Stupid Net TricksBy Bill Cheswick. Bell LaboratoriesSummary by Jerry Peek Bill Cheswick suspects that history will say the Internet started in 1991 or so. Before that, we were just experimenting: "the stuff I used to do that was arcane-is now arcane and highly relevant." As Bill showed in his invited talk, there are plenty of gaping security holes left to plug. The net is an easy place to be anonymous, and we all know this. "You can send mail to the [US] President from me, and it'll look like it comes from me. . . . It's easy to launder IP connections, which means you can hack from your basement looking like someone else. And this is really somewhat of a difference from the phone system, where there was at least a return number that some phone company would know about. . . . It takes a lot of effort to chase someone down. You have to make someone really mad, and be really stupid, to get caught doing Internet hacking." "So what have we learned so far? We've learned that software is really hard to write safely." Bill gave the example of Marcus Ranum, a security expert, who wanted to make the ultimate identd-one that would be so simple it couldn't have a bug. He sent his one-page program to Steve Bellovin who checked it over and found a security hole. For security, of course, simple is good and big is bad. And the sysadmins are "usually clueless . . . the real denial-of-service attack is wearing out the gurus." He talked of a "software arms race" between the hackers and the coders. "When the arms race is done, and everything is perfectly secure, everything's encrypted and strongly authenticated . . . we're still going to have denial-of-service attacks, because any public service can be abused." If the US government declares that encryption software is a munition, so is network software like ping and trace-route. "It's too late to protect [networking software] by the laws that we're using. . . . The stuff that you use to manage a network every day is just as offensive as defensive." He gave an example of the (Coalition) military destroying a bridge in Iraq during the Gulf War, probably to destroy fiber optic cable running along it. But we net experts could probably also take out the fiber, for a while, by denying service on its network. It's hard to simulate the Internet for testing. "Think of the Internet as a giant heap of spring mattresses which you hit with a wrecking ball. . . . This gives you the sort of nonlinear oscillations that actually happen there." Bill worried about the next exponential attack on the net; AT&T's intranet is larger now than the whole Internet was during the Morris worm attack! And these days, a lot of the net runs just a few big operating systems-Microsoft's, I believe he meant-which leaves it vulnerable to Morris-type attacks. Every feature added to software is another feature that can be abused. For example, if you're running a program that someone else gave you (like a Java script) and you give the program access to the CPU, the program may abuse (at least, overuse) the CPU. Give it screen access, and it may abuse the screen. Give it email access . . . and so on. While marketers push for more and more features and security people push back (mostly ineffectually) for fewer features, the risk goes up-and most major software vendors don't seem to be too concerned. Bill spent another hour giving a depressingly long list of clever (and obvious) tricks for abusing systems and networks. We all have some work to do. Originally published in ;login: Vol. 22, No.2, April 1997.
|
webster@usenix.org
Last changed: May 28, 1997 pc |
|