Computer Security in the Real World


6.826—Principles of Computer Systems 2004

31. Paper: Computer Security in the Real World

The attached paper on computer security by Butler Lampson was presented at the Annual Computer Security and Applications Conference in 2001.

Computer Security in the Real World

Butler W. Lampson¹
Microsoft

¹ [email protected], research.microsoft.com/lampson

Abstract

After thirty years of work on computer security, why are almost all the systems in service today extremely vulnerable to attack? The main reason is that security is expensive to set up and a nuisance to run, so people judge from experience how little of it they can get away with. Since there's been little damage, people decide that they don't need much security. In addition, setting it up is so complicated that it's hardly ever done right. While we await a catastrophe, simpler setup is the most important step toward better security.

In a distributed system with no central management like the Internet, security requires a clear story about who is trusted for each step in establishing it, and why. The basic tool for telling this story is the "speaks for" relation between principals that describes how authority is delegated, that is, who trusts whom. The idea is simple, and it explains what's going on in any system I know. The many different ways of encoding this relation often make it hard to see the underlying order.

1 Introduction

People have been working on computer system security for at least 30 years. During this time there have been many intellectual successes. Notable among them are the subject/object access matrix model [12], access control lists [19], multilevel security using information flow [6, 14] and the star-property [3], public key cryptography [16], and cryptographic protocols [1]. In spite of these successes, it seems fair to say that in an absolute sense, the security of the hundreds of millions of deployed computer systems is terrible: a determined and competent attacker could destroy most of the information on almost any of these systems, or steal it from any system that is connected to a network. Even worse, the attacker could do this to millions of systems at once.

The Internet has made computer security much more difficult than it used to be. In the good old days, a computer system had a few dozen users at most, all members of the same organization. It ran programs written in-house or by a few vendors. Information was moved from one computer to another by carrying tapes or disks.

Today half a billion people all over the world are on the Internet, including you. This poses a large new set of problems.

• Attack from anywhere: Anyone on the Internet can take a poke at your system.
• Sharing with anyone: On the other hand, you may want to communicate or share information with any other Internet user.
• Automated infection: Your system, if compromised, can spread the harm to many others in a few seconds.
• Hostile code: Code from many different sources runs on your system, usually without your knowledge if it comes from a Web page. The code might be hostile, but you can't just isolate it, because you want it to work for you.
• Hostile physical environment: A mobile device like a laptop may be lost or stolen and subject to physical attack.
• Hostile hosts: If you own information (music or movies, for example), it gets downloaded to your customers' systems, which may try to steal it.

All these problems cause two kinds of bad results. One is vandalism, motivated by personal entertainment or status-seeking: people write worms and viruses that infect many machines, either by exploiting buffer overrun bugs that allow arbitrary code to run, or by tricking users into running hostile code from e-mail attachments or web pages. These can disrupt servers that businesses depend on, or if they infect many end-user machines they can generate enough network traffic to overload either individual web servers or large parts of the Internet itself. The other bad result is that it's much easier to mount an attack on a specific target (usually an organization), either to steal information or to corrupt data.

On the other hand, the actual harm done by these attacks is limited, though growing. Once or twice a year an email virus such as "I love you" infects a million or two machines, and newspapers print extravagant estimates of the damage it does. Unfortunately, there is no accurate data about the cost of failures in computer security: most of them are never made public for fear of embarrassment, but when a public incident does occur, the security experts and vendors of antivirus software that talk to the media have every incentive to greatly exaggerate its costs.

Money talks, though. Many vendors of security products have learned to their regret that people may complain about inadequate security, but they won't spend much money, sacrifice many features, or put up with much inconvenience in order to improve it. This strongly suggests that bad security is not really costing them much. Firewalls and anti-virus programs are the only really successful security products, and they are carefully designed to require no end-user setup and to interfere very little with daily life.

The experience of the last few years confirms this analysis. Virus attacks have increased, and people are now more likely to buy a firewall and antivirus software, and to install patches that fix security flaws. Vendors like Microsoft are making their systems more secure, at some cost in backward compatibility and user convenience. But the changes have not been dramatic.

Many people have suggested that the PC monoculture makes security problems worse and that more diversity would improve security, but this is too simple. It's true that vandals can get more impressive results when most systems have the same flaws. On the other hand, if an organization installs several different systems that all have access to the same critical data, as they probably will, then a targeted attack only needs to find a flaw in one of them in order to succeed.

Of course, computer security is not just about computer systems. Like any security, it is only as strong as its weakest link, and the links include the people and the physical security of the system. Very often the easiest way to break into a system is to bribe an insider. This short paper, however, is limited to computer systems. It does not consider physical or human security. It also does not consider how to prevent buffer overruns. You might think from the literature that buffer overruns are the main problem in computer security, and of course it's important to eliminate them, especially in privileged code, but I hope to convince you that they are only a small part of the problem.

Why do people live with such poor security in real world systems? The reason is that real world security is not about perfect defenses against determined attackers. Instead, it's about

• value,
• locks, and
• punishment.

The bad guys balance the value of what they gain against the risk of punishment, which is the cost of punishment times the probability of getting punished. The main thing that makes real world systems sufficiently secure is that bad guys who do break in are caught and punished often enough to make a life of crime unattractive. The purpose of locks is not to provide absolute security, but to prevent casual intrusion by raising the threshold for a break-in.

Well, what's wrong with perfect defenses? The answer is simple: they cost too much. There is a good way to protect personal belongings against determined attackers: put them in a safe deposit box. After 100 years of experience, banks have learned how to use steel and concrete, time locks, alarms, and multiple keys to make these boxes quite secure. But they are both expensive and inconvenient. As a result, people use them only for things that are seldom needed and either expensive or hard to replace.

Practical security balances the cost of protection and the risk of loss, which is the cost of recovering from a loss times its probability. Usually the probability is fairly small (because the risk of punishment is high enough), and therefore the risk of loss is also small. When the risk is less than the cost of recovering, it's better to accept it as a cost of doing business (or a cost of daily living) than to pay for better security. People and credit card companies make these decisions every day.

With computers, on the other hand, security is only a matter of software, which is cheap to manufacture, never wears out, and can't be attacked with drills or explosives. This makes it easy to drift into thinking that computer security can be perfect, or nearly so. The fact that work on computer security has been dominated by the needs of national security has made this problem worse. In this context the stakes are much higher and there are no police or courts available to punish attackers, so it's more important not to make mistakes.

1.1 What is security?
