Inherently secure systems mitigate software supply chain attacks

Current futile efforts to keep an adversary out of a system can be replaced by a secure architecture that dramatically constrains the ability of an adversary who planted attacks inside a system to compromise sensitive information.

The supply chain cybersecurity problem can be solved with inherently secure engineering. Current futile efforts to keep an adversary out of a system can be replaced by a secure architecture that dramatically constrains the ability of an adversary who planted attacks (e.g., Trojan horses) inside a system to compromise sensitive information. Below is a brief analysis of how a Trusted Computer System Evaluation Criteria (TCSEC) Class A1 operating system would solve the four specific cybersecurity vulnerabilities experts say were exploited in the SolarWinds attack. Even if implemented after such an attack, the properly configured Class A1 OS prevents exfiltration of information.

Vulnerability #1: Lack of a threat model for mitigating software subversion attacks. “I don't know of any organization that incorporates what a supply chain attack would look like in their environment from a threat modeling perspective,” David Kennedy, former National Security Agency (NSA) hacker and founder of security consulting firm TrustedSec, told CSO. “This is not a discussion that's happening in security today.”

Class A1 OS solves this. Addressing supply chain attacks is a raison d'être for TCSEC Class A1. Because commercial OSs were developed by uncleared personnel, NSA created security criteria and evaluation procedures known as TCSEC Class A1. Class A1 is so rigorous that it would enable NSA to buy an OS from even the KGB (now the SVR), according to George Cotter, founding director of the National Computer Security Center. Class A1 substantially addresses subversion (SP 800-160), and TCSEC has at least eight specific requirements unique to Class A1 to defeat software subversion (i.e., supply chain) attacks.

Vulnerability #2: Pervasive impact on deployments due to a failure to keep the adversary out. “An attacker could literally select any target that has their product deployed,” Kennedy said.

Class A1 OS solves this. Pervasive mitigation from a single Class A1 device comes from a Class A1 OS with trusted distribution for wide availability. Failure at a single installation (e.g., swapped Ethernet cables, or modification of hardware) does not invalidate the Class A1 device's ability to defeat subversion for other deployments.

Vulnerability #3: No security categorization for which to enforce mandatory access control policy. “Not every user or device should be able to access any application or server on the network,” Kennedy continued. Exploiting the lack of categorization was key to the SolarWinds attack, however. The vague, mushy advice that “companies should try to put controls in place that would minimize the impact” the article advocates is hardly actionable mitigation.

Class A1 OS solves this. Class A1 defines mandatory access controls with mathematical precision and is applicable to many specific categorization policies for users and devices such that it is scientifically possible to put in place systematically enforceable controls. A Class A1 device can be configured for the specific categorization policy of an infrastructure or deployment in a trustworthy and inspectable manner. This effort can benefit from the long-recognized need described in FIPS 199 “for categorizing federal information and information systems according to an agency's level of concern for confidentiality, integrity, and availability and the potential impact on agency assets and operations should their information and information systems be compromised through unauthorized access, use, disclosure, disruption, modification, or destruction.” The MAC policy has a formal security policy model with a mathematical proof that no Trojan horse (no matter how ingeniously designed and surreptitiously inserted) can cause information flow in violation of the configured Class A1 OS policy.

Vulnerability #4: Cannot verify that no backdoor exists or remains.  “Software supply-chain attacks are some of the hardest type of threats to prevent,” CSO said.  “It's likely that the number of software supply-chain attacks will increase in the future, especially as other attackers see how successful and wide ranging they can be.” According to security expert and Harvard fellow Bruce Schneier, the only way to be sure a network is clean is “to burn it down to the ground and rebuild it.” Former homeland security adviser Thomas Bossert agreed. “A ‘do over’ is mandatory and entire new networks need to be built,” he wrote in the New York Times. To start over, however, would take decades and many billions, and there would be little basis for confidence that some clever adversary’s attack was not already somewhere in the massive attack surface of the rebuilt software.

Class A1 OS solves this. It renders previously implanted Trojan horses or “backdoors” that remain in application software incapable of exfiltrating data in violation of MAC it verifiably enforces. A Class A1 OS is also specifically designed and constructed so that evaluators can confirm that no backdoor or other malware exists in the OS itself. “The most effective approach to evaluating the security of complex systems is to deliberately construct the systems using security patterns specifically designed to make them evaluable,” wrote Mark Heckman, professor of computer science and cyber security at University of San Diego. “Just such an integrated set of security patterns was created decades ago based on the Reference Monitor abstraction . . . repeatedly and successfully used to create and evaluate some of the most secure government and commercial systems ever developed.” He is specifically talking about Class A1 OS. Its maturity is demonstrated by at least a half dozen security kernel-based OSs running for years in the face of nation-state adversaries without a single reported security patch. NIST 800-160 recently highlighted examples of “systems that have been verified to be highly resistant to penetration from determined adversaries.”
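To make concrete the MAC argument of Vulnerability #3 and the exfiltration point above, here is an added illustration (not code from the article or from any Class A1 product) of the lattice-based confidentiality policy that a reference monitor enforces: a subject may read only objects it dominates and may write only objects that dominate it, so a Trojan horse running inside a classified application can read the secret but cannot write it to a lower-classified channel. The level names and category strings are constructed for the example; the categorization policy here is the simple level-plus-category lattice, assumed rather than taken from the page.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    # Constructed hierarchy of sensitivity levels; the lattice order is numeric.
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Label:
    """A security label: a hierarchical level plus a set of non-hierarchical
    categories (the 'categorization' the article says SolarWinds targets lacked)."""
    level: Level
    categories: frozenset

    def dominates(self, other: "Label") -> bool:
        # Lattice order: level is at least as high AND categories are a superset.
        return self.level >= other.level and self.categories >= other.categories


def mac_permits(subject: Label, obj: Label, mode: str) -> bool:
    """Reference-monitor decision. Every access is mediated here, so a Trojan
    horse inside an application has no way to bypass the check."""
    if mode == "read":
        return subject.dominates(obj)   # simple security: no read up
    if mode == "write":
        return obj.dominates(subject)   # *-property: no write down
    if mode == "readwrite":
        return subject == obj           # both directions: labels must be equal
    raise ValueError(f"unknown access mode: {mode}")


def simulate_trojan(subject: Label, sensitive: Label, outbound: Label):
    """A subverted application running as `subject` tries to read a sensitive
    object and then write what it read to an outbound (lower) channel.
    Returns (read_allowed, write_allowed); the exfiltration succeeds only if both are True."""
    return (mac_permits(subject, sensitive, "read"),
            mac_permits(subject, outbound, "write"))
```

Because the write-down step is refused regardless of how the application was built or who built it, the policy defeats the backdoor without anyone having to find it first.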

“The magnitude of this national security breach is hard to overstate,” Bossert said. But we should not be surprised by this sort of attack, as it is the nearly inevitable consequence of the lack of action for many years. The concern for this eventuality was clearly stated by former NSA Director Lt. Gen. Lincoln Faurer in 2007 when he provided the following conclusion to seniors at NSA:

“Our team remains convinced that an IC disaster looms (e.g., we discover that an unfriendly state has obtained access to our most sensitive information) unless we proceed post haste to implement what NSA previously defined as a Class A1 Trusted Computing Base (TCB) in our sensitive network components and our electronic credentials. We believe the urgency of this need demands that the first set of solutions directly leverage the designs, architectures and rating maintenance plans which NSA has previously evaluated at the Class A1 level of assurance, as this is the only practical way to be confident the needed solutions can be operationally deployed in the next couple of years.”