Dan Kaminsky is challenging the information security world to move past the assumption that there is an inherent tradeoff between security and performance.
During his keynote at the Black Hat security conference Wednesday, the chief scientist for White Ops Security called on researchers, engineers and lawmakers to rethink what is possible with the internet and work toward making things work simpler and more secure at the same time.
“We need to fix this stuff or we’re going to lose it,” Kaminsky told FedScoop during a preview of his address earlier this week. “I think a lot of it comes from a perception of nihilism, that there’s nothing we can do to make things better. I’m out to prove everyone wrong or give people some hope that there are actually technologies and approaches and work that can be done here.”
Kaminsky, best known for his work related to uncovering a large flaw in the domain name system hierarchy, highlighted a number of high-level projects he has been working on over the past year that take security and performance into account.
One is IronFrame, a web browser modification that allows users to safely interact with e-commerce or online payment systems without the need for third-party authentication platforms like OAuth.
With protocols like OAuth, “you go to buy something with PayPal, and then you have to log in to Google, so you have to go to Google,” Kaminsky said. “This is actually terrible design and everybody knows it. The only reason we do it is because it’s horrifyingly insecure if there is just a button you could press on a webpage that could process money.”
Kaminsky’s IronFrame project led him experiment with developing Autoclave, a security-focused browser that could be accessed via the cloud, giving users the ability to have a secure web experience without sacrificing performance.
“You go to the cloud in your browser, and inside that one, another [browser] pops up, and that’s the browser you actually use,” he said. “The big question I had is how in the heck do I do this safely. If I am giving people a browser, I’m basically giving people an entire computer to own.”
In the process of figuring out whether this cloud-based browser could be safe, Kaminsky wrestled with whether he could keep the virtual machines his browser was running on from hacking each other.
“Nobody has had a good answer to this question, and it’s an important question,” he said. “And what I realized is that I don’t have a good answer either.”
Through trial and error, Kaminsky found a way to run a Chrome browser in a Docker container, which is then running in a tightly configured virtual machine. The result was a Chrome instance that took very little code to run (the Google-run browser is notorious for taking up too much physical memory) while also preventing malicious actors from messing with the virtual infrastructure the browser sits on.
“It works the same, it develops the same, it’s exposed to the users the same, it’s close to the same performance, but it uses almost nothing,” Kaminsky said. “The reason that is, is because the Docker environment gets a kernel, but it gets its own kernel. I assume that the kernel will get hacked, and moment the hacker tries to do anything [to the Chrome virtual browser], the hacker is going to hit the jail cell.”
Moving away from ‘machine learning’
Another facet of security engineering Kaminsky wants to change is the perceived stigma surrounding “machine learning” — computers that are designed to make predictions based on massive amounts of data. While engineers, developers and researchers know the power that lies behind the practice, Kaminsky said that when the general public hears the term, it’s indicative of a dystopian scenario ripped out of some cyberpunk novel.
“People hear machine learning and say, ‘I don’t want a machine to be better than me at learning,’” he said. “Skynet! A.I.! Terminators going down the street! Don’t name something in a way that makes people think they are going to die.”
Kaminsky, who would rather refer to machine learning as “automated statistics,” says this practice needs to be simplified for users. He built his own engine that he hopes can one day evolve into just a button in Microsoft Excel that crunches data in the same way people use Hadoop clusters or visualization programs like Palantir or Tableau.
“All of [machine learning documentation] is written for other practitioners of machine learning that are focused on ‘How do I make an algorithm that makes the best predictions based on known data?’” Kaminsky said. “This is a different problem than what actual users have. Experts and users have totally different demands on their own field.”
Implementing machine learning into Excel could have benefits for security engineers, Kaminsky said.
“We have a lot more data than we know what to do with,” he said. “Maybe the computer can figure it out. Even in development, there is a bunch of times where you’d like to know ‘OK I need to reserve memory. How much? I don’t know.’ Well, if only there was a convenient piece of software that would take whatever data was lying around and try to predict the value you were looking for. If only that was a fundamental service of operating systems.”
Beyond the Code
Outside of rethinking technical approaches, Kaminsky said changing the way in which the security community and the federal government operate needs to change if things are going to improve. He points to the encryption debate as a prime example of how things have gone from caustic to what he calls “bizarre.”
“When I go out to D.C., people are speaking about the encryption debate as security vs. privacy,’ he said. Security experts ‘are lumped in as these privacy nuts and ‘security’ is somehow redefined as America’s ability to hack into whatever it wants. The debate about encryption is taking the oxygen away from what are we actually going to do to make this communication medium and economic engine still run.”
He is a big proponent of the model in which the government would set up a research wing for cybersecurity, similar to the role that the National Institutes of Health serves for medicine.
“We don’t have ‘the guy’ who works on cancer,” he said. “We have institutes, and organizations, and budgets, and plans.”
Beyond medicine, Kaminsky said this current moment in history is reminiscent of the early 20th century era where people worked to prevent fires from decimating sections of large cities.
“We didn’t stop cities from burning by making fire illegal,” he said. “We did the engineering. We figured out building codes. There’s developers, people teach them things, they learn best practices and you want the output to be safe, secure and usable.”
“There’s a bunch of things you want. So figure out how to actually get that,” he continued. “We do a lot of saying, ‘You should just do it that way.’ No! Let’s find out! This is one of the most important sectors of our economy. We need much more organized and hopeful research.”