Computer Security: The dilemma of fractal defence

Aren’t mathematical fractals just beautiful? The Mandelbrot set and the Julia set, the Sierpinski gasket, the Menger sponge, the Koch curve (see here)… Based on very simple mathematical rules, they quickly develop into a mosaic of facets slightly different from each other. More and more features appear the closer you zoom into a fractal and expose similar but not identical features of the overall picture.

 

Computer security is like these fractals, only much less pretty: simple at first glance, but increasingly complex and complicated when you look more closely at the details. The deeper you dig, the more and more possibilities open up for malicious people as the attack surface grows, just like that of “Koch’s snowflakes”, where the border length grows exponentially.

Consequently, the defensive perimeter also increases when we follow the bits and bytes layer by layer from their processing in the CPU, trickling up the software stack through the operating system via (network) protocols and APIs to user-friendly applications, up to the human “wetware” with his/her initial “Eureka”-type moment.

While this abstraction helps us make our life easier and hides the complexities of computer hardware and hardware-close computing languages, each layer adds up to form our defensive perimeter and makes any defence more difficult. The “higher” we move, the more difficult defence becomes, and the easier it is for an attacker to break in.

At the innermost layer, the CPU and RAM level, complexity makes the detection of sophisticated attacks impossible. Researchers for Google have shown recently how to manipulate RAM information by repeatedly flipping bits. Dissecting the chips in order to identify hardware manipulations doesn’t help us. We just have to assume that nobody has tampered with our hardware… (or have they?).

Moving up, software is known to be vulnerable! At the application and operating system layers, defence is even more difficult, as the number of lines of code (LOC) is huge. An early study stated that in each 1000 LOC, there are on average 10 to 20 defects (Steve McConnell in "Code Complete", 1993). Thus, bugs are discovered regularly; vulnerabilities are reported repeatedly. “Open source” software might be better in that respect, but still, who can scrutinise millions of lines of code? How do we ensure that the compiler doesn’t screw up (as exposed by Ken Thompson in “Reflections on Trusting Trust”)?

Interfaces (APIs) and protocols, the next layer of defence, are no better. Their code base is already enormous and prevalent everywhere. The Internet Protocol (IP) is just one example. The initial implementations of IPv4 were flawed, but at least many of its weaknesses were known and subsequently corrected. Now upcoming is IPv6 with no additional defences, unknown vulnerabilities, and the unfortunate guarantee that new bugs are introduced as old code is ported to IPv6.

And finally, attackers targeting us humans or our devices easily get through. Our human “defence” can be broken, either through persuasion, deception or assault on the victim. Being generally kind and sometimes naïve and convincing yourself to do what the attacker wants (“social engineering”) makes it easy to get past our defences. Attackers target the multiple devices we own nowadays, i.e. laptops, smartphones, tablets, by stealing or manipulating them…

Thus, welcome to the dilemma of fractal defence. We need you to help protect CERN! We should at least get the basic defences right:

  • Protect your computers: any unprotected computer connected to the Internet is likely to be infected within minutes. Keep your system up-to-date, use anti-virus software (provided for free by CERN), do not install untrusted software and lock your screen with a password when you leave your office.
 
  • Be careful with e-mail and the web as cybercriminals are trying to trick you. Stop - think - click: do not open unexpected or suspicious e-mails or attachments and do not install untrusted plug-ins.
 
  • Protect your passwords: exposing them might lead to abuse of your computing account. Never share your passwords with anybody. A good password should be hard to guess and not found in any dictionary. Do not reuse old passwords and have different ones for different purposes or for different sites. Change them all regularly as they might have been exposed without you knowing it.
 
  • Protect your data. Restrict access to your documents and folders, and follow the principle of least privilege: ensure that only people who need to access your files and data can do so. 


Finally, make “computer security” a small part of your daily life - here at CERN as well as at home! Try to subconsciously think of doing IT the secure way whenever you touch a keyboard, mouse or touchscreen. Remember that in the open academic environment of CERN, “computer security” has been delegated to you. You are, in the first instance, responsible for the security of the laptops, smartphones and PCs that you use, your accounts and passwords, your files and documents, the programs and applications you have installed or, particularly, those you have written, and the computer services and systems you manage. The Computer Security team is ready to help you assume this responsibility. Alternatively, you can turn to the IT department, which provides a multitude of secured computing services.


For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.

Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report


Access the entire collection of Computer Security articles here.

by Stefan Lueders, Computer Security Team