[Model-t] My thoughts on a substantive threat model
Watson Ladd <watsonbladd@gmail.com> Wed, 07 August 2019 06:05 UTC
From: Watson Ladd <watsonbladd@gmail.com>
Date: Tue, 06 Aug 2019 23:04:56 -0700
Message-ID: <CACsn0cmNEYE_oBbZk3mKHAWrBnbrqZJ1ZbCnqjpmCwd7ATRA8g@mail.gmail.com>
To: model-t@iab.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/model-t/1ItcFej_MrbBJaruh4IpPjp-B3I>
List-Id: Discussions of changes in Internet deployment patterns and their impact on the Internet threat model <model-t.iab.org>
Dear all,

Below are my typically uninformed and overly indulgent musings.

Since we are talking about threat models I decided to go back to read one of the great examples, the Ware report. While from a time before networking, it manages to anticipate a great many of the threats that we discuss on end user systems, and the great difficulty of security in an open environment. However, now we have the ratio of computers to users being greater than one, and the challenge is protecting users from "themselves", but really the programs they run, something for which traditional OS models are very unsuited. (I assume of course that one can implement a security policy and enforce it: absent this assumption, which only seL4 meets, all is hopeless.)

But we live in a networked world, and the fundamental gap between endpoint security and network security has always, since the days of NFS, been the general non-representation of principals on the network. A browser has a very nontrivial task of enforcing a very complex security policy, and a web application has all sorts of ambient authority, both in the browser and when making requests to other services from its server, that can lead to problems, recapitulating the ontology of the kernel. The only two systems I know of that really tried to address this are Plan 9 and Ethos. Athena and AD on Windows can come half-way, but they aren't very universal: most Windows machines aren't part of AD in any way, and websites certainly don't use it mostly. I'm certain there are other attempts, and I am not as familiar with Athena and Windows as I should be.

If we want to make an adequate threat model including endpoint security, it's hopeless. Endpoint compromise leaves one with nothing, likewise host compromise (even ignoring that these are traditionally differentiated on budget). You need an enclave à la U2F security keys, but that needs to be done correctly, and even then it helps marginally. (They get to read your email when logged in, but don't retain access. A win? Yes, but they still got your email.)

But what I think we can do is pay attention to principals and the sadly distributed nature of security policy enforcement, and try as much as possible to make mechanisms that are in one place and easy to use to enforce security. This unfortunately is research and involves APIs.

By contrast I'm very uninterested in just how big the latest default public S3 bucket is or what's in it. We've established the principle, the rest is just haggling, and it isn't clear what a threat model that says "you might have very valuable resources with bad permissions due to configuration errors" does to inform protocol designers.

It does seem we have quite a few perspectives on what's missing, and hopefully we can come to some sort of idea about commonalities/scoping. I've found the conversations rather illuminating as to the diversity of perspectives.

Sincerely,
Watson Ladd