Report on the 1996 Annual Computer Security Applications Conference (ACSAC)
by Jeremy Epstein


[Editor's note: Jeremy could not attend all of the sessions, so he cautions that these notes are incomplete -- in particular, none of the sessions after early afternoon on Thursday are covered. If you would like to make it more complete by sending me a note, please do, and I will update the Web version of this report. CEL]

The 12th Annual Computer Security Applications Conference (ACSAC) was held December 8-13 in San Diego, CA. While the organizers put together an excellent conference, the weather was cold and rainy - exactly what most of us were hoping to escape! The first two days of the conference were devoted to tutorials, which I did not attend.

The keynote speech by David Keyes of the FBI described the Presidential Commission on Critical Information Infrastructure, its structure and goals. The commission (whose Web page www.pccip.gov should be operational by the end of the year) is chartered with making recommendations on protecting the national infrastructure and setting up an organization to carry out those recommendations. Most commission members (half of whom will be from private industry) have not yet been appointed, so real work has not yet started. A pointed questioner asked what would be accomplished by this commission other than a report, since others (e.g., "Computers at Risk") have already pointed out the problem, and there's been no action. Mr. Keyes said that this time there's a plan to set up an implementation organization, which will mean that the recommendations won't simply go on the shelf.

The distinguished lecturer was Dr. Roger Schell of Novell, whose talk was titled "The Internet Rules but the Emperor Has No Clothes". Dr. Schell is one of the earliest members of the security community, and is widely credited as "father of the Orange Book". Dr. Schell's thesis refers to the fairy tale "The Emperor's New Clothes", in which highly paid tailors accept large sums of money to create imaginary clothes, and everyone but a small child is afraid to tell the emperor. In that vein, Dr. Schell suggested that many of our solutions are elegant clothes for a naked emperor. He noted that while the problems change, the underlying security requirements do not, and high assurance systems are more necessary today than ever. Making users responsible for their own security assessments is akin to having them "performing their own brain surgery", Dr. Schell asserted. Third party assessments (such as those performed by the NCSC) are more valuable than ever. Dr. Schell pointed out that the "penetrate and patch" model of security didn't work in the past and still doesn't work today. Many recent innovations are dangerous; he called Java an "automatic malicious software distribution mechanism." Dr. Schell proposes that high assurance MLS is exactly what companies need to protect themselves from the Internet. He also criticized the Common Criteria (CC), which confuses the security field by providing unlimited numbers of incomparable security targets so users cannot compare products. Finally, he suggested that the CC has more than made up for the terseness of the TCSEC. In total, a thought-provoking and provocative lecture.

The main body of the conference had two tracks. On Wednesday, both tracks were refereed papers and panels. On Thursday and Friday there was one refereed paper/panel track and a vendor presentations track.

Track A, late Wednesday morning

The "Security Engineering" session was chaired by Jody Heany of MITRE.

Andreas Sterbenz of the University of Graz (Austria) described the Java security model. His concern was not with bugs in implementation, but rather with the overall design. He proposed a four-layer model consisting of the language, virtual machine, runtime library, and runtime environment. Flaws in each of the layers can result in security violations, as the overall security architecture is quite fragile. In response to a question, he said that Microsoft's ActiveX uses signed applications, but he had no other information. He also said that the new version of Java due out in the spring adds digital signatures for applets, but doesn't solve the underlying weaknesses. An audience member added that Sun recently posted a Java security model on their Web page.

The second paper in the session was "Implementing Security Policy in a Large Defence Procurement" presented by Michael Nash of Gamma Secure Systems. He described the design and implementation of a very large integrated system for the Royal Air Force supplies and engineering. The system will have 35,000 users at 100 sites at a cost of about US$750M. Most information is either unclassified or restricted (less classified than U.S. Confidential). A small amount of information is Secret, and the system was designed to process and protect both classified and unclassified data. After designing the system, they determined that very few users needed access to the classified data and that the classified data was static. As a result, they put the classified data on CDROMs and provide standalone machines to access it in those few locations where it is needed, rather than dealing with MLS problems.

The final paper in the session, "An Authenticated Camera" was presented by Chris Hall from Counterpane Systems. The camera in question is a design but has not been built. It provides a digital signature of each picture including a hash of the image, the time and date, and the identity of the user taking the picture. A method similar to cipher block chaining prevents a sequence of images from being played back with one or more images omitted. They wanted a guarantee of location (so it would prove where the picture was taken), but this was impossible because GPS data isn't trusted (i.e., it is not signed so as to prevent forgery). The camera cannot guarantee that what is in the picture is real (i.e., that the image is of an actual scene rather than of a prop). The design assumes that the camera can be protected from tampering. Other considerations are use of an accurate clock and feasible methods of authenticating to the camera (such as using a thumbprint).
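The chaining idea in the camera design can be shown in a few lines. This is an added example, not code from the paper or from this report: an HMAC from the Python standard library stands in for the camera's digital signature, and the key, field names and sample frames are constructed assumptions.

```python
import hashlib
import hmac
import json

CAMERA_KEY = b"constructed-demo-key"  # assumption: secret held inside the tamper-protected camera
GENESIS = "00" * 32                   # assumption: chain value before the first picture

def _tag(record):
    """MAC over the canonical JSON form of a record (stand-in for the camera's signature)."""
    body = json.dumps(record, sort_keys=True).encode()
    return hmac.new(CAMERA_KEY, body, hashlib.sha256).hexdigest()

def take_picture(chain, image, user, timestamp):
    """Append a record binding image hash, time, user and the previous record's tag."""
    record = {
        "image_sha256": hashlib.sha256(image).hexdigest(),
        "time": timestamp,
        "user": user,
        "prev": chain[-1]["tag"] if chain else GENESIS,
    }
    chain.append({**record, "tag": _tag(record)})

def verify(chain, images):
    """Return (True, None) or (False, reason) for a presented sequence."""
    if len(chain) != len(images):
        return False, "record/image count mismatch"
    prev = GENESIS
    for i, (entry, image) in enumerate(zip(chain, images)):
        record = {k: v for k, v in entry.items() if k != "tag"}
        if not hmac.compare_digest(entry["tag"], _tag(record)):
            return False, f"record {i}: bad signature"
        if record["image_sha256"] != hashlib.sha256(image).hexdigest():
            return False, f"record {i}: image altered"
        if record["prev"] != prev:
            return False, f"record {i}: chain broken (picture omitted or reordered)"
        prev = entry["tag"]
    return True, None

def demo():
    images = [b"frame-0", b"frame-1", b"frame-2"]  # constructed sample images
    chain = []
    for n, img in enumerate(images):
        take_picture(chain, img, "operator-1", f"1996-12-11T10:00:0{n}")
    full = verify(chain, images)
    omitted = verify(chain[:1] + chain[2:], images[:1] + images[2:])
    return full, omitted
```

Chaining alone does not reveal pictures dropped from the end of the sequence; a verifier needs the latest tag or a picture count from another source to catch that.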

Track A, early Wednesday afternoon

The "Secure Links" session was chaired by Ravi Sandhu.

Myong Kang of NRL presented the first paper, titled "A Case Study of Two NRL Pump Prototypes". The NRL pump is a secure one-way device that allows for information flow from low to high while maintaining performance and minimizing covert channels. Two versions of the pump were built: the E-pump (an event-driven pump) which is an application layer pump implemented as trusted software running on a Wang XTS-300, and the D-pump (a network pump) which was built on DOS as a transport layer pump. The focus of the talk was on comparing the two versions. The E-pump won't lose messages because it waits until the high application acknowledges receipt of a message before discarding it, while the D-pump (because it operates at the transport layer) can only wait for acknowledgment by the receiving system. The D-pump performed better than the E-pump, since it was running on a system with much lower overhead. The authors concluded that the application layer (not the transport layer) is the right place to build the pump, but that a more efficient high-assurance system is needed for the pump to be practical.

The second paper in the session was "Asymmetric Isolation" presented by John Davidson of Norex. Like the pump, this idea is a secure one-way device. Unlike the pump, there are no acknowledgments, and hence no potential for covert channels. By using a fiber optic cable, they were able to build the low-to-high channel using off-the-shelf parts, and gain a high degree of assurance that no information flows from high to low. Some configuration file manipulation was necessary to prevent confusing systems as to how to route packets. Several audience members pointed out that this approach means that the low system must self-throttle to avoid overrunning the high system, which could lead to the high system losing data.

The final paper in the session was "Starlight: Interactive Link" by Mark Anderson of the Australian Defence Science and Technology Organisation (DSTO). This paper, which won the "best paper award", described a hardware device and associated software that allow running windows of two classifications on an untrusted workstation running UNIX and X. The architecture is a high computer which displays the data and runs X applications, a low computer that runs X applications, and the Starlight device that connects the two computers. The keyboard and mouse are connected to the Starlight device, and the user selects whether the input should be treated as high or low using a physical switch (thus routing the input to the appropriate computer). A surrogate X server on the low machine allows X clients to run unmodified while passing information from low to high; a surrogate X client on the high machine allows the real X server at high to run unmodified with the low X clients. The system does not provide visible window labels, but a device attached to the monitor provides LEDs to indicate whether the user is operating at high or low.

Track A, late Thursday morning

The "Security Architecture" session was chaired by Emilie Siarkiewicz from Rome Laboratory.

The first paper, "Using Fortezza for Transparent File Encryption" presented by Jeremy Epstein of Cordant, described the design of the Assure product (a DOS/Windows security add-on) and how they used Fortezza to replace DES for transparent file encryption. Several of the Fortezza features that work well for message encryption (such as automatic creation of new initialization vectors whenever data is encrypted) make transparent file encryption very difficult to implement. The product uses a shadow file structure to hold Fortezza encryption keys and initialization vectors, which a questioner pointed out is fragile in the case of file system corruption.

The second paper, "An Extended Capability Architecture to Enforce Dynamic Access Control Policies" was not presented.

The third paper, "SIGMA: Security for Distributed Object Interoperability between Trusted and Untrusted Systems" was presented by Deborah Shands as neither of the authors was available. SIGMA is trying to facilitate MLS operations within the context of CORBA. The concept of a "multilevel enclave" introduced in the presentation drew some questions. Readers can find details on the project at the TIS web site under distributed systems research, at http://www.tis.com/docs/research/distributed/sigma.html

Track A, early Thursday afternoon

The "Firewalls" session was chaired by Jeremy Epstein of Cordant.

The first paper, "Operation Chain Link: The Deployment of a Firewall at Hanscom Air Force Base" was presented by Dan Vukelich (the author, Julie Connolly, was unable to attend due to a blizzard). The project started by surveying what network services were needed, and what the network security policy should be, which was termed "socializing the project". Using network monitors, they discovered several services that were being used that were not known. Before installing the firewall, it was staged in a lab using actual IP addresses, which helped find several problems before the system was turned on. After installation, they discovered several required services that hadn't been detected earlier because they were used rarely, and their use had not coincided with the monitoring period. Major concerns include ongoing maintenance due to personnel turnover, the presence of (unmonitored) communications to other military bases, and the presence of modem pools.

The second paper, "Mandatory Protection for Internet Server Software" was presented by Rick Smith of Secure Computing. Three different models of "mandatory" protection are proposed for firewalls: the change root (chroot) facility, traditional MAC, and type enforcement. Chroot allows creation of restricted portions of a file system that an application can run in, but doesn't control access to resources such as sockets. Some of the most popular firewalls, including Raptor, Gauntlet, and V-One appear to use chroot. MAC is much stronger than chroot, as it allows segregation of applications within the same computer. Cyberguard (and possibly other firewall products) use MAC as their primary protection mechanism. Type enforcement provides strict rules for what applications can do, and is claimed to be stronger than MAC. Secure Computing's Sidewinder is claimed as the only firewall using type enforcement. In response to a question about whether the type enforcement databases are difficult to configure securely, the author agreed that a head-to-head comparison would be useful. The author concluded by noting that it's depressing to think about Windows NT as the future, since it's not built to resist attack using mandatory controls.