Beyond Thin Clients: Limiting Cybersecurity Vulnerabilities
September 2012
Topics: Computer Security, Information Security Risk Management, Network Security, Cloud Computing, Safeguard and Secure Cyberspace
In August 2011, security researchers uncovered cyber thieves using the Zeus Trojan to steal online banking credentials. The hackers illegally transferred thousands of dollars at a time, totaling nearly 1 million dollars over the course of a month. Since attacking the bank directly is difficult, the criminals targeted the weakest link in the chain: the customers. Research at MITRE on Secure Remote Peripheral Encryption Tunnels (SeRPEnT) could make it extremely difficult for attackers to be so lucky, with huge potential benefit to government sponsors facing similar challenges.
Increasingly, cyber adversaries have been targeting customer systems for the same reasons that make client systems a powerful and useful tool. Their feature-rich environment is so complex it presents hackers with multiple points of vulnerability. Securing client systems is a never-ending challenge because designers are constantly adding new features and capabilities to them. And users interact with servers all around the world, offering hackers many doors to sneak through.
Traditionally, security engineers focused their efforts on securing the servers that hosted the information cyber thieves were after. The limited scope of server capabilities—system administrators do not browse the Web or read email on their servers—limits the entry points for a cyber-attack. However, servers need to interact with their users. This connection between the server and the user, the connection where the client system resides, is where cyber criminals have shifted their attack.
As the complexity of client systems grows, so does their vulnerability. Client systems often host so many capabilities that it becomes impossible for security system designers to test and secure every combination of software interaction. Security experts describe a client system with a complex software interface as "having a large attack surface." Like a battleship, the more expansive a system is, the more "armor" it needs to protect every weakness. Limited developer resources might mean that the armor is stretched very thinly at some junctures. Add too much armor, however, and the system loses agility.
Cloud computing offers some promise for reducing a client system's attack surface and the resources needed to secure it.
With cloud computing, data is stored in a third-party server (much like mainframe computing worked in the past). The client system for a cloud server could be designed with minimal complexity (a "thin" client), making for a minimal attack surface. However, most users have "thick" clients driven by the decreased cost of owning powerful computers. Transforming a thick client into a thin client for the short duration of accessing a cloud service can be a huge win. Making that attack surface thinner than a thin client's would be even better.
Researchers, including those at MITRE, are investigating new kinds of thin-client technologies. We thought about what components of the thick client would need to be trustworthy for most uses, and then we designed an external hardware system to supply those components. SeRPEnT extends the minimal attack surface of the thin client from the server all the way to the fingertips of the user. Normally when a computer joins a computer network, it brings everything but the kitchen sink. Instead, SeRPEnT allows just the necessary components into the fold. SeRPEnT's tunnel has a very limited attack surface compared to the client computer, even at its open end where the user sits. Users plug their input devices into SeRPEnT, which then provides a trusted path to the server.
To improve client system security, we adopt a "small-surface" philosophy—compartmentalizing systems into smaller subsystems and securing them independently. That way a security breach in one subsystem does not compromise the whole system. So instead of trying to secure the system as a whole, you can separate it into individually secured parts. Then when users want to interact with outside services, they are risking only a small part of their system in the connection.
Following the small-surface philosophy, MITRE's goal is to fundamentally redesign the way servers interact with client systems. By creating a much smaller attack surface and stretching the capabilities of a limited set of client system functions, SeRPEnT sends data where the user wants, not where a cyber adversary wants. As companies such as Google and Facebook experiment with customers using their cell phones—which hold a vast amount of personal data—as portable client systems, keeping hackers at bay will become more crucial than ever.
—by Scott Dyer and David Weinstein