David Rogers continues his blog series on cybersecurity and the lessons we can apply to future security from history.
The city walls of York
Source: David Rogers
In my previous blog, I talked about how expensive defences can be subverted by a determined and clever adversary. This time I continue the theme of access, but consider the problem of confusion.
In considering the story in the last blog, I was thinking about whether the carpenter’s entry into Conwy Castle should be classed as what is known in the technology world as a ‘confused deputy attack’ (it isn’t). The classic web example is cross-site request forgery (CSRF): the attacker tricks the victim’s browser, which already carries the victim’s logged-in session, into sending a request the website then honours as though the victim had made it. The browser is the confused deputy, lending the attacker an authority the attacker never had.
Keeping enemies out
Another example from history can better explain the concept of a confused deputy attack. Firstly, a bit of background. There are many stories in the UK of historic laws and bylaws dating from medieval times that give an insight into how towns controlled access by people they considered to be “enemies”. Some of these are true and others are mere rumour. For example:
- “Welsh people were allowed to enter the towns by day but kept out at night and forbidden to either trade or carry weapons”
- “In the city of York, it is legal to murder a Scotsman within the ancient city walls, but only if he is carrying a bow and arrow”
- “In Carlisle, any Scot found wandering around may be whipped or jailed”
- “Welshmen are prohibited from entering Chester before the sun rises – and have to leave again before the sun goes down”
- “It is still technically okay to shoot a Welshman on a Sunday inside the city walls – as long as it’s after midnight and with a crossbow”
As a note, the Law Commission looked into some of these stories and clarifies that:
“It is illegal to shoot a Welsh or Scottish (or any other) person regardless of the day, location or choice of weaponry. The idea that it may once have been allowed in Chester appears to arise from a reputed City Ordinance of 1403, passed in response to the Glyndŵr Rising, and imposing a curfew on Welshmen in the city. However, it is not even clear that this Ordinance ever existed. Sources for the other cities are unclear.”
In York, however (a northern English city whose walls were built to keep the Scots out), we do know that a door knocker was installed in 1501 at Bootham Bar, one of the entrances to the city. Scotsmen who wanted to enter had to knock first and ask permission from the Lord Mayor.
The confused deputy
We have to assume that the Lord Mayor himself was not there all the time to give permission in person and delegated the authority for checking whether someone could come in to the guards. The guards still had to come to him for sign-off though.
This is where we can explain the concept of the confused deputy more clearly. Imagine that there is a Scottish attacker who wants to get into York to cause some damage. He’s knocked on the Bootham Bar gate door knocker and convinced the guards he’s authorized because he tells them he’s there to do work (he succeeds in confusing them – they become the confused deputy, conferring trust on the Scotsman where there should be none). However, our attacker still has to gain authority – through the Lord Mayor himself.
The guards carry the message to the Lord Mayor that the Scotsman is legitimate and should be allowed to enter. The Lord Mayor assumes trust and authorizes our Scotsman to enter the city to do work.
The attacker didn’t need to convince the Lord Mayor at all; all he had to do was convince the guards and use them to obtain the authority he wanted. The Lord Mayor trusted his guards but would never have trusted the attacker, and he never sees him. This is how some website and technology attacks work: the attacker escalates his level of access via an unwitting, trusted agent who acts with its own standing authority. To avoid this, additional measures need to be in place for the Lord Mayor to independently validate that the Scotsman is not actually an attacker, rather than taking the guards’ word for it, before granting him any further authority.
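The gate scenario above, written out as an added example (this is not code from the original post; the Mayor, Guard and pass scheme are hypothetical). The vulnerable path has the Mayor act on the guard’s word alone, so the guard’s own standing trust is what admits the attacker. The hardened path has the guard relay whatever credential the visitor actually holds, and the Mayor verifies it himself, so a guard who has been talked round adds no authority of its own.

```python
# Added example, not from the original post: a minimal model of a confused
# deputy and one way to close it. All names and the pass scheme are hypothetical.
import hashlib
import hmac
import secrets


class Mayor:
    """The authority. Only the Mayor can admit someone to the city."""

    def __init__(self) -> None:
        # Secret used to issue and verify work passes (hypothetical scheme).
        self._key = secrets.token_bytes(32)
        self._trusted_guards = {"bootham-bar-guard"}

    def issue_pass(self, worker: str) -> str:
        """Issue a pass the Mayor can later verify without trusting anyone else."""
        tag = hmac.new(self._key, worker.encode(), hashlib.sha256).hexdigest()
        return f"{worker}:{tag}"

    def _pass_is_valid(self, credential: str) -> bool:
        worker, _, tag = credential.partition(":")
        expected = hmac.new(self._key, worker.encode(), hashlib.sha256).hexdigest()
        return bool(worker) and hmac.compare_digest(tag, expected)

    # Vulnerable: the Mayor acts on the guard's word alone. He never sees the
    # visitor, so `vouched_for` is deliberately ignored; only the guard's
    # identity is checked.
    def admit_on_guards_word(self, guard: str, vouched_for: str) -> bool:
        return guard in self._trusted_guards

    # Hardened: the guard may carry the message, but the Mayor validates the
    # visitor's own credential before granting anything.
    def admit_with_pass(self, guard: str, credential: str) -> bool:
        return guard in self._trusted_guards and self._pass_is_valid(credential)


class Guard:
    """The deputy: relays requests from the gate to the Mayor."""

    NAME = "bootham-bar-guard"

    def __init__(self, mayor: Mayor) -> None:
        self._mayor = mayor

    def relay_vulnerable(self, visitor: dict) -> bool:
        # A plausible story "convinces" the guard, who then vouches using its
        # own standing trust with the Mayor. This is the confused deputy.
        if visitor.get("story") == "here to do work":
            return self._mayor.admit_on_guards_word(self.NAME, visitor["name"])
        return False

    def relay_hardened(self, visitor: dict) -> bool:
        # The guard forwards only what the visitor actually holds; the story
        # is irrelevant and the Mayor decides.
        return self._mayor.admit_with_pass(self.NAME, visitor.get("pass", ""))


def demo() -> dict:
    """Run constructed visitors through both paths and report the outcomes."""
    mayor = Mayor()
    guard = Guard(mayor)
    # Constructed sample visitors: a genuine worker, an attacker with a good
    # story but no pass, and an attacker presenting a forged pass.
    worker = {"name": "angus", "story": "here to do work",
              "pass": mayor.issue_pass("angus")}
    attacker = {"name": "scot-raider", "story": "here to do work"}
    forger = {"name": "scot-raider", "story": "here to do work",
              "pass": "scot-raider:" + "0" * 64}
    return {
        "vulnerable_admits_attacker": guard.relay_vulnerable(attacker),
        "hardened_admits_worker": guard.relay_hardened(worker),
        "hardened_admits_attacker": guard.relay_hardened(attacker),
        "hardened_admits_forger": guard.relay_hardened(forger),
    }


if __name__ == "__main__":
    for outcome, admitted in demo().items():
        print(f"{outcome}: {admitted}")
```

The same shape appears in CSRF: the session cookie is the browser’s standing trust with the site, and an anti-CSRF token that the site issues and later verifies plays the role of the Mayor’s pass, something the attacker’s page cannot supply on the victim’s behalf.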
One concern about chip-level attacks is that the vast majority of the communications inside the chip are not integrity checked or validated in any way. An attacker can abuse existing authorities to gain trust in other parts of the system. Changing this is going to be a long-term task for the industry as attacks become more sophisticated. In the meantime, we need to put in measures to be on guard and look for unusual activity going on, rather than automatically assuming everything within the ‘city’ is trusted; perhaps the technological equivalent of using a bow and arrow after sundown.
The next blog in the series considers what should happen when an anomaly is detected.
You may also be interested in joining our forthcoming webinar, co-hosted by David Rogers and UltraSoC CSO Aileen Ryan, on ‘The Future of Hardware Security – How history can help’, on 20th November 2019. Please click here to find out more and to register your place.