Investigating Security Failures and their Causes: An Analytic Approach to Computer Security (thesis)

Abstract:

This dissertation examines security failures in three classes of systems: compact disc (CD)
audio recordings containing digital rights management (DRM), touch-screen electronic
voting machines, and on-the-fly disk encryption software. In each case, we study a variety
of implementations developed by different parties; we analyze their security and discover a
range of security flaws, including several entirely new categories of attacks; and we propose
new mitigations and defenses for protecting related systems. Each of these studies has
already had significant real-world impact, and we extend them with a new methodology for
studying the underlying causes of security failures and drawing broader lessons for users,
developers, researchers, and policymakers.

We begin with CD-DRM systems—security mechanisms for audio CDs that are designed
to limit copying and other uses of the music. In the course of tracing the evolution of
these technologies over three generations, we discover a range of new attacks, including
numerous ways that attackers could bypass the anticopying measures and ways that disc
producers could free-ride on other vendors’ copy-protection systems to receive the benefits
without paying. We demonstrate a new class of threats, collateral damage to the security
of CD-owners’ PCs, and argue that they are an inherent risk of DRM. We discuss additional
factors that led to these failures, including differences between the incentives of CD-DRM
vendors and their record-label customers.

Next, we turn our attention to electronic voting systems, specifically touch-screen direct
recording electronic (DRE) voting machines. We perform a detailed security evaluation of
two similar implementations, the Diebold AccuVote-TS and AccuVote-TSX, applying both
reverse engineering and source code review to reveal security flaws. We show how attackers
could exploit these flaws to tamper with election results or disrupt the voting process, and we
demonstrate a dangerous new attack vector, voting machine viruses. We compare security
problems uncovered in other DRE voting machines to suggest common causes and threats,
including failures in voting machine certification procedures and incentives that rewarded
features and time-to-market over robustness and security.

Finally, we demonstrate new threats to the security of on-the-fly disk encryption software,
which is designed to protect confidential data against an attacker who gains physical access
to the computer. We conduct a series of experiments to investigate memory remanence
in dynamic RAMs, a phenomenon largely unknown to security research that causes data
in RAM to remain intact for a short time after the memory chips lose power. Attackers
can exploit this effect to bypass operating system security and recover sensitive memory
contents, such as encryption keys. We demonstrate how this would allow an attacker to
defeat most popular disk-encryption products. We discuss how the widespread ignorance
of this basic hardware behavior relates to abstraction, a fundamental computer engineering
principle, and suggest other abstractions that might similarly conceal security threats.

In all three studies we apply new methodology that combines causal analysis with security
engineering. We adopt the concept of informative causes of failure to organize and
direct our investigations. In the pursuit of causes, we compare security flaws across different
implementations to find supporting evidence in suggestive patterns of failures. Like the
search for flaws, the search for causes seems resistant to thorough systematization, but it
has been a useful tool for guiding us to the broader lessons of these security failures.