
Systemic Vulnerabilities

BSides Peru · 31:25 · 340 views · Published 2015-06 · Watch on YouTube ↗
About this talk
Systemic Vulnerabilities: An Allegorical Tale of Steampunk Vulnerability to Aero-Physical Threats

Abstract: What can we learn about vulnerability analysis, mitigation, and designed-in security for the emerging Internet of Things from history? In this talk we'll trace the origin and evolution of a physical-world vulnerability that dates to the late 19th century, and explore whether "building security in" is even always an available option. We'll also look at how a number of industries have approached the analysis of their safety failures and what that implies for interconnected embedded systems. Along the way we'll meet Andrew Carnegie and a few other historical figures and events that help illuminate some ideas that presage the future of cybersecurity in a world of smart things.

Bio: Allen Householder is a Senior Vulnerability Analyst in the CERT Division of the Software Engineering Institute at Carnegie Mellon University. His recent work includes being the technical lead for the CERT Basic Fuzzing Framework (BFF) and Failure Observation Engine (FOE), and research into the (in)security of the Internet of Things. His research interests include fuzzing, threat modeling, vulnerability disclosure, and modeling information sharing and trust among Computer Security Incident Response Teams (CSIRTs).
Transcript [en]

Hey everybody. So this may actually be one of the nerdiest days, or geekiest days, in my entire life. I'm here presenting at BSides Pittsburgh, my daughter is finishing up the Girls of Steel robotics camp over at CMU, and tonight is the Martian New Year celebration in Mars, PA, with people from NASA coming out to talk. So it's a whole day of weird stuff. All right, so this is not your typical technical talk; in fact it's not technical at all, it's almost all pictures. And like Jono, I apparently have a really acute taste for very long words in titles, so: Systemic Vulnerabilities: An Allegorical Tale of Steampunk Vulnerability to Aero-Physical Threats. And that's not a mouthful at all.

Jono said there would be a quiz. This is the quiz, so if you haven't memorized this yet, this is your last chance. So I actually want to talk about a story that goes all the way back to the late 19th century and follow that through to today, so I need to cover about 137 years in the next 25 minutes. So it's going to be quick. But we start in Paris in around 1878 with this guy, Jules Verne. And Jules Verne, as you may know, was one of the earliest science fiction authors, and in the '80s he was thinking about heavier-than-air versus lighter-than-air aircraft. He wrote a book called Robur the Conqueror that included this flying airship thing that was part of the debate between whether heavier-than-air or lighter-than-air craft would eventually, essentially, win the day. And keep in mind this is about 10 years after he wrote Around the World in 80 Days, so he'd already done the balloon thing and now he wanted to do flying helicopter ships, which is really cool. I think the Avengers stole the whole aircraft carrier, hover carrier thing from this. So this is the 1880s and Jules Verne writes a book talking about heavier-than-air craft, and keep in mind, at this point this is pure science fiction: no one has ever gotten anything heavier than air off the ground, there's no powered flight yet.

So let's jump ahead a couple of years and come back across the ocean from Paris to Chicago. This is around 1890, and Chicago had some traffic problems. Most cities had just kind of gotten to the point where the population was growing in cities, people are moving in from the farms, the Industrial Revolution's been going on for a while, and you've got a lot of traffic that requires people to start planning for things. So you have an architect like Daniel Burnham, who is known for designing buildings, but he really started getting into city planning, and around this time he had a couple early successes, and eventually in 1893 was named, I think, the lead architect or something longwood signs for the Chicago World's Fair. Coincidentally, the Eiffel Tower was built for the Paris World's Fair that happened a few years earlier, so we hopped from one world trade to the next. Dan Burnham is the architect here and he rises to significant fame; he's got a lot of other jobs after that.

Meanwhile, this guy Andrew Carnegie decides that he's got about enough money and he wants to start, I don't know, building universities or museums or things, and so he wants to sell off the Carnegie Steel Corporation and the Keystone Bridge Corporation, and he finds a willing buyer in J.P. Morgan, who conveniently turns these things into United States Steel and the American Bridge Company, headquartered down the river a ways. In fact, the American Bridge Company is so important to the town that it's in that they renamed the town in 1905 to Ambridge, PA. So the American Bridge Company gets a contract to build a building designed by Daniel Burnham in 1901. This is the Flatiron Building, or would come to be known as the Flatiron Building, in New York. It's not the first steel-with-concrete-skin structure, but it's one of the earlier ones: 22 stories high, and it has this really unique shape in that it has to fit onto a little triangular lot. You may have seen this building before. Eventually it's finished in 1902 and it opens up, and if you notice the transportation down at the bottom, there's some streetcars and there's trolleys and horse carts and people on foot.

Now here's where I'm going to drop a 40,000-day vulnerability on you. So I'm going to assert that this building is vulnerable to 315,000 pounds of aluminum with 16,000 gallons of kerosene in it, flying, or moving, at 500 miles an hour.

That's a serious vulnerability, because if you do the CVSS score for it, you need to be adjacent to it, and it's very high complexity, because this is 1902 and there's no powered flight. We're talking about, you know, Jules Verne wrote about powered heavier-than-air craft, so at this point there's no such thing as 315,000 pounds of aluminum flying through the air at 500 miles an hour; no one's done that. So the access complexity is fairly high. But you don't need to be authenticated, and there's a confidentiality impact that's partial, because presumably if the building blows up all the papers kind of blow out around the town. But you're pretty sure you're going to have complete integrity and complete availability impact, because if you drop something that big on it, it's going to damage the building at the least. But we're at CERT and we don't just do the base CVSS score, we do the temporal score too. So we actually want to keep track of, you know, it's unproven that an exploit exists, there's really no remediation to it, and we haven't confirmed the report, because frankly this is just me making it up based on what I read in some Jules Verne book. We expect that the building's going to maintain integrity and maintain availability. We also recognize the collateral damage potential: if that were to happen, there's going to be a mess in the town, not just at that building, so there's a lot of collateral damage potential. So the end score is a base score of 6.5 and an overall CVSS score of 7.6. When I presented this to some folks from vendors, a guy from Microsoft raises his hand and says, doesn't this tell you what's broken about CVSS, because you've got an imaginary science fiction threat that gets a 6.5 score, which is probably high enough for most people to react to? Yeah, I agree, it's a little weird, but I also pointed out that I'm totally misapplying what CVSS is meant for, for this talk.

So anyway, that's 1902, based on what we know. And then in 1903 these guys managed to get their heavier-than-air craft off the ground down in North Carolina. So reality catches up with science fiction over time, and Verne goes back to his pen and he starts writing a sequel to Robur the Conqueror, in which the Albatross, that heavy flying helicopter boat thing, comes back, but this time there's also this device called the Terror, which is a flying boat car that goes at the blinding speed of 150 miles an hour. And at this point, as far as I know, the only people who had gone 150 miles an hour were falling off a cliff on the way to their death, because you just couldn't get going that fast at that point. Not to be outdone, the other great sci-fi author of the time, H.G. Wells, happens to come over to New York, or he actually does a tour of the US; he was British. He does a tour of the US and writes an article for the Atlantic Monthly, and in that article he mentions how inspiring the Flatiron Building is as far as his appreciation of American architecture. He goes back home, and based on what has happened in the last couple years, with the Wright brothers and all this stuff, he goes back and writes a book called The War in the Air, which in 1908 had some pretty sci-fi concepts in it. It's since been claimed that this presaged most of the air war of World War One, but the illustrations have these really cool dirigibles just all over the place.

So meanwhile, the Flatiron Building's still standing, and this time around the transportation has changed a little bit: there's some motor cars there as well as a few horse-drawn carts and some trolleys and stuff. But this doesn't really reflect the reality of the day, so they took this picture back to the Photoshop and added that little biplane in the top. It's exactly the same picture on both of them, they just added the plane. But realistically, who's afraid of planes? You know, they crash and they can't even knock over fence posts. Well, time goes on. 20 years later, B-25s take their first flight, a pretty big plane, much more significant than the biplanes and the Wright Flyer. Also in 1939 the C-45 has its first flight, and in 1943 Lockheed, in 143 days, went from paper drawings to actually having an airframe for the first jet; this is the Lulu Belle. In 1945 a B-25 crashed into the Empire State Building. The Empire State Building is just a few blocks away from the Flatiron Building; you can see it from there. And in 1946 that C-45 that we saw a few minutes ago crashed into the tower on Wall Street. Well, we better go back and refresh our CVSS score. So we've now got proof of concept that, yeah, it is possible for planes to fly into buildings. There's really no fix for it, so it's unavailable, and the report confidence is uncorroborated: yeah, we've seen it happen, but no one's doing this intentionally. Meanwhile, Billy Joel completely disclaims responsibility for the fire, and we're off to the dawn of the space age.

1962, kind of a tense time around these parts, because the Soviets were putting missiles into Cuba; you might have heard of that. Meanwhile we're working on Minuteman II rockets and they're having some problems getting them off the ground, they're having some problems with failures during launch, and Boeing comes up with this method of analysis for engineering called fault tree analysis, in which they have this method that's basically: bad thing happens at the top, and then some logic diagram that says here's the possible reasons that thing could happen, and you can have AND and OR gates and all this logic that explains how to analyze this. And they start using this to analyze rocket accidents, and that helps them build better nukes, or better rockets rather. 1967, the Apollo 11, I'm sorry, Apollo 1 crew burned to death in the capsule, and in the resulting analysis of that accident fault trees were used again, and this eventually turns into a publication from Boeing where they actually describe how to use fault trees as an engineering tool for analyzing accidents before they happen, not afterwards. So they want this to be a proactive engineering thing and a way to help you think through problems you can have with safety. That's popular enough that it eventually winds up being an FAA publication. The snapshot here is actually from the 2000 version of this popular publication, but the cover is the 1970 version. So aviation's starting to catch on to this whole fault tree thing. 1979, a couple miles east of here, Three Mile Island has a bit of an accident, and very quickly the Nuclear Regulatory Commission comes out with a fault tree handbook that says, hey, this works for aviation, we ought to use this for analyzing nuclear plants as well. Meanwhile, back at Boeing, they get the 767 off the ground in 1982. It happens to be 300,000 pounds or so takeoff weight and carries about 16,000 gallons of jet fuel.

A couple years later Union Carbide has a horrible accident in Bhopal, India, still considered one of the worst industrial accidents ever, and in going back and analyzing that, there were some folks involved from OSHA and other places in the US that also were starting to use fault trees to kind of understand how did this happen, what went wrong there. NASA, 1986, launches the Challenger; Challenger doesn't make it to space. The New York Times publishes a pretty scathing criticism of NASA and says, look, they didn't even bother to do this well-established thing called fault tree analysis to figure it out beforehand. 1988, the Piper Alpha caught fire in the North Sea. This cut out, let's see, it was a sizable chunk of the North Sea oil production at the time, and as a result of that, within a few years OSHA actually publishes Process Safety Management, in which they recommend that you really should be doing checklists and failure mode and effects analysis and fault tree analysis as part of your overall safety program.

So we've caught up to about the last 20 years. This is New York City, by the way; the building that the C-45 flew into is down at the bottom left, right next to act 3 there. And in 1999 Bruce Schneier publishes an article in Dr. Dobb's saying that, hey, engineering has these fault tree things, and wouldn't it be neat if we could use those as attack trees? And so it basically takes that same model of bad thing happens, reason, reason, reason, logic diagram thing, and you can start talking about systemic, systematic attacks. Conveniently, a couple years later some folks at CERT actually fleshed some of that out and they published an article talking about how attack modeling can happen and how you could use that sort of logic in describing security attacks. Of course, the same year we actually do finally see the demonstrated weaponized exploit of 315,000 pounds of aluminum filled with kerosene flying into a building and completely destroying it. The temporary fix for that is that you go from this at 8:30 in the morning to this at noon: you ground all the flights, you put all the jets on the ground. So we've got a temporary fix, we've confirmed the report, and we also know that there's a functional exploit. Our base score is still 6.5, but our overall score is now up at 7.9. Very quickly we came up with a more permanent fix, which is don't let planes fly near buildings, shoot them down if necessary. So now we've got an official fix, so the temporal score drops back from 7.9 down to 7.8. So, very serious vulnerability, but we sort of know how to deal with it. Also in 2002 NASA finally publishes a fault tree handbook with aerospace applications, and I don't expect anyone to actually read the eye chart here, but the main point is not only do they have diagrams, they have math. Remember that; let me get back to it in a second. 2003, Columbia sadly fails to make the return flight from space, and this time around the New York Times says NASA is going to do a fault tree analysis to help figure that out, and whether or not the heat shielding tiles would be one branch of that tree. So by 2009 NASA is really on board with this fault tree analysis thing; they say it's one of the most important logic and probabilistic techniques capable of uncovering design and operational weaknesses that escaped even some of the best deterministic safety and engineering experts.

Meanwhile, on a Microsoft community blog in 2012, and this was actually written by somebody who didn't work for Microsoft but he's publishing a guest article on the blog, part of which is actually to talk about why EMET is a good thing, and I agree, that's a great thing, but his point here was that attack trees are difficult to follow visually and too labor intensive. Now this made me pause for a second, because NASA's thinking about fault trees as math; they're thinking about attack trees as Visio diagrams. Now, one of those is amenable to analysis and you can figure things out with it; the other one, you can draw pictures. Something's not quite lining up here. There's a lot of fault tree stuff that is going on that hasn't really transferred over to the attack tree, threat modeling side of things.

All right, so let's bring this back to actual security stuff. So I work at CERT, we do vulnerability discovery. I work on fuzzing software that finds vulnerabilities and things, and the one idea that I can get across for how you find vulnerabilities in systems is: you have what you expect to happen and what really happens. So there's what you think the software does and what the software actually does, and you find vulns in the places where reality doesn't match up with your expectations. So any vulnerability you've ever encountered probably fits this diagram; if it doesn't, I'm curious to hear it, because I haven't found any yet that don't really fall into this scenario. So given that, let's talk about this idea: build security in. Great idea. If you can do it, do it.

When exactly should the people who built the Flatiron Building have built those defenses in against planes? Because remember, when they started, it was sci-fi; no one expected that planes were going to be a thing. In World War One planes weren't that big of a deal; in World War Two we demonstrated that buildings would survive plane crashes, twice, in New York City, right in plain view of the building you're trying to protect. At some point it seems like somebody should have done something, but I don't think there's any point where you could have built the security in to that system.

So realistically, how harshly should you judge the people who declined to defend against threats that even science fiction hadn't really talked about when the system was deployed? So the takeaway on this is that vulnerabilities can arise because the world changes around the system, even if the system itself is just sitting there minding its own business and remains unchanged. Now that's an interesting point and kind of a neat observation, but where does it become a problem? Well, Dan Geer, talking at the NSA about a year ago, was talking about embedded systems without remote management and long-lived, so you couldn't patch them, but they're going to be out there forever. So long-lived and not reachable, long-lived and not patchable: that's kind of the same problem as putting a building in place, and technology advances and advances and advances, and eventually you wind up with vulnerabilities that are present not because of the building changing but because the world changed around it. IoT and long-lived systems kind of have the same problem. So with that in mind, how long do you expect your next refrigerator to last? How about your next car? How about your light bulbs? So you can buy Philips Hue light bulbs on Amazon; they're 100 bucks or something for three. They come with this little hockey puck that you plug into your network.

The bulbs have a 15,000 hour lifetime; the warranty is two years. How long do you think you're going to be able to get patches for that? So the lifespan of the bulb is like 10 years, so how long are you going to be able to get patches? This is a threat model that I did for that bulb system about a year ago on some work we were doing, and we wound up and found that it had a vulnerability, which has since been repaired, since been patched in the Philips software. Interesting thing was, it was a vulnerability in the DNS resolver that made it susceptible to cache poisoning. If you guys remember the 2008 Kaminsky bug, there's actually some things that go back, you know, over a decade, and it turns out that the DNS code that was in that was from an IP stack written by a guy back in like the early 2000s; he open sourced it and then it never got touched again. So we actually went up and found this vuln by looking at the Hue stuff, but it turns out it was actually in the IP stack, which is in other operating systems like Contiki, which is this IoT operating system. We reported it, we took care of it and everything, but I don't think Philips is really planning on a 10-year lifespan of patching vulns in their software, in their light bulbs.

So what are we going to do about this? Well, if you're building these kinds of systems, you're building IoT things, you're building control systems, anything that has a physical lifespan that's measured in decades or a long time frame, please design for adaptability to environments that become more hostile over time. Second point here is that threat modeling and attack tree analysis have a lot to learn from the folks that do safety analysis. Safety people understand fault trees, they understand failure modes and effects analysis; there's all sorts of things that you can talk to them about. And part of what we've failed to do so far is get the point across that when you bolt a network stack onto a thing that's been engineered for safety, you may not be safe anymore. I don't think you can be safe without being secure, if you've got those two things put together. So that conversation needs to happen, and it's about us, the security folks, starting to talk to, maybe starting with the safety people, starting with the engineering people, but talking in a way that they can understand why this is important. And some defense mechanisms: field upgradability is really important, like you should be able to upgrade things after they're deployed; layered defenses; planned obsolescence, because stuff that's out there for too long, the world may change enough that it's not possible to secure it anymore. Also, read more science fiction.

So we've got a few projects at CERT that are kind of hitting in this space. I already mentioned the vulnerability discovery, and our systemic vulnerability programs, where we're really trying to reach out less to the traditional software vendors and more to the people who are relatively new to the internet-connected stuff but they've been engineering stuff for a while. So we're trying to have that conversation on automotive or industrial control, IoT, medical devices, all of those fronts. There's also some work going on at the SEI on model-driven architecture, which can actually emit fault tree analysis from architectural models.

So how did I get the idea for this presentation? This is the view from my office at CMU, back when I was at the other building, and if you ever noticed, if you're outside in Pittsburgh for very long, these KC-135s are always flying around town, and from the perspective I had it always looked like they were flying behind the Cathedral of Learning. I was just sitting there one day and, like, wait, those planes are newer than the building, but the building doesn't have any defenses against them, and that would be bad. So that kind of just got me digging into looking for buildings that predated the Wright brothers' flight, and the Flatiron Building happened to be one. Conveniently it had the Pittsburgh connections to go along with it. But that's the origin of this story. Hopefully it gave you some things to think about, and I'm happy for any questions if you've got any.

So the folks that are doing fault tree analysis already are doing probabilistic assessments, and they can do calculations and things on those trees. The big difference between fault trees and attack trees isn't, I mean, they're both exactly the same logical construct; the difference is that with an attack tree you've got an intelligent adversary. You're not just trying to defeat physics, chemistry, and the probability of accidental failures. So we can talk about mean time to failure on mechanical components; we can't as easily talk about how probable is an attack today, right? So yeah, it's possible to propagate it through, but some of the difficulty there is just understanding those differences. I'm not suggesting that we're stupid for not having noticed this whole thing over here; I'm just really kind of trying to point out that there's this body of knowledge that already exists, that if we could figure out how to map our problem onto that, not only can we have a good conversation with those people, but we also might be able to improve security analysis as well as the analysis of these other
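Both readings of one tree in code, as an added example that is not material from the talk, from NASA's handbook or from CERT: a single AND/OR tree carries, on each leaf, a probability for the fault-tree reading and an attacker cost for the attack-tree reading (the cost model from Schneier's Dr. Dobb's article, where OR takes the cheapest branch and AND sums its steps), and the same minimal-cut-set enumeration serves both. The tree, the probabilities and the costs are constructed for illustration; the top event is a networked actuator doing something unsafe, so the safety branch and the "network stack bolted on" branch sit side by side.

```python
"""Fault tree and attack tree propagation over one AND/OR structure.

Constructed illustration (not from the talk): leaf probabilities model
independent accidental failures, leaf costs model attacker effort, and
a cost of inf marks an event an adversary cannot simply bring about.
"""
from dataclasses import dataclass, field
from itertools import product
from math import inf, prod


@dataclass
class Node:
    name: str
    gate: str = "LEAF"                  # "AND", "OR" or "LEAF"
    children: list = field(default_factory=list)
    prob: float = 0.0                   # fault-tree view: chance the basic event is true (leaves only)
    cost: float = inf                   # attack-tree view: attacker effort to make it true (leaves only)


def AND(name, *children):
    return Node(name, "AND", list(children))


def OR(name, *children):
    return Node(name, "OR", list(children))


def failure_probability(node):
    """Fault-tree semantics with independent leaves: an OR gate is true if any
    child is true, an AND gate only if every child is true."""
    if node.gate == "LEAF":
        return node.prob
    ps = [failure_probability(c) for c in node.children]
    return prod(ps) if node.gate == "AND" else 1.0 - prod(1.0 - p for p in ps)


def cheapest_attack(node):
    """Attack-tree semantics: an OR gate costs its cheapest alternative, an AND
    gate costs the sum of its steps; inf means no finite-cost path exists."""
    if node.gate == "LEAF":
        return node.cost
    cs = [cheapest_attack(c) for c in node.children]
    return sum(cs) if node.gate == "AND" else min(cs)


def _cut_sets(node):
    if node.gate == "LEAF":
        return [frozenset([node.name])]
    child_sets = [_cut_sets(c) for c in node.children]
    if node.gate == "OR":
        sets = [s for cs in child_sets for s in cs]
    else:
        sets = [frozenset().union(*combo) for combo in product(*child_sets)]
    # keep only minimal sets: drop duplicates and any set that contains another
    minimal = []
    for s in sets:
        if s not in minimal and not any(other < s for other in sets):
            minimal.append(s)
    return minimal


def minimal_cut_sets(node):
    """Minimal cut sets: the smallest combinations of basic events that bring
    about the top event, returned as sorted tuples of leaf names."""
    return sorted(tuple(sorted(s)) for s in _cut_sets(node))


def build_tree(authenticated):
    """Top event: a networked actuator performs an unsafe action. The safety
    branch has no attacker cost; the remote branch has no accidental story
    beyond the design choice of shipping without command authentication."""
    if authenticated:
        # after the fix the attacker has to defeat the authentication instead
        network_weakness = Node("auth_bypass", prob=0.001, cost=2000)
    else:
        network_weakness = Node("no_command_auth", prob=0.8, cost=10)
    return OR(
        "unsafe_actuation",
        AND("accidental",
            Node("sensor_fault", prob=0.01),
            Node("interlock_fault", prob=0.02)),
        AND("remote_command",
            Node("port_reachable", prob=0.25, cost=50),
            network_weakness),
        AND("local_console",
            Node("physical_access", prob=0.05, cost=500),
            Node("console_unlocked", prob=0.5, cost=5)),
    )


if __name__ == "__main__":
    for hardened in (False, True):
        tree = build_tree(hardened)
        print("with command authentication" if hardened else "as shipped")
        print("  P(top event)        =", round(failure_probability(tree), 6))
        print("  cheapest attack cost =", cheapest_attack(tree))
        print("  minimal cut sets     =", minimal_cut_sets(tree))
```

Running it shows the distinction the answer above draws: propagating the safety-style probabilities is mechanical, and adding command authentication drops the top-event probability from about 0.22 to about 0.025 under these constructed numbers, but the attack-tree side only tells you how the adversary's cheapest path moves (from the remote branch at 60 to the local console at 505), not how likely that attack is today.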

You could confirm the things, or confirm that there was a fix, but the score was not really heavily affected. So is that apparently a problem with CVSS, if the things aren't weighted properly, you think? Or do you think it could be that there isn't enough, like, everything has to be absolutely one of these three things, as opposed to the gray areas?

So I think pigeonholing does definitely happen with CVSS, in terms of, yeah, everything has to fall into a certain category. There's currently work through FIRST to come up with CVSS v3; the FIRST conference is happening this week as well, so I'm not sure where that's going to land at the end of this week. But CVSS v3 is coming. It does have some improvements to CVSS v2; I'm not as familiar with that just yet, and I think it does actually improve some of this so that it'd be a little bit clearer, although there's other criticisms of CVSS v3 too that you can go read about online. So there might be more granularity there; they've broken out a couple categories so that it's not, you know, CVSS v2 is really thinking about the worst thing that can happen is that you own the box. CVSS v3 starts to think about, as well, not only could you own the box but you might be able to steal the data, and stealing the data gets low scores on CVSS v2 and it will get higher scores in v3. So, yes sir.

Are the current security methods outdated for the Internet of Things?

I think, I'm not sure that we scale well enough in our processing. We've run across, even with Android apps, we found 24,000 vulnerable Android apps last year, and that just about broke everything in the coordinated vulnerability disclosure process. And so the more things there are, the more problems there are going to be, and I don't know that we necessarily have the ability to fix all those. But more importantly, anyone who's involved in IoT things: it's not so much that our processes are outdated for security, it's that the code you're putting into them may be outdated. So you've got binary blobs that already have IP stacks built into them. I found that VxWorks just had, there was just an ICS-CERT alert yesterday, VxWorks has TCP initial sequence number vulnerabilities, which we published on in 2001, 2002. There's lots of old, old, old code, like pre-1999; they forked something from glibc and then they've gone off and done whatever they've done, but if you go back and look at glibc vulns you can find a whole stack of them in the last 15 years, and none of them have been patched in these small embedded operating systems. So I would go back and ask questions about where the IP stack came from, where the DNS resolver came from, and all of those network vulns that we had over the last 15 years, they're all still there and they're probably going to come back and show up in all these IoT devices. So, thanks.