Tuesday, January 15, 2008

Trust is a Simple Equation

[Begin rant]

OK. If security vendors don't get this simple equation, then we might as well all give up and give in...


If you don't know if a computer has been rooted or botted (apologies to the English grammar people-- computer security words are being invented at an ever-increasing rate), then you cannot use that same computer to find out if it has been rooted or botted. Let me say this slightly differently: If you don't know if a computer is worthy of trust (trustworthy), then you cannot trust it to answer correctly if you ask it if it is trustworthy.

It doesn't work in real life. It's stupid to think that a person you just met on the street is trustworthy enough to hold your life savings just because that person says "you can trust me" (or even something of less value than that, probably of any value). My father used to say "never trust a salesman who says the words 'trust me'" because of his life experiences that suggest they're lying most often when they say that (although that may not be statistically relevant, it's relevant as an anecdote).

So why in the world would we EVER trust a piece of software to run on a computer whose state is unknown-- whose TRUSTWORTHINESS is unknown-- to determine if it (or any other system for that matter) is trustworthy???

That's why many NAC implementations fail. It's opt-in security. They send some little java (platform independent) program to run and determine trustworthiness, like presence of patches, AV, etc. Of course, all it takes is a rootkit to say "nothing to see here, move along" to the NAC code. We've seen implementations of that.

So why in the world is Trend Micro-- a company who should KNOW BETTER-- creating code that does just that? RUBotted is the DUMBEST, STUPIDIST, MOST [insert belittling adjective here] idea I have ever seen. It works by running code inside the same CPU controlled by the same OS that is believed already to be botted-- why else would you run the tool unless you already suspected the trustworthiness to be low?!?

This had to have been either designed by a marketing person or a complete security amateur. It attempts to defy (or more realistically: ignore) the laws of trust! How long is it going to be before bot code has the staple feature: "hide command and control traffic from the likes of RUBotted"?


And then eWeek is suggesting that this will be a paid-for-use service or application?!? People, please don't pay money for snake oil, or in this case perpetual motion machines.


This just defies nature. If you wouldn't do it in the "real world", don't do it the "cyber world".



Now, if you could use systems you already know to be trustworthy (i.e. computers that you control and know that an adversary does not control) to monitor systems about which you are not sure, then you may be able to make a valid assertion about the trustworthiness of some other system, but you MUST have an external/third-party trusted system FIRST.


And don't forget that "trust" and "trustworthiness" are not the same.

[End Rant]

4 comments:

eCurmudgeon said...

Is it just me, or do people need to go back, re-read the "Orange Book" (otherwise known as "Department of Defense Trusted System Evaluation Criteria", and written back in 1985), and pay particular attention to the concept of the "Trusted Computing Base"?

fainthearted said...

...and one really cannot trust AV sw, personal FWs, host IPS, etc...and private networks ...and even servers...so we might just as well not put any security layer in-place...and perhaps not use networks at all...Your rant against NAC trustworthiness is naive but you are not alone...

securology said...

Hi fainthearted,

First, I appreciate you commenting.

Second, I'd like to point out that trustworthy computing CAN be done, just not by asking the system in question if it's trustworthy. In the real world, you ask somebody you already know well about the trustworthiness of somebody you do not know well. OR, you carefully watch and gather a well-informed (some people are much better than others at this) opinion about the person in question.

If RUBotted was a tool that you could use to monitor other unknown systems from a system you know and trust to see if any "botted" behavior happens from the unknown ones ... that would be different. And there are some NAC vendors who try to implement in that fashion. That's the only way that determining trustworthiness (in this case via NAC or malware detection) will really work, but ... it's hard work. There's either default-allow signatures (which don't keep up and scale well) or there's behavioral techniques (which are severely prone to false positives).

Another fundamental problem in NAC, is that most implementations are done under the notion that the "network" is the asset you're trying to protect. If you're trying to protect your "network" as the asset, I promise there are hundreds of even more fundamental problems in your security practice. Remember the assets are the data-- not the network (nor the computing hardware, the OSes, or even the applications). The problem statement for NAC implementations is often wrong. If an enterprise could efficiently access, store, and process information without computers, networks, etc., they would. They're only mediums-- not assets.

That's not to say that because we do use computers that we will skip protecting low-level integrity of them. If we understand Trust well (and if we want to trust the data processed, transmitted, and stored within these systems), then we have to understand that we have to protect them or anything we build on top of them is pointless. Of course, if you really understand trust well inside of computing (today), then you're likely very depressed. If you're not depressed, you probably don't understand trust in computer systems very well.

kurt wismer said...

@securology:
on the one hand i agree with you about not being able to trust the suspect machine but on the other hand i fear that such logic sounds the death knell for the entire idea of behavioural detection...

i think perhaps we have to accept that no security control is perfect and that while something like RUBotted can't be trusted to tell you you're safe, it can still be a useful part of one's security arsenal if it detects things some of the time...