COMPUTER (IN)SECURITY — INFILTRATING OPEN SYSTEMS

Ian H. Witten
Department of Computer Science
The University of Calgary
2500 University Drive NW
Calgary, Canada T2N 1N4

November 1986
Revised March 1987

Shared computer systems today are astonishingly insecure. And users, on the whole, are blithely unaware of the weaknesses of the systems in which they place — or rather, misplace — their trust. Taken literally, of course, it is meaningless to "trust" a computer system as such, for machines are neither trustworthy nor untrustworthy; these are human qualities. In trusting a system one is effectively trusting all those who create and alter it, in other words, all who have access (whether licit or illicit). Security is a fundamentally human issue.

This article aims not to solve security problems but to raise reader consciousness of the multifarious cunning ways that systems can be infiltrated, and the subtle but devastating damage that an unscrupulous infiltrator can wreak. It is comforting, but highly misleading, to imagine that technical means of enforcing security have guaranteed that the systems we use are safe. It is true that in recent years some ingenious procedures have been invented to preserve security. For example, the advent of "one-way functions" (explained below) has allowed the password file, once a computer system's central stronghold, to be safely exposed to casual inspection by all and sundry. But despite these innovations, astonishing loopholes exist in practice.

There are manifest advantages in ensuring security by technical means rather than by keeping things secret. Not only do secrets leak, but as individuals change projects, join or leave the organization, become promoted and so on, they need to learn new secrets and forget old ones. With physical locks one can issue and withdraw keys to reflect changing security needs. But in computer systems, the keys constitute information which can be given out but not taken back, because no-one can force people to forget. In practice, such secrets require considerable administration to maintain properly. And in systems where security is maintained by tight control of information, quis custodiet ipsos custodes — who will guard the guards themselves?

There is a wide range of simple insecurities that many systems suffer. These are, in the main, exacerbated in open systems where information and programs are shared among users — just those features that characterize pleasant and productive working environments. The saboteur's basic tool is the Trojan horse, a widely trusted program which has been surreptitiously modified to do bad things in secret. "Bad things" range from minor but rankling irritations through theft of information to holding users to ransom. The inevitable fragilities of operating systems can be exploited by constructing programs which behave in some ways like primitive living organisms. Programs can be written which spread bugs like an epidemic. They hide in binary code, effectively undetectable (because nobody ever examines binaries). They can remain dormant for months or years, perhaps quietly and imperceptibly infiltrating their way into the very depths of a system, then suddenly pounce, causing irreversible catastrophe. A clever and subtle bug† can survive recompilation despite the fact that there is no record of it in the source program. This is the ultimate parasite. It cannot be detected because it lives only in binary code. And yet it cannot be wiped out by recompiling the source program! We might wonder whether these techniques, which this article develops and explains in the context of multi-user timesharing operating systems, pose any threats to computer networks or even stand-alone micros.

† Throughout this article the word "bug" is meant to bring to mind a concealed snooping device as in espionage, or a micro-organism carrying disease as in biology, rather than an inadvertent programming error.

Although the potential has existed for decades, the possibility of the kind of "deviant" software described here has been recognized only recently. Or has it? Probably some in the world of computer wizards and sorcerers have known for years how systems can be silently, subtly infiltrated — and concealed the information for fear that it might be misused (or for other reasons). But knowledge of the techniques is spreading nevertheless, and I believe it behooves us all — professionals and amateurs alike — to understand just how our continued successful use of computer systems hangs upon a thread of trust. Those who are ignorant of the possibilities of sabotage can easily be unknowingly duped by an unscrupulous infiltrator.

The moral is simple. Computer security is a human business. One way of maintaining security is to keep things secret, trusting people (the very people who can do you most harm) not to tell. The alternative is to open up the system and rely on technical means of ensuring security. But a system which is really "open" is also open to abuse. The more sharing and productive the environment, the more potential exists for damage. You have to trust your fellow users, and educate yourself. If mutual trust is the cornerstone of computer security, we'd better know it!

The trend towards openness

Many people believe that computer systems can maintain security not by keeping secrets but by clever technical mechanisms. Such devices include electronic locks and keys, and schemes for maintaining different sets of "permissions" or "privileges" for each user. The epitome of this trend towards open systems is the well-known UNIX operating system, whose developers, Dennis Ritchie and Ken Thompson, strove to design a clean, elegant piece of software that could be understood, maintained, and modified by users. (In 1983 they received the prestigious ACM Turing Award for their work.) Ken Thompson has been one of the prime contributors to our knowledge of computer (in)security, and was responsible for much of the work described in this article.

The most obvious sense in which the UNIX system is "open" is illustrated by looking at its password file. Yes, there is nothing to stop you from looking at this file! Each registered user has a line in it, and Figure 1 shows mine. It won't help you to impersonate me, however, because what it shows in the password field is not my password but a scrambled version of it. There is a program which computes encrypted passwords from plain ones, and that is how the system checks my identity when I log in. But the program doesn't work in reverse — it's what is called a "one-way function" (see Panel 1). It is effectively impossible to find the plain version from the encrypted one, even if you know exactly what the encryption procedure does and try to work carefully backward through it. Nobody can recover my plain password from the information stored in the computer. If I forget it, not even the system manager can find out what it is. The best that can be done is to reset my password to some standard one, so that I can log in and change it to a new secret password. (Needless to say this creates a window of opportunity for an imposter.) The system keeps no secrets. Only I do.

Before people knew about one-way functions, computer systems maintained a password file which gave everyone's plain password for the login procedure to consult. This was the prime target for anyone who tried to break security, and the bane of system managers because of the completely catastrophic nature of a leak. Systems which keep no secrets avoid an unnecessary Achilles heel.

Another sense in which UNIX is "open" is the accessibility of its source code. The software, written in the language "C", has been distributed (to universities) in source form so that maintenance can be done locally. The computer science research community has enjoyed numerous benefits from this enlightened policy (one is that we can actually look at some of the security problems discussed in this article). Of course, in any other system there will inevitably be a large number of people who have or have had access to the source code — even though it may not be publicly accessible. Operating systems are highly complex pieces of technology, created by large teams of people. A determined infiltrator may well be able to gain illicit access to source code. Making it widely available has the very positive effect of bringing the problems out into the open and offering them up for public scrutiny.

Were it attainable, perfect secrecy would offer a high degree of security. Many people feel that technical innovations like one-way functions and open password files provide comparable protection. The aim of this article is to show that this is a dangerous misconception. In practice, security is often severely compromised by people who have intimate knowledge of the inner workings of the system — precisely the people you rely on to provide the security. This does not cause problems in research laboratories because they are founded on mutual trust and support. But in commercial environments, it is vital to be aware of any limitations on security. We must face the fact that in a hostile and complex world, computer security is best preserved by maintaining secrecy.

A pot-pourri of security problems

Here are a few simple ways that security might be compromised.

Guessing a particular user's password.

Whether your password is stored in a secret file or encrypted by a one-way function first, it offers no protection if it can easily be guessed. This will be hard if it is chosen at random from a large enough set. But for a short sequence of characters from a restricted alphabet (like the lower-case letters), an imposter could easily try all possibilities. And in an open system which gives access to the password file and one-way function, this can be done mechanically, by a program!

In Figure 2, the number of different passwords is plotted against the length of the password, for several different sets of characters. For example, there are about ten million (10^7) possibilities for a 5-character password chosen from the lower-case letters. This may seem a lot, but if it takes 1 msec to try each one, they can all be searched in about 3 hours. If 5-character passwords are selected from the 62 alphanumerics, there are more than 100 times as many and the search would take over 10 days.

To make matters worse, people have a strong propensity to choose as passwords such things as

- English words
- English words spelled backwards
- first names, last names, street names, city names
- the above with initial upper-case letters
- valid car license numbers
- room numbers, social security numbers, telephone numbers, etc.

Of course, this isn't particularly surprising since passwords have to be mnemonic in order to be remembered! But it makes it easy for an enterprising imposter to gather a substantial collection of candidates (from dictionaries, mailing lists, etc) and search them for your password. At 1 msec per possibility, it takes only 4 minutes to search a 250,000-word commercial dictionary.

A study some years ago of a collection of actual passwords that people used to protect their accounts revealed the amazing breakdown reproduced in Figure 3. Most fell into one of the categories discussed, leaving less than 15% of passwords which were hard to guess. Where does your own password stand in the pie diagram?

Finding any valid password.

There is a big difference between finding a particular person's password and finding a valid password for any user. You could start searching through the candidates noted above until you found one which, when encrypted, matched one of the entries in the password file. That way you find the most vulnerable user, and there are almost certain to be
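The Figure 2 arithmetic and the list of easy-to-guess categories above, worked through as a password-setting policy check in an added example (this is not code from the article; the 1 msec per trial cost and the 26- and 62-symbol alphabets are the article's figures, while the COMMON word list is a constructed stand-in for the dictionaries and name lists the text mentions):

```python
import string

# Alphabets plotted in the article's Figure 2: 26 lower-case letters, 62 alphanumerics.
LOWER = string.ascii_lowercase
ALNUM = string.ascii_letters + string.digits
TRIAL_SEC = 0.001  # the article's assumption: 1 msec to try one candidate


def search_space(length, alphabet_size):
    """Number of distinct passwords of `length` characters over an alphabet."""
    return alphabet_size ** length


def exhaustive_search_seconds(length, alphabet_size, trial_sec=TRIAL_SEC):
    """Worst-case time to try every password of this shape, one at a time."""
    return search_space(length, alphabet_size) * trial_sec


def dictionary_search_seconds(n_candidates, trial_sec=TRIAL_SEC):
    """Time to try a fixed candidate list, e.g. a 250,000-word dictionary."""
    return n_candidates * trial_sec


# Constructed stand-in for the word, name, street and city lists the article says an
# imposter would collect; a real audit would load complete lists here (assumption).
COMMON = {"secret", "password", "calgary", "alberta", "ian", "witten", "university"}


def weak_reason(pw):
    """Return the article's easy-to-guess category that `pw` falls into, or None.
    Only the categories listed in the article are checked, so None is not a
    certificate of strength; it only means none of those cheap searches finds it."""
    if not pw:
        return "empty"
    low = pw.lower()
    if low in COMMON:
        if pw[0].isupper() and pw[1:].islower():
            return "word/name with initial upper-case letter"
        return "English word or name"
    if low[::-1] in COMMON:
        return "English word or name spelled backwards"
    if pw.isdigit():
        return "number (room, telephone, licence, social security, etc.)"
    if len(pw) <= 5 and pw.isalpha() and pw.islower():
        # Figure 2 case: every such string can be tried in a few hours at 1 msec each.
        return "short lower-case string (exhaustively searchable)"
    return None
```

Running `weak_reason` on a proposed password at the moment it is set, before it is passed through the one-way function, rejects exactly the categories that make up most of the Figure 3 pie.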