Contrarian Minds: Whitfield Diffie
The secrets of strong security.
By Al Riske
08.Jul.04 -- Sun's chief security officer, Whitfield Diffie, has been in the business a long time. The years show in the silvery gray of his long hair and beard, but not in his eyes. There's a twinkle in Diffie's eyes and a youthful sort of restlessness in the way he sometimes folds his legs up underneath himself to get comfortable as he talks.
This is a man who first made a name for himself back in 1975 with the concept of public key cryptography, wrote an award-winning book called Privacy on the Line: The Politics of Wiretapping and Encryption, and spent much of the past decade arguing security issues with the U.S. government.
"Whit Diffie has been a very public figure for all the right causes," Bruce Schneier, author of Applied Cryptography, said in a Computerworld article.
"Few people have the kind of insights he does," Jim Bidzos, cofounder of RSA Laboratories, told Wired magazine.
The elder statesman of cryptography, Diffie has been in the security fray for more than 30 years -- a contrarian voice in a hard and thankless business -- and yet there's that twinkle in his eyes. Why?
Despite the prevalence of viruses, worms, Trojan horse programs, and denial-of-service attacks, Diffie sees light at the end of the tunnel -- and a competitive edge for Sun.
"I'm optimistic that we are going to solve a lot of the secure computing problems in the next few years," he told the audience at Comdex earlier this year.
More specifically, Diffie is optimistic about the prospects for secure computing environments -- he tries to avoid saying operating systems because he feels that narrow focus has been one reason for lack of success -- and he's happy to explain his thinking by way of anecdote, analogy, and the occasional literary allusion.
"We [the computer security community] have spent 30 years working on secure operating systems. It started about 1970, with the National Security Agency pouring billions of dollars into it. The whole program had tremendous ambition.
"The plan was to have something called the reference monitor, that would manage all access of subjects (people and processes) to objects (data structures, windows, and files)."
The general idea, Diffie says, was to create a system that could be shown to meet stringent specifications through a formal mathematical proof.
"The cost of doing that was underestimated by a factor of a hundred or a thousand. Nobody, as far as I know, has ever succeeded in proving the correctness of anything other than toy programs or sample pieces of code," Diffie says.
Aside from the high cost of proofs, there was another surprise: Nobody had fully anticipated the significance of covert channels within computers.
"It's the kind of thing people do all the time in the real world. You don't let your children see certain people, so they call them. You don't let them call, so they pass notes through intermediaries at school. You stop them passing notes, so they put postcards up in their windows and read them with telescopes," Diffie says. "The real world is made up of all sorts of things of that kind -- they come up in spy cases and insider trading cases -- but it happens inside computer systems and networks as well."
For example, Diffie says, two processes may not be allowed to communicate directly, but if one has to wait for the other, it can tell that something else is running and for how long. If the processes are cooperating, they can often exchange thousands of bits a second.
The bottom line: building a secure operating system turned out to be a much harder problem than anyone anticipated.
So why is Diffie optimistic?
For one thing, he says, we have cryptography now. "In 1970, when all this started, there was a lot less cryptography known, and the people in the U.S. who knew most of it were in NSA, which wanted cryptography to be secret."
A quick anecdote illustrates his point. "I was invited by Vint Cerf, about 1977, to come to a meeting. The meeting wasn't secret, but all the other people but me had Top Secret clearances. They wanted somebody there who knew about cryptography, because NSA wouldn't provide any information about it -- and they were working on ARPAnet security."
The important thing cryptography brings to computer security, Diffie says, is authenticatable descriptions. "You can describe the configuration of a system or a network, and today you can sign it, because we have digital signatures. That means you can pass somebody a message that can be verified, a message that says: I looked at this network and it's running in such and such a configuration, so you can trust it to do this."
Other reasons for optimism include the falling cost of hardware and the rise of networks. "Nobody seems to recognize that client-server computing, which Sun pioneered, is one of the great security developments of the late 20th century," Diffie says.
"We like to talk about the reasons UNIX is secure. The great historical reason is, you had it in university computing centers where the students were doing their homework on the same computers on which the professors were keeping their grades. At least the professors' security motivation is obvious."
Then, as the cost of computers dropped, it became feasible to put sensitive information on a server by itself. Why is that important? Diffie provides a simple analogy.
"If there are a dozen of you living in the same room, you can't avoid undressing in front of each other. On the other hand, if you get a room each, you can change in private," he says.
To illustrate the use of confinement in security, Diffie alludes to the book, The First Circle, in which Aleksandr Solzhenitsyn and a colleague are working on a secret Soviet cryptographic project.
"It's not that they were vetted and given clearances. They were political prisoners. Their politics were all wrong, but the Soviets didn't have to trust them because they weren't going anywhere," Diffie says.
"The Russians call such a prison laboratory a sharashka; in Java we call it a sandbox. You can go to a Web site you've never heard of, get some applet from it, bring it back and run it, and confine it so it can't hurt you," Diffie says.
Managing many different servers is expensive, though, so Sun also offers large machines with hardware domains -- machinery for assigning processors and memory to processes -- which go a long way toward solving the covert channels problem.
"You get the security characteristics of multiple machines," Diffie says, "with the cost characteristics of a single machine."
Diffie notes that "Most people are too busy worrying about network security problems to notice how much networks have contributed to security."
Just how important the rise of networks really is becomes clear when you realize that Sun's N1 architecture is about building computers out of networks.
"From a security point of view, that's a big improvement on the traditional von Neumann architecture, because networks are all about controlling the flow of information," Diffie says.
Dating back to computing's origins in the 1940s, von Neumann machines don't distinguish instructions from data.
"If you take this in-many-ways-desirable view," Diffie says, "you shouldn't be shocked when you find someone executing the push-down stack as instructions." A computer that can't tell instructions from data can be tricked into executing programs that will damage it.
"We have explicit protection against that in Sun machines," Diffie says, "but that weakness has been exploited a lot on the Internet."
The final reason for Diffie's optimism has to do with the advent of new computer languages such as Java.
"The natural state of a program is to be inscrutable, and if you can't tell what a program does, you can't trust it," Diffie says. "But in Java we have a language with certain characteristics built into it that discourage exactly the kind of security-critical errors that the C programming language encourages. All this business about buffer overflows -- C encourages making that mistake. Java makes it ... I hate to say impossible, but let us say virtually impossible."
A key component of Java security is what's called byte-code verification. Simply put, when you import a Java applet, the byte-code verifier checks to see that the code you're about to run is actually the compilation of a Java program, which means that all array references are guaranteed by the compiler or checked at run time.
"This is analogous to a situation where you send somebody up to get an intelligence clearance and it's refused, not because there was anything derogatory in the person's dossier but because they couldn't investigate well enough.
"Perhaps the person spent too much time backpacking in central Europe in the late eighties. They have nothing against backpackers, but this person has been out of touch long enough to have been trained at a terrorist camp somewhere."
By the same token, Diffie says, "If you have an arbitrary program, you can't tell anything about it, not even whether it's going to run forever or halt, but if you build the program environment explicitly to make some things more scrutable, you can do better."
Byte-code verification can be carried further with something called proof-carrying code.
"Imagine code arriving over the Internet. It presents its credentials and says, 'I can prove I don't eat children for breakfast; I rarely eat children for lunch.' You know: all these things you'd like to know about a program if you're going to invite it into your home," Diffie says.
As a matter of fact, Sun is currently supporting research on proof-carrying code at Cornell and Princeton.
One thing mutes Diffie's optimism. As science-fiction writer William Gibson put it: "The future is here. It's just not evenly distributed yet."
"Security is something like that," Diffie says. "We now know how to build far more secure systems, but we can't reprogram everything in the world in the next five years."
Nor will it be possible to replace all the hardware, though the hardware turns over more frequently than the code does.
Hardware, however, will play an essential role in security. For example, Diffie says, "If you have a processor that doesn't have an export-key instruction, then no malicious piece of software is going to be able to get the key out."
The ability to coordinate hardware and software gives Sun a unique advantage. Trusted Solaris is already the most secure general-purpose operating system available -- and that security will be placed on a newly solidified footing with the Solaris 10 Operating System.
"By coordinating Solaris 10 containers with Sun Fire domains," Diffie says, "we can achieve unprecedented security."
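The signed configuration description Diffie talks about earlier in the article ("I looked at this network and it's running in such and such a configuration") can be shown in a few lines of Python. This is an added example, not code from the article or from Sun: it uses a Lamport one-time hash-based signature, chosen here only because it needs nothing beyond the standard library, and the network name, settings and policy are constructed.

```python
import hashlib
import json
import secrets

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def canonical(description: dict) -> bytes:
    # Signer and verifier must hash byte-identical input, so fix key order and spacing.
    return json.dumps(description, sort_keys=True, separators=(",", ":")).encode()

def _bits(message: bytes) -> list:
    digest = _h(message)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def keygen():
    # Lamport key: 256 pairs of random secrets; the public key is their hashes.
    # A key pair must sign ONE description only: each signature reveals half the secrets.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(_h(a), _h(b)) for a, b in sk]
    return sk, pk

def sign(sk, description: dict) -> list:
    # Reveal, for each digest bit, the secret that corresponds to that bit's value.
    return [sk[i][bit] for i, bit in enumerate(_bits(canonical(description)))]

def verify(pk, description: dict, signature: list) -> bool:
    bits = _bits(canonical(description))
    return len(signature) == 256 and all(
        _h(s) == pk[i][bit] for i, (bit, s) in enumerate(zip(bits, signature)))

def trusted(pk, description: dict, signature: list, policy: dict) -> bool:
    # Trust only a statement that verifies AND describes the configuration we require.
    config = description.get("config", {})
    return verify(pk, description, signature) and all(
        config.get(k) == v for k, v in policy.items())

# Constructed sample: an auditor's statement about a hypothetical network.
DESCRIPTION = {"network": "lab-net", "examined_by": "auditor-1",
               "config": {"firewall_default": "deny", "telnet_enabled": False}}
POLICY = {"firewall_default": "deny", "telnet_enabled": False}

if __name__ == "__main__":
    sk, pk = keygen()
    sig = sign(sk, DESCRIPTION)
    print("signed description trusted:", trusted(pk, DESCRIPTION, sig, POLICY))
    altered = json.loads(canonical(DESCRIPTION))
    altered["config"]["telnet_enabled"] = True
    print("altered description trusted:", trusted(pk, altered, sig, POLICY))
```

A valid signature only shows who made the statement and that it was not altered; `trusted` still has to compare the described configuration with what the relying party requires.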