A Demonstration of the subversion threat : facing a critical responsibility in the defense of cyberspace
Loading...
Authors
Anderson, Emory A.
Subjects
Advisors
Irvine, Cynthia
Schell, Roger
Date of Issue
2002-03
Date
Publisher
Monterey, California. Naval Postgraduate School
Language
Abstract
This thesis demonstrates that it is reasonably easy to subvert an information system by inserting software artifices that would enable a knowledgeable attacker to obtain total and virtually undetectable control of the system. Recent security incidents are used to show that means, motive, and opportunity exist for an attack of this nature. Subversion is the most attractive option to the professional attacker willing to invest significant time and money to avoid detection and obtain a significant payoff. The objective here is to raise awareness of the risk posed by subversion so that the decision makers responsible for the security of information systems can make informed decisions. To this end, this work provides a complete demonstration of a subverted system. It is shown how a few lines of code can result in a very significant vulnerability. The responsibility to defend information systems cannot adequately be met without considering this threat. Addressing this threat gets to the very nature of the security problem, which requires proving the absence of something - namely, a malicious artifice. Several techniques for demonstrating security are shown to be inadequate in the face of this threat. Finally, a solution is presented with a proposal for future work.
Type
Thesis
Description
Series/Report No
Department
Computer Science
Organization
Identifiers
NPS Report Number
Sponsors
Funder
Format
xii, 57 p. ;
Citation
Distribution Statement
Rights
This publication is a work of the U.S. Government as defined in Title 17, United States Code, Section 101. Copyright protection is not available for this work in the United States.