
Patrick Zukowski's talk today is on abrading the air gap.

So, can everyone hear me okay? Good, yes, okay, I'll speak up a little, there's no mic. Before I get started, does anyone have any experience with CDSs that they'll admit to? Well, this one person. A little background on myself as far as CDSs are concerned: I tested, audited and evaluated CDSs for an intelligence community customer for about five years, so that's where I'm coming from, that's my point of view for this talk. And the obligatory disclaimer slide, I'll let you read that, I won't read it, but the most important piece is no classified material is going to be discussed here.

So what is a CDS? To talk about CDSs, first you have to define a classification domain. So you have, for example, secret, top secret, unclassified, and traditionally those networks have been air-gapped, right? So no logical connections between those networks. To transfer data from a producer of data to a consumer of data between classifications, people had to burn CDs, they'd use USB thumb drives, scan the data and then move it to another classification domain, hence the term sneakernet. So for years the government did that. Post 9/11 they got the idea of using CDSs to connect different classification domains, different agencies, together. And the definition of a CDS, to me, is the connection of two distinct classification domains: so secret to top secret, unclassified to secret, unclassified to top secret. So you might think that's a firewall or just a filter. No, it has some distinctions. SELinux or Trusted Solaris will label the data coming in on either side, so packets will be labeled secret, top secret, unclassified, and those are distinct, separate domains on the system. It uses mandatory access controls, so no discretionary access controls; the access controls are set by the system, even system administrators cannot change access controls. And data-driven security: this is important because it understands the data that's flowing through the box, right? So not only are you allowing just an important protocol, you're allowing, and it's available to be leaked, I don't know, but it's probably a good idea to protect some of this critical infrastructure with something like a CDS, and an enclave might help here too. If I built a system to protect my citizens from rockets falling down on their heads, I probably don't want that information to get in the hands of my adversaries, so making sure that data that's critical is not flowing through your network is important.

Some examples of CDS: data flow, proxy, push-pull and one-way transfer, and I'll go through each quickly. Data flow and proxy: you'll have a TCP connection on either side or a UDP connection on either side; you're actually connecting to the CDS, the guard. Push-pull is a pretty cool paradigm: it acts as a client on both sides, or one side or the other, right, so we'll look at that. And one-way transfer is basically one-way fiber transfer to get data into a network, but data cannot flow out.

So this is an example of data flow. This is a company (sidebar: they're from the UK actually, so the US isn't the only one that makes cross domain solutions). They built a guard that does XML, and you can see not only does it understand the XML that's flowing through it, it does all these checks as the data flows through: it does a virus check, schema, embedded content. That's what I just talked about: it actually knows the tags that are flowing through it, right, a whitelist of XML tags that are flowing through it, and it understands the embedded content within those tags. So if it's supposed to be a 10-digit integer, that's all that can flow through it; if it's nine digits, if it's ASCII text, it'll drop that traffic. And all sorts of other things: a sig check, label checking, transform, normalize. Transform and normalize would probably be something like data scrubbing, so if there's a dirty word in there, an acronym that's classified, it might drop that.

Push-pull: this is an interesting example because the CDS here acts as a client only, so it'll go out to file servers on the unclassified side and the secret side in this example and just push and pull files and act as a client. You can have hardware or software firewalls on either side. So let's say the unclassified side gets compromised by attackers and they do a scan in your network; they're not going to see this CDS, it's going to be a MAC address only on the switch, right? The only way that they would be able to get into this enclave is to compromise this file server and see that some weird system is actually connecting and pulling data, which is a pretty interesting and cool way to hide, and black-hole, your CDS from the bad guys.

One-way CDS is pretty simple. This is called the Fox data diode. This has transmit and receive on the black side, and on the red side you have a one-way fiber transfer, so transmit on the data diode and receive only on the red proxy server over here. So it's connected only one way with fiber, so it physically cannot transfer data back through to the unclassified side. And this is a really good way to pull data from the internet, from unclassified networks: NTP data, GPS data for example, or if you're mining social networks or monitoring people on the internet, this is a good way to flow
data back into your classified side for analysis, right? Take a drink of water, sorry, dry.

So some pros. Cost, right: you don't have to pay the guy to burn CDs and transfer data between your classification domains anymore. Data sharing: you can share data between classification domains, between agencies, on a quicker basis, make it more available. Internet data: you can pull data from the internet into your classified systems without actually worrying about data reversing out. Power and cooling is another example I thought of. Raytheon makes a product, a thin client where a CDS sits in the middle and they can actually virtualize desktops from different classification domains, so if a guy has six different workstations on his desk you can actually collapse that into one thin client. And if you've ever been at a government facility, a lot of guys have, you know, secret, top secret, unclassified workstations all over the place; if you can collapse those you save them power and cooling.

Some cons. Cost is a con too, right: the more complex the system, a data flow system for example, the more it's going to cost for those experts to come in and configure that for you. Availability: if your CDS goes down, if your data center is taken out, do you have the ability to come back and institute that sneakernet if you fired that guy that you didn't need anymore, right? Vulnerabilities and complexity kind of go hand in hand. These systems are built mostly using open-source, COTS products, that kind of stuff, so it's really scary to think that you're introducing a connection where there wasn't a connection before, on an air-gapped network, with potentially vulnerable software. And complexity: the more systems you connect together, the more chances there are you might misconfigure it, right, and data might flow the wrong way, or you leave a hole open and the bad guys can get in.

Some examples of COTS/GOTS products: Raytheon's High Speed Guard, Boeing Hardware Wall, TCS trust cigar (these guys got bought by Raytheon, I think), and Northrop Grumman smart necks, which is an email classification filter, so you can send emails between classification domains. There are dozens of these. I put these up here because there's a theme here, right: these are government contractors, these aren't software companies, so oftentimes they'll build these systems on, like I said, COTS and open-source products, and their focus isn't software building, so it's kind of scary to me a little bit.

This is Boeing's Hardware Wall, this is right off their site. You'll see here different classification domains, top secret, secret, unclassified, and within those are different compartments. And this is hard to see, I know, but I put this in here because I wanted to show how complex systems can get very quickly. Theoretically you have unclassified internet down here and you have top secret SCI compartments up here, and they're connected via the same box, right? So any vulnerability in the system, any SELinux vulnerabilities, or vulnerabilities introduced by misconfigured policy or software, would allow an attacker to jump from here to here, right, and that's a bad thing.

The MDX system: I ran across this, this was a new one to me. They were nice enough to share exactly what software they use to build their CDS on their website, and I don't think I would run Oracle Java on my CDS, I wouldn't run MySQL and Splunk on my CDS; those are traditionally vulnerable COTS products that, if you're trying to separate classification levels and you're protecting critical data, critical infrastructure, it's a bad day.

This was another new one to me. These guys hit me up on Twitter and they told me to check out their product when they saw that I was doing this talk, and I asked them, I said, so you're using SELinux, Trusted Solaris? What's your trusted platform underneath your CDS? And they responded, I'm going to quote here: "it uses algebraic modeling for new implementation of trustworthy computing, SELinux, Trusted Solaris equivalent but usable." And my vaporware meter kind of spiked a little there. They have some smart guys working for them, but if I was going to build a CDS I'd probably use a known trusted platform, right?
So what do you look for when you're testing these things? It's similar to testing commercial networks, commercial products: think like an attacker. Data exfiltration, confidentiality is key; that's number one of the CIA triad when you're looking at CDSs. You're trying to keep the data confidential on the one side. Remote control: is there a way to shovel a TCP reverse shell through a CDS to command and control a classified network, one that controls drones for example, or one that controls the submarine networks? You know, the possibilities are endless because these things are deployed everywhere. Data integrity: can you send an authenticated message through a CDS that could potentially be misconstrued as an actual message telling people to do things like sink a ship? Data exfiltration: similar exfil techniques to DLP. How do you get through those strongly typed XML fields? Can you encode the data, right? You might know that it takes a 10-digit number, but can you encode data within that to exfil classified data from top secret to secret? Some other things off the top of my head: TCP options, you can encode data there; IPv6 headers; HTTP headers; regular data encoding, base64 encoding, if you're not looking for that it will pass through your CDS and potentially get out; steganography, if you're passing imagery data, people can hide stuff in there, right?

So what's different about testing a CDS? Every control is relevant, right? If you have ever done certification and accreditation on government systems, the more controls, the harder it is to pass it, the harder it is to actually test it, and when you're looking at something like NIST 800, there's 600-plus controls that are applicable to these systems, so it makes it really tough, really challenging to test these systems. You might have competing agencies, right: you might have the FBI on one side of a CDS and NSA on the other; they have completely different ideas about how they want to secure their systems, right, and it creates a whole political firestorm and it makes it difficult. Non-traditional: so what I mean by that is the old-school guys don't want to connect secret and top secret or different classification domains. They don't get the warm and fuzzy seeing an actual connection between these two networks, right? So you kind of have to, not do a little bit of smoke and mirrors, but give them the warm and fuzzy that these systems are actually secure and built with a trustworthy platform, right? And there's Common Criteria, and the folks that know how to test these systems kind of build the executive report so people understand that they've taken due diligence.

The government saw fit to build a Unified Cross Domain Management Office. So this website went online, according to archive.org, about 2007, and they went offline in 2013, so I'm not sure what happened to this office. Hopefully they didn't get cut, budget cuts or sequestration or any of that, because I think it's really important to have one overarching office oversee these cross domain solutions, right? Otherwise each agency, each compartment, is handling their own business. And they had an approved products list and they had a set of controls to test cross domain solutions against, and now they're gone, but there's still a bunch of data on archive.org; I've got a link in my links to that.

Some commercial uses: SCADA, I know the data diodes and one-way transfer systems are starting to protect networks, utilities, that kind of stuff; finance; IP vols; forensics networks, I'm thinking if you could tell a judge that there's no way data can get out of your forensics network, that you're keeping that data safe, potentially it's kind of like a write blocker on the network; transportation systems, I'd like to know that trains and planes and cars are being protected by systems that are strongly typed, that are whitelisting instead of blacklisting, which is what most people are relying on nowadays, unfortunately.

Some challenges, I kind of talked about these before. Binary data: if you have images flowing through your CDS, how do you know if that's classified? You kind of need to set human eyes on that, say hey, this is a satellite image that shouldn't pass through, and then maybe put some XML metadata on that image. Encryption: if you don't have the keys, you can't see what it is, so it'll flow right through. Speed and RFCs: you kind of see this with commercial proxies as well; the more you inspect the traffic as it flows through, the slower it gets, because more CPU cycles, that kind of thing. RFCs: different developers have different ideas of how to implement protocols, so these CDSs break things often. Data classification, and this one's kind of near and dear to me, because people tend to over-classify their data. They tend to think that their data is way more classified
than it actually is, and if people would classify their data correctly it would eliminate the need for these cross domain solutions, it would eliminate the need for secrecy, and maybe we could have a little bit more transparency.

Serious concerns, AKA what keeps me up at night. These systems are developed and configured on unclassified networks, so what's to say you're not downloading a package that's trojaned when you're using open-source software to build a CDS? That leads to the chicken-or-egg problem: once you plug a CDS into a highly classified network it takes that classification, it automatically becomes that highest classification. Then you run into the chicken-or-egg problem, and I just talked about that. Reciprocity is a term that people use for evaluating products like, say, a Juniper firewall: once it's evaluated at a certain level then it can be deployed without actual testing. And because these are built specifically for certain programs, projects and protocols, they need to be tested individually. You can't just say, well, I bought a Boeing Hardware Wall and I'm going to plug it in and I don't need to test it or pen test it because it's been tested against that level before. The idea of a crossover process: so with trusted computing you have to have something, when you're transferring data, to actually transfer the data between the highly sensitive side and the unclassified side, and this is your trusted process. This is the process that actually transfers data; it's the equivalent of the guy that burns CDs and transfers them back and forth. So what's to say there's no vulnerabilities? Who's looking at the source code of these crossover processes that are being built on different guards? There could be vulnerabilities; maybe people have found vulnerabilities in these that allow data to flow the wrong way, for example. And this, I think this came from PostgreSQL, Security-Enhanced PostgreSQL, which is a cross-domain kind of RDBMS.

Some takeaways from the talk. CDSs need to be tested and tested and tested: find some smart pen testers to go in and try and hack these things, because they're protecting our most secret and important classified networks. No more air gap networks: I don't think there really are any more air gap networks unless it's so legacy that it doesn't support TCP/IP. There aren't any more air gaps; whether it's six degrees of separation or sixty degrees of separation, somewhere down the line everything is connected to the internet, which is a scary, scary thought to me. De facto builds, operating systems, COTS products should be scrutinized, open source, right: we saw with OpenSSL, that was considered a trusted platform and is used all over the place, and had a serious, serious bug. No more UCDMO, I'm assuming this, and it's scary if there isn't any more management office to actually oversee the approved products list for these CDSs. Access control: take it out of the users' hands, don't let users set access controls for critical files and critical infrastructure; discretionary access controls are dead, don't use them anymore, start using SELinux. Future project, potentially: OpenCDS, an open-source cross-domain solution distro that would simulate what I've seen in my experience, and it would be for testing purposes only, obviously, and built using Tresys tools, open-source tools that they have for building SELinux policies and things like that. If anyone's an SELinux expert and wants to help me with that, maybe you can hit me up on Twitter. So any links, references
are on this Tumblr, I posted them yesterday. Special thanks to Phil, my mentor, and BSides for having a mentor track. This wasn't a very popular talk but it was cool to give it, and thanks to my wife and my mom, who will find this video no matter how obscure it may be. That's my contact info, and any questions?

All right, talking about one-way? Sure, so this only allows data into the network, so you'd have to use something connectionless like UDP to shovel data across. Yep, put it on this proxy server and then it would shovel it via one-way transfer over here. That's a good question. You'd have no TCP connections here because you don't have a reverse fiber to allow that, you know, SYN, ACK, ACK transfer there. Good question.

Yeah, yeah, I mean theoretically anyone could purchase one and implement it. I've never seen a commercially implemented CDS. I know friends that have worked in utilities and things like that said that these things are being sold to them as kind of, not a silver bullet, but a way to protect their SCADA networks without implementing a whole bunch of other controls. Thanks, good question.

It's interesting. Did you know how critical the systems you were looking at were? I knew what the mission was. You didn't have any access to... Was anyone looking at your source code? Cool.

Um, lack of knowledge, you know, SELinux is that thing you turn off? Yeah, I don't know, that's a really good question. I think, I hate to say it because I'm a sysadmin myself, but I think sysadmins keep that discretionary control, right, they want to keep that root over the whole system and they don't want to give up their role as God. I think that might be a part of it. But yeah, I don't know, it's hard, it is a simple answer, right, it's really hard to implement mandatory access controls. It takes time and knowledge, right, so you can't just flip a switch and have it, and in tradition, right, I don't know, what do you think?

Yeah, okay, yeah, I don't know. So I think I'm out of time, but if anyone wants to talk we can go to the chill-out room and talk. Thanks, thanks for your time, appreciate it. Nice, late in the day.
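The strongly typed XML field checks the talk describes, together with its point that base64-encoded data slips through a guard that only checks types, as an added example that is not part of the talk or of any vendor's guard: a small Python filter with a constructed whitelist (a hypothetical <track> message with track_id, callsign and note fields, a placeholder dirty word, and constructed sample messages) that drops unknown elements, content that fails its declared type, base64-like runs in free text and dirty words.

```python
import re
import xml.etree.ElementTree as ET

# Constructed whitelist for a hypothetical <track> message: the only child
# elements allowed through, each with the exact pattern its content must match
# (fullmatch is used, so nine digits or ASCII text in a ten-digit field fails).
ALLOWED_FIELDS = {
    "track_id": re.compile(r"[0-9]{10}"),
    "callsign": re.compile(r"[A-Z]{3,8}"),
    "note": re.compile(r"[A-Za-z0-9 .,]{0,80}"),
}
REQUIRED_FIELDS = {"track_id"}
# Placeholder standing in for a classified acronym on the dirty-word list.
DIRTY_WORDS = {"PROJECT ALPHA"}
# A long run of base64 alphabet characters inside free text is the kind of
# encoded payload that passes a plain type check, so it is flagged separately.
ENCODED_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def inspect_message(xml_text):
    """Return (accept, reasons); reasons is empty exactly when accept is True."""
    reasons = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return False, [f"malformed XML: {exc}"]
    if root.tag != "track":
        return False, [f"root element <{root.tag}> is not <track>"]
    if root.attrib or (root.text or "").strip():
        reasons.append("<track> carries attributes or stray text")
    seen = set()
    for elem in root:
        # Attributes, nested elements and tail text are side channels the
        # whitelist says nothing about, so they are rejected outright.
        if elem.attrib or len(elem) or (elem.tail or "").strip():
            reasons.append(f"<{elem.tag}> carries attributes, children or tail text")
        pattern = ALLOWED_FIELDS.get(elem.tag)
        if pattern is None:
            reasons.append(f"<{elem.tag}> is not a whitelisted element")
            continue
        if elem.tag in seen:
            reasons.append(f"<{elem.tag}> appears more than once")
        seen.add(elem.tag)
        text = (elem.text or "").strip()
        if not pattern.fullmatch(text):
            reasons.append(f"<{elem.tag}> content {text!r} does not match its type")
        if elem.tag == "note":
            if ENCODED_RUN.search(text):
                reasons.append("<note> contains a base64-like run")
            if any(word in text.upper() for word in DIRTY_WORDS):
                reasons.append("<note> contains a dirty word")
    for missing in sorted(REQUIRED_FIELDS - seen):
        reasons.append(f"required <{missing}> is missing")
    return not reasons, reasons


if __name__ == "__main__":
    # Constructed samples: the first is clean, the second hides an encoded blob
    # in a free-text field that satisfies the type pattern.
    print(inspect_message("<track><track_id>1234567890</track_id><callsign>ALPHA</callsign></track>"))
    print(inspect_message("<track><track_id>1234567890</track_id><note>Q2xhc3NpZmllZCBkYXRh</note></track>"))
```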