What does ‘Security’ mean for Ubiquitous Applications?



Transcript of What does ‘Security’ mean for Ubiquitous Applications?

Page 1: What does ‘Security’ mean for Ubiquitous Applications?

What does ‘Security’ mean for Ubiquitous Applications?

Ross Anderson

Cambridge

Page 2

Outline of Talk

Security can help to control technical complexity, by limiting interaction

It can help control complexity of use - security usability will be a big growth area

It is also about conflict - about tussles for commercial control, user privacy

First, let’s look at some ubiquitous applications

Page 3

Ubicomp (1) - Smart Dust

Thousands of motes deployed in a self-organizing network for surveillance

This is in conflict with the interests of the party under surveillance

There may be capable opponents - enemies who deploy ‘black dust’ against your ‘white dust’

Also privacy issues - e.g. if US law prevents monitoring US citizens without a warrant

Security partly ‘military’, partly regulatory

Page 4

Ubicomp (2) - RFID

Passive tags returning 128-bit unique ID

Story about ‘refilling your fridge’ - but at heart, RFID is about controlling supply chains

US privacy row - can a third party scan not just what you’re wearing but where you bought it, when and for how much?

Triggered widespread resistance - from trade-policy wonks to fundamentalist Christians

Serious political objection: RFID enables manufacturers to clamp down on grey market trading, in contravention of EU Single Market

Page 5

Ubicomp (3) - in the Car

Latest cars have 40-50 CPUs, CANBUS, Bluetooth

Closest so far to Ubicomp ideal of computers embedded invisibly everywhere - with a serious attempt to make them usable, automatic etc

Growing problem of feature interaction - multiple administrators / ‘owners’

Worries about platform vulnerability

From the privacy angle, the combination of GSM, GPS, logging, road pricing and DRM is bad stuff

Also, issues with aftermarket control

Page 6

Ubicomp (4) - The Digital Home

Vision (e.g. Toshiba U-home) - appliances talk via UWB, 802.11, Bluetooth, IR, RFID

Home gateway talks broadband to the world

But trust management gets complex!

Issues of policy - multiple domains (do teens have privacy from parents and/or vice-versa?)

Issues of practice - how do you mate the access control / DRM systems of multiple platforms?

How can my mother manage all this stuff?

Page 7

A Possible Framework

One machine - standard computability, complexity theories; programming tools

One person - applied psychology

One person, one machine: HCI

One machine, many people: access controls

One person, many machines (or: many apps) - feature interaction, conflict, more HCI issues

Many people, many machines: more complexity, more conflict, affecting more and more sectors

Page 8

How can the security engineer help?

First goal: control system complexity from the programmer’s viewpoint

Feature interaction is the fastest-growing source of new problems

We can help ensure that one application only interacts with another via the official interface (compartmented operating systems, ‘Trusted Computing’)

We can also help ensure that the application programming interface can’t be manipulated (API security - see my papers with Mike Bond)

Page 9

VSM Attack (2000)

Top-level crypto keys exchanged between banks in several parts carried by separate couriers, which are recombined using the exclusive-OR function

[Figure: Source HSM and Dest HSM exchanging key parts KP1 and KP2; the two message traces below are the source side and the destination side]

Source HSM:

Repeat twice…
User->HSM : Generate Key Component
HSM->Printer : KP1
HSM->User : { KP1 }ZCMK

Combine components…
User->HSM : { KP1 }ZCMK , { KP2 }ZCMK
HSM->User : { KP1 xor KP2 }ZCMK

Dest HSM:

Repeat twice…
User->HSM : KP1
HSM->User : { KP1 }ZCMK

Combine components…
User->HSM : { KP1 }ZCMK , { KP2 }ZCMK
HSM->User : { KP1 xor KP2 }ZCMK

Page 10

API attack: XOR To Null Key

A single operator could feed in the same part twice, which cancels out to produce an ‘all zeroes’ test key. PINs could be extracted in the clear using this key

Other API manipulation attacks were found on essentially all crypto processors on the market!

Combine components…
User->HSM : { KP1 }ZCMK , { KP1 }ZCMK
HSM->User : { KP1 xor KP1 }ZCMK

KP1 xor KP1 = 0
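The two slides above (the key-part exchange on page 9 and the XOR-to-null-key observation on page 10) can be run through in a toy model. The Python below is an added example, not code from the talk or from any HSM vendor: ToyHSM, its harden flag, and the opaque handles that stand in for a component encrypted under the master key ZCMK are all assumptions made for illustration. It shows the honest dual-control flow at the source and destination HSMs, the zero key that falls out when the same wrapped part is submitted twice, and the two checks a hardened combine operation would apply.

```python
from __future__ import annotations

import secrets

KEY_LEN = 16  # 128-bit key parts, the size on the slide (toy model)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Combine two equal-length key parts with exclusive-OR, as the couriered parts are."""
    if len(a) != len(b):
        raise ValueError("key parts must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


class ToyHSM:
    """Hypothetical model of the slide's 'combine components' API.

    An opaque random handle stands in for a part encrypted under ZCMK:
    the user can store and resubmit the blob but cannot read it, and only
    the HSM maps handles back to clear key material.
    """

    def __init__(self, harden: bool = False):
        self._store: dict[str, bytes] = {}  # handle -> clear part, inside the HSM only
        self.harden = harden

    def _wrap(self, part: bytes) -> str:
        handle = secrets.token_hex(8)  # models { part }ZCMK
        self._store[handle] = part
        return handle

    def generate_component(self) -> tuple[str, bytes]:
        """Source HSM: fresh part; clear copy goes to the printer/courier, wrapped copy to the user."""
        part = secrets.token_bytes(KEY_LEN)
        return self._wrap(part), part

    def import_component(self, part: bytes) -> str:
        """Destination HSM: the user types in a couriered part and gets it wrapped."""
        return self._wrap(bytes(part))

    def combine_components(self, handle1: str, handle2: str) -> str:
        """Return { KP1 xor KP2 }ZCMK. With harden=False this is the API as described on the slide."""
        kp1, kp2 = self._store[handle1], self._store[handle2]
        if self.harden and (handle1 == handle2 or kp1 == kp2):
            # Check 1: the same part submitted twice cancels to zero, so refuse it.
            raise ValueError("duplicate key part rejected")
        key = xor_bytes(kp1, kp2)
        if self.harden and key == bytes(KEY_LEN):
            # Check 2 (defence in depth): never hand out an all-zero key, whatever the inputs.
            raise ValueError("combined key is all zeros")
        return self._wrap(key)

    def export_for_audit(self, handle: str) -> bytes:
        """Not a real HSM operation; lets the demos below inspect what the HSM holds."""
        return self._store[handle]


def demo_transport() -> bool:
    """Honest flow: two parts generated at the source, couriered, re-entered at the destination."""
    src, dst = ToyHSM(), ToyHSM()
    h1, kp1 = src.generate_component()
    h2, kp2 = src.generate_component()
    src_key = src.export_for_audit(src.combine_components(h1, h2))
    dst_key = dst.export_for_audit(dst.combine_components(dst.import_component(kp1), dst.import_component(kp2)))
    return src_key == dst_key == xor_bytes(kp1, kp2)


def demo_null_key() -> bool:
    """Unhardened HSM: feeding { KP1 }ZCMK twice yields the all-zero key (KP1 xor KP1 = 0)."""
    hsm = ToyHSM()
    h1, _ = hsm.generate_component()
    return hsm.export_for_audit(hsm.combine_components(h1, h1)) == bytes(KEY_LEN)


def demo_hardened() -> tuple[bool, bool]:
    """Hardened HSM still serves the honest flow but rejects the duplicate part."""
    hsm = ToyHSM(harden=True)
    h1, _ = hsm.generate_component()
    h2, _ = hsm.generate_component()
    honest_ok = hsm.combine_components(h1, h2) in hsm._store
    try:
        hsm.combine_components(h1, h1)
        rejected = False
    except ValueError:
        rejected = True
    return honest_ok, rejected


if __name__ == "__main__":
    print("honest transport, source and destination keys agree:", demo_transport())
    print("unhardened HSM produces the all-zero key:", demo_null_key())
    print("hardened HSM (honest ok, duplicate rejected):", demo_hardened())
```

The duplicate check alone is the minimum the page's observation calls for; the all-zero check behind it costs nothing and catches the same outcome reached by any other route, which is why the model applies both.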

Page 11

New Research Problems?

Turning TC / API security ideas into working products will be non-trivial

Another black hole: maintainability

E.g. at present most security literature is about bootstrapping into a secure state - once Alice and Bob share a key, we head for the pub!

Bugs in products are not usually fixed - you are expected to buy a new mobile phone every year. But this won’t work for air-conditioners!

Page 12

More on Maintainability

Parallel: early software engineering work was on producing large programs from scratch; now it’s about evolution. Theses are no longer written on the ‘waterfall model’ but on ‘extreme programming’

We have almost no literature on security resilience, and on automatic recovery after compromise

Our own tentative ideas: ‘Smart Trust for Smart Dust’, Anderson, Chan and Perrig, ICNP 2004

But we will need much, much more!

Page 13

How can we help? (2)

Second goal: control system complexity from the user’s viewpoint

The current bottleneck is security usability

It’s taken 30 years to come up with (barely adequate) ways of managing the millions of bits of security state in a typical company

The home is more complex still!

Meanwhile, consumers have difficulty with VCR programming and basic PC admin

Page 14

Ubicomp and Usability

U-Vision - embedded devices will be easy to use, thus eliminating the PC’s frustrations

More sober view (Odlyzko) - trade-off between flexibility and ease of use is different for different users (and same user at different times/tasks)

Norman’s ‘human-centered engineering’ assumes mature products (a long way off!)

‘We will still be frustrated, but at a higher level of functionality, and there will be more of us willing to be frustrated’

Page 15

Odlyzko’s warning

Home environment is likely to be more complicated than today’s office environment, and home users generally less knowledgeable

We may have to outsource the setup and maintenance of home appliances to experts - that is, remote administration

Users given varying degrees of control, ‘depending on skills and trustworthiness’

We can already see the beginnings of this in mobile phone and car electronics markets

Page 16

Perils of Remote Admin

I just don’t want Bill running my home!

His competitors should like it even less!

Even with open standards, there will be severe tensions. Plumbing nightmares will be replaced by call-centre hell

Cynical view: if the equilibrium is set by customers’ frustration tolerance, more usable systems means you can sell more stuff before this point is reached

Page 17

Page 18

Market Demand for Usability?

‘Microsoft has triumphed because it has given us what we asked for: constant novelty coupled with acceptable stability, rather than the other way around. ... People talk simplicity but buy features and pay the consequences. Complex features multiply hidden costs and erode both efficiency and simplicity.’ (E Tenner, ‘The Microsoft We Deserve’, NYT)

Page 19

Usability and Incentives

User sees his phone banking app not as a Vodafone thing but a Citibank thing

If it works, Citibank gets the credit

If it doesn’t, Vodafone gets the blame

Incentives aren’t right for the app vendor or the platform vendor

Worse - there are half-a-dozen stages in the supply chain. Who’ll do the work?

Page 20

The Right Abstractions?

Roles, or groups?

Brands?

Locations?

Other restrictions on state?

People? (biometrics, nyms?)

Directories, or file types?

Machine owners, or file creators?

What does it mean to ‘lock the digital front door’?

Page 21

Scientific challenge

Computer scientists have spent the last 50 years building tools that help developers get a little bit further up the complexity mountain

‘Risk thermostat’ - 30% of big projects fail, but they are bigger projects each year

But the complexity that now matters most, for building predictably dependable systems, is not from the CPU’s viewpoint but the brain’s

What should we design now instead of languages, compilers and CASE tools?

Page 22

The Broader Aspects

As everyday objects acquire intelligence, it is as if they are under magic spells

Motorola’s phones have magic that stops them working with other firms’ batteries

HP’s printers are under a spell that stops them working with other firms’ ink

Microsoft’s new IRM stops Office documents working with OpenOffice

Where will it end? How should governments regulate a world of magic spells?

Page 23

Economics of Information Security

Over the last four years, we have started to apply economic analysis to information security

Economic analysis often explains security failure better than technical analysis!

Information security mechanisms are used increasingly to support business models rather than to manage risk

Economic analysis is also vital for the public policy aspects of security

Page 24

Traditional View of Infosec

People used to think that the Internet was insecure because of lack of features – crypto, authentication, filtering

So engineers worked on providing better, cheaper security features – AES, PKI, firewalls …

About 1999, we started to realize that this is not enough

Page 25

New View of Infosec

Systems are often insecure because the people who could fix them have no incentive to

Bank customers suffer when bank systems allow fraud; patients suffer when hospital systems break privacy; Amazon’s website suffers when infected PCs attack it

Security is often what economists call an ‘externality’ – like environmental pollution

Security is also increasingly used to support business models by locking in customers, tying products etc

Page 26

Current Security Economics Research Topics

Understand differences between growing and mature markets (bargains then rip-offs; security ignored then later used to lock in customers)

Why do people say they value privacy but act as if they don’t?

Do we spend too little on security, or too much?

Where are the incentives misaligned, and why?

What’s the appropriate government policy?

Economics and Security Resource Page – www.cl.cam.ac.uk/~rja14/econsec.html

Page 27

The Soft World

Effects of technology are always overestimated short-term but underestimated long-term

Putting CPUs and comms into every thing costing over a few bucks will change the world

Software will provide ever more of the value

Many industries will become ever more like the software industry

We’ll get the good (flexibility), the bad (frustration) and the ugly (monopolies)

Page 28

Conclusions

Ubiquitous computing presents many security research opportunities

We can apply existing work in compartmented operating systems, API security, crypto etc

We face serious new challenges in security usability and in maintainability

Economic and policy aspects are also nontrivial - security is a socio-technical system

Understanding the interplay of technical, design and policy issues is the really hard challenge