Hello, Michael Weiss here. Nothing like having two Michaels around to confuse everyone. At least there are only two here. On a previous team, I was one of five Michaels.
Over the next several weeks, I’ll be posting a series of entries to help explain why I do what I do for the SDL team. Today marks the first of them. It’s a twofer, since the first part doesn’t fully make sense until you read the second part.
You Can’t Outrun the Bear
It’s a wild world out there. When you’re walking through the forest of the Internet, there are hungry bears all around you. The thing is, you can’t outrun the bear. Well, you can, but it’s very hard, not worth it, and not necessary, because you can avoid being eaten without having to outrun the bear in the first place. And contrary to popular belief, simply being faster than the other guy won’t necessarily protect you.
There are two ways you can avoid being eaten. The first is to have little meat, in which case your gross value is low. The other is to be fast enough that it would cost the bear more in energy to catch you than it would gain from eating you, in which case your gross cost is high. In either case, the bear makes a determination of your net value, that is, your gross value minus your gross cost. If the net value is positive, the bear chases you. If the net value is negative, the bear leaves you alone. This graph helps illustrate the point.
The blue line represents zero net value. As long as you are above the blue line, you have a negative net value so you’re safe; if you’re under the line, you have a positive net value so you’re dinner. In software, if you’re the green dot in the Dinner Zone, how can you move toward the Safe Zone? One way is to increase the gross cost to your attackers, by closing off the easy avenues of attack. The SDL was created to provide a mechanism to systematically do this.
While the SDL can move you toward the Safe Zone, it’s not necessarily going to get you all the way there. But that’s OK, because in the real world, you’re not the only bear food.
Let’s assume on this second graph that you are represented by the green dot, and some other potential target (your buddy, maybe?) is represented by the orange dot. You have a more secure system than him (your dot is higher up, costing the attacker more), so the orange dot person gets targeted instead of you. But what about that other person (represented by the red dot)? Sure, you have a more secure system, but you’re also a more valuable target (your dot is farther to the right). Since you’re farther from the blue line than the red person is, the attacker will go after you before working on the red person; you have a higher net value, despite having a higher gross cost.
In other words, just being more secure isn’t enough if you’re also a more valuable target.
Decreasing your gross value is rarely easy. For example, if you’re a bank, you could choose not to have any money. Willie Sutton would certainly lose interest in you. At the same time, your value as a bank is gone, too…hardly a sustainable business model. Besides, attackers rarely know exactly what they will gain from a successful attack on you. Sure, they might get control of your machine, but there’s no telling what’s on it. So, other than under extraordinary circumstances, they can at best make educated guesses. Put another way, attackers gamble based on their belief of your gross value.
In most cases, it takes far less effort to increase the attacker’s cost than to decrease your gross value. This is why most people will buy security systems for their homes before they give up the big flat-screen TVs. Applying the SDL and increasing the attackers’ costs, therefore, is a great way to protect yourself from those bears out there.
Based on what I said thus far, it’s easy to conclude that very few of us would be potential victims. After all, if you’re not a bank or some similar high-value target, you’re not worth attacking, right? Attackers have a weapon that deflates this argument.
Let’s Make a Deal
In the classic game show Let’s Make a Deal, host Monty Hall gave contestants a choice between keeping an existing prize or trading it for something hidden behind various doors. The contestant had to determine whether it was worth the gamble for an unknown prize.
An attacker would have to do the same, investing the same amount of time on the second victim as on the first, were it not for the magic of amortization. With amortization, an attacker can trade current assets (the investment of time, and maybe some equipment and/or money, to craft the attack) to open not only Door #1, but also Doors #2 through 1,000,000, collecting whatever is behind all of them. It’s an offer no contestant could refuse.
Let’s put this on the graph to see how amortization works.
So let’s assume you are still represented by the green dot, but note your new location. You’re easy to attack, but you’re not really valuable. On Let’s Make a Deal, this would be like giving up the diamond ring for a year’s supply of laundry detergent. Congratulations, you’re in the safe zone, so you don’t need to do anything, right?
Not necessarily. If the vulnerability that you have is shared with others, then the attacker can aggregate all of you at a very small increase in cost. To the attacker, all of the victims aggregate to a single high value at low cost. To the attacker, it’s trading the one diamond ring for a million years’ supply of laundry detergent. The attacker can open a store online to sell the excess and really clean up! Collectively, then, you are represented by the red dot…very high value in aggregate, at a small increase in cost over attacking you alone. So you’re not really in the safe zone at all. You’re deep in the danger zone!
A real world example of this is the use of vulnerabilities in Windows to create botnets. The same vulnerability existed on millions of machines, so even though a single bot is of sufficiently low value as to render the individual machine safe (i.e., where the green dot is), the low additional cost of applying that same attack to millions of machines made the attack worthwhile to an attacker. Collectively, the botnet is represented by the red dot.
But you don’t even need to have exactly the same software across multiple machines in order for amortization to work. An entire class of vulnerability, such as SQL injection, can benefit from amortization. So even if you write your own application, to be used in a single installation, on a singularly low-value machine, you can still find yourself a member of the collective dreaded red dot!
If you’re a member of such a group, increasing the cost to an attacker pays even bigger dividends. By applying the SDL, you can improve your security, pull you out of the group, and therefore move you up the graph. Furthermore, as you increase your differentiation from the herd, you become harder to aggregate, which (from the attacker’s perspective) moves you to the left as well. The rest of the group you left behind can be bear food.
So you can see that it’s not only unnecessary to outrun the bear, but it’s also not necessarily enough to be faster than the other guy. By applying a systematic, thorough approach to security, such as through the SDL, you can become hard enough to attack that you can significantly reduce your risk.