Re: Important Comments re: INtrusion Detection

["Steven M. Bellovin" <smb () research att com>]

At 10:14 AM 2/16/98 +1100, Darren Reed wrote:
> In some mail I received from Aleph One, sie wrote
> > On Sun, 15 Feb 1998, Steven M. Bellovin wrote:
> > > You're right about firewalls, but possibly wrong about non-proxy IDS's.
> > > A non-proxy IDS doesn't necessarily need a full stack, and hence wouldn't
> > > be vulnerable to bugs in one.  Suppose, for example, that a TCP segment
> > > with all flag bits on would make a given TCP fall over.  An IDS might
> > > or might not realize that such a packet was malicious.  But if it didn't
> > > use TCP to process it, it wouldn't be harmed.  Clearly, the more closely
> > > an IDS mimics the behavior of an end system, the more vulnerable it is.
> > > I made this point about firewalls with lots of proxies a few days ago --
> > > the more functionality you have, the more vulnerable you are.
> >
> > I see what you mean. I guess my point was the any network program that
> > accepts input from a possibly aggressive source may contains
vulnerabilities
> > in the code that processes such input. You are correct in that the
> > obviously complex task of implementing a TCP/IP stacks is one such process
> > with a greater chance of demonstrating such vulnerabilities but inasmuch
> > that a network intrusion detection system processes this type of input
> > they are at risk too.
>
> This raises the argument for using "secure" operating systems, which can
> potentially detect abnormal events in `sub-processes' which handle TCP,
> etc, and confine their ability to do damage.

Yes, but -- or, more properly, *BUT*.  A "secure" operating system --
and I suspect that you used quotes for the same reason I did -- would
indeed help.  *BUT* we need a new definition of security.

I've never seen a formal definition of "security" for a UNIX system.
Informally,
though, I'd say it's secure if a process operating as a non-privileged user
(and by that I mean not root, bin, lpr, uucp, daemon, etc.) can obtain access
to files that would not be permitted by a static examination of the state of
the file system at the start of the operation.  (There are lots of nits one
can
pick here, such as "what about the su command?"  Please don't bother -- this
is, as noted, an informal definition.)

"Orange Book" systems follow a formal model of security:  Bell-Lapadula.
It's arguable if that model is really useful in today's world; it's much
clearer that mandatory access controls don't add much to firewalls, and
probably not to intrusion detection systems.  

Can one come up with a suitable definition?  I don't know.  I'm fairly sure,
though, that it's not a trivial problem to come up with a definition
that's both suitable and useful.  (By "useless", I mean something like
"ignores all packets with the EVIL bit set"...)