Emergent Vulnerabilities and Attacks: A Complex Threat Landscape

NATHANIEL HUSTED NHUSTED@INDIANA.EDU
INDIANA UNIVERSITY
Personal Introduction

PhD Candidate at Indiana University

Focus in “Security Informatics” from the School of Informatics and
Computing

Primarily interested in the intersection between Complex Systems
and Information Security

Other work includes applied cryptography and GPU programming

You can find other work by me at:


http://scholar.google.com/citations?hl=en&user=NtjDU-oAAAAJ
Involved in the Midwest Hacker Scene via Derbycon
(http://www.derbycon.com/)
Evolutions in devices and the
Internet are changing threats.


“Smart” Mobile devices are ubiquitous

Smartphones are now the dominant phone device in most developed
nations.

Their market share is growing rapidly in developing nations.
Our Internet usage behavior has changed.

No longer primarily “consumption” oriented

Far more “production” oriented

We now generate far more personal and sensitive information.

We now carry all this sensitive information with us in a small box that
has a high-speed always-on Internet connection.

This small box is (generally) always on our person.

Our digital social interactions reflect our physical social interactions
far more than they used to.
The combination of social interaction, the physical world,
and the digital world creates a new threat landscape that
involves Emergent Vulnerabilities and Emergent Attacks.
Discussing Emergent Vulnerabilities
and Attacks
1. I’ll start with definitions.
2. I’ll explain the domain-specific vocabulary from the definitions.
3. We’ll return to the definitions after an understanding of the
vocabulary.
4. We’ll talk about how emergent vulnerabilities and attacks affect
privacy.
Emergent Vulnerabilities

An emergent vulnerability is a property of a complex system that
causes one or more elements of that complex system, whether they
be software, hardware, or individuals, to enter into a vulnerable
state if and only if that complex system is in an appropriate
macro-emergent state.

This is a modification of Bishop’s original definition of vulnerability [1]
Emergent Attacks


An emergent attack is one, or both, of the following:
1. An attack whose outcomes exhibit emergent or self-organizing
properties.
2. An attack that relies on self-organized collusion between attackers.

This is a modification of Bishop’s original definition of attack [1].
Required background vocabulary.
1. Complex System
2. Emergence and Macro-Emergent
3. Self-Organization
What is a Complex System?

The focus of the discipline called Complex Systems.

It’s not the same as a “complicated” system.

Is known by many names:

Complex Adaptive Systems [2]

Complex Networks

Organized Complexity [3]
Organized Complexity according
to Warren Weaver.
“What makes an evening primrose open when it does?
Why does salt fail to satisfy thirst? Why can one particular
genetic strain of microorganisms synthesize within its minute
body certain organic compounds that another strain of
the same organism cannot manufacture?”
Situating the definition of
Organized Complexity.

Best understood when situated between its sibling problem spaces:

Organized Simplicity

Solutions: Discrete mathematical analysis.

Organized Complexity

???

Disorganized Complexity

Solutions: Statistical mechanics.

Image: http://www.mcgeesmusings.net/images/WeinbergTypesOfSystemsModesOfThought.gif
A limited working definition for
Complex Systems.


Systems have the following:

Many agents each with a set of descriptive properties

The agents interact with one another

It exists in some environment
A Complex System is a system that exhibits the properties of
Organized Complexity in that it displays one or both of the following:
1. Emergence
2. Self-Organization
Examples of Complex Systems

An Ant Colony
(image: http://peripateticeric.files.wordpress.com/2013/01/ants.jpg)

A Social Network
(image: http://www.fmsasg.com/SocialNetworkAnalysis/SocialNetworkAnalysis_Graph.gif)
Emergence

A phenomenon where the dynamic behavior of a system’s
elements allows the system as a whole to exhibit a different and
novel behavior.

De Wolf and Holvoet [4] provide 8 characteristics:
1. The system must exhibit the micro-macro effect.
2. The macro level behavior must be radically novel.
3. The macro-emergent must exhibit coherence.
4. The elements of a system must be able to interact.
5. The system must change over time.
6. The system must not be centrally controlled.
7. There must be a two-way link between micro and macro behavior.
8. The system must be robust and flexible.
Emergence: The Game Of Life
https://upload.wikimedia.org/wikipedia/commons/thumb/e/e5/Gospers_glider_gun.gif/220px-Gospers_glider_gun.gif

From four simple rules, novel behaviors emerge.
Self-Organization

A phenomenon where the dynamic behavior of a system’s
elements allows the system to organize itself with no exterior control.

Self-Organization must meet five characteristics:
1. There must be no external control.
2. There must be some “measurable” increase in order over a period of
time.
3. The system must be robust to changes.
4. The elements must interact.
5. There must be no global synchronization of signal passing.
Self-Organization: A School of Fish
http://www.kulfoto.com/pic/0001/0028/b/5OsVj27134.jpg

Fish organize based on the position of the nearest fish and potential
environment cues.
Dissecting the definition of
Emergent Vulnerability

An emergent vulnerability is a property of a complex system that
causes one or more elements of that complex system, whether they
be software, hardware, or individuals, to enter into a vulnerable
state if and only if that complex system is in an appropriate
macro-emergent state.
Dissecting the definition of
Emergent Vulnerability: An Example

Example: A Wireless Tracking Network [6]

The Complex System: Individuals and their mobile devices

The Environment: A metropolitan area

The Interaction:
1. General human mobility (commutes, shopping, etc.)
2. Detecting wireless signals when in range

The Vulnerable State: Given enough detectors in an area,
individuals can have their movements tracked a majority of the
time.
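
An added example, not taken from the talk or from [6]: a small agent-based model of the system described above, measuring how often a person is within range of some detector as the share of detector-carrying devices grows. The grid size, population, detection reach and random-walk mobility are assumptions chosen for illustration.

```python
import random

def simulate(n_people, n_detectors, size=20, steps=100, reach=1, seed=7):
    """Mean fraction of time steps in which a person without a detector is
    within `reach` cells of at least one detector-carrying person."""
    rng = random.Random(seed)
    pos = [(rng.randrange(size), rng.randrange(size)) for _ in range(n_people)]
    detectors = range(n_detectors)           # the first n_detectors agents
    victims = range(n_detectors, n_people)   # everyone else
    seen = 0
    for _ in range(steps):
        # Interaction 1: mobility, modelled as a random step on a
        # wrap-around grid (assumed stand-in for commutes and shopping).
        pos = [((x + rng.choice((-1, 0, 1))) % size,
                (y + rng.choice((-1, 0, 1))) % size) for x, y in pos]
        # Interaction 2: a detector senses every device within reach.
        covered = set()
        for d in detectors:
            cx, cy = pos[d]
            for dx in range(-reach, reach + 1):
                for dy in range(-reach, reach + 1):
                    covered.add(((cx + dx) % size, (cy + dy) % size))
        seen += sum(pos[v] in covered for v in victims)
    return seen / (steps * len(victims)) if victims else 0.0

def sweep(n_people=200, fractions=(0.0, 0.01, 0.05, 0.25, 0.75)):
    """Tracked-time fraction for each share of detector-carrying devices."""
    return {f: simulate(n_people, round(f * n_people)) for f in fractions}

if __name__ == "__main__":
    for share, tracked in sweep().items():
        print(f"detector share {share:>5.0%}: tracked {tracked:.0%} of the time")
```

No single detector sees more than its immediate surroundings; the exposure appears only once the population of detectors is dense enough, which is the macro-emergent state in the definition.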
Dissecting the definition of
Emergent Attack

An emergent attack is one, or both, of the following:
1. An attack whose outcomes exhibit emergent or self-organizing
properties.
2. An attack that relies on self-organized collusion between attackers.
Dissecting the definition of
Emergent Attack: An Example

Example: The Soundcomber prototype malware [5].

Complex System: A set of malicious applications, each having a very
simple behavior

Environment: Software ecosystem on a smartphone

The Interaction:


First application collects and processes audio data

Second application exfiltrates the data.
The Self-Organizing Behavior:

Malware split into many autonomous parts that organize to exfiltrate
private data.
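
An added example, not from the talk or from [5]: a defender-side audit showing why reviewing each application alone misses the split described above, while looking at pairs surfaces it. The package names and the inventory are constructed; the two permission strings are the standard Android names for microphone and network access.

```python
from itertools import permutations

RECORD_AUDIO = "android.permission.RECORD_AUDIO"
INTERNET = "android.permission.INTERNET"
SOURCES = {RECORD_AUDIO}   # permissions that can collect sensitive data
SINKS = {INTERNET}         # permissions that can send data off the device

# Constructed inventory of installed apps (hypothetical package names).
APPS = {
    "com.example.voicememo": {RECORD_AUDIO},
    "com.example.weather": {INTERNET},
    "com.example.flashlight": set(),
    "com.example.voip": {RECORD_AUDIO, INTERNET},
}

def per_app_flags(apps):
    """Per-app review: flag an app only if it alone holds a source and a sink."""
    return sorted(name for name, perms in apps.items()
                  if perms & SOURCES and perms & SINKS)

def collusion_candidates(apps):
    """Pair review: (collector, sender) where the collector holds a source
    but no sink, so it passes per-app review, and the sender holds a sink."""
    return sorted((a, b) for a, b in permutations(apps, 2)
                  if apps[a] & SOURCES and not apps[a] & SINKS
                  and apps[b] & SINKS)

if __name__ == "__main__":
    print("flagged alone:", per_app_flags(APPS))
    for collector, sender in collusion_candidates(APPS):
        print("review together:", collector, "->", sender)
```

The pairs are a triage list for further review, not evidence of collusion; an actual transfer also needs a channel between the two apps.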
Dissecting the definition of
Emergent Attack: An Example
[Figure labels: Mallory; Alice’s Smartphone; Android’s Audio Interface; Analyze DTMF Tones; Side Channel; Internet Access; Send out results]
Emergent Vulnerabilities and
Attacks as threats to privacy.

The naïve reason: Most modern attacks focus on stealing your PII

Their existence relies on social norms and interactions, thus tying
them to personal information and actions.
Why should we care about Emergent
Vulnerabilities and Attacks?

I’m aware of no work done to formalize them.

Some work has been done that demonstrates examples, but does
not use the terminology.

Soundcomber

Mobile Epidemiology

They are bound to show up as mobile devices and constant networked
activity become the norm.
Conclusion

This work is expanded on in my dissertation

Follow my dissertation work in progress

http://www.cs.indiana.edu/~nhusted/dissertation.html

I recommend dissertating in the open!

Emergent Vulnerabilities and Attacks provide a foundational
paradigm in which to discuss threats that we will face in the future.

We must work on formalizing a set of techniques to analyze the
threat they pose.

Agent Based Modeling

Epidemiology

Provenance
Questions? Comments?
Citations
1. Bishop, Matt. "Introduction to Computer Security." (2004).
2. Holland, John H. "Complex adaptive systems." Daedalus 121.1 (1992): 17-30.
3. Weaver, Warren. "Science and complexity." American scientist 36.4 (1948): 536-544.
4. De Wolf, Tom, and Tom Holvoet. "Emergence versus self-organisation: Different concepts but promising when combined." Engineering self-organising systems. Springer Berlin Heidelberg, 2005. 1-15.
5. Schlegel, Roman, et al. "Soundcomber: A Stealthy and Context-Aware Sound Trojan for Smartphones." NDSS. Vol. 11. 2011.
6. Husted, Nathaniel, and Steven Myers. "Mobile location tracking in metro areas: malnets and others." Proceedings of the 17th ACM conference on Computer and communications security. ACM, 2010.