BOX 2.4

Possible Points of Vulnerability in Information Technology Systems and Networks

An information technology system or network has many places where an operationally exploitable vulnerability can be found; in principle, a completely justifiable trust in the system can be found only in environments that are completely under the control of the party who cares most about the security of the system. As discussed here, the environment consists of many things—all of which must be under the interested party’s control.

The software is the most obvious set of vulnerabilities. In a running operating system or application, exploitable vulnerabilities may be present as the result of faulty program design or implementation, and viruses or worms may be introduced when the system or network comes in electronic contact with a hostile source. But there are more subtle paths by which vulnerabilities can be introduced as well. For example, compilers are used to generate object code from source code. The compiler itself must be secure, for it could introduce object code that subversively and subtly modifies the functionality represented in the source code. A particular sequence of instructions could exploit an obscure and poorly known characteristic of hardware functioning, which means that programmers well versed in minute behavioral details of the machine on which the code will be running could introduce functionality that would likely go undetected in any review of the code.

The hardware constitutes another set of vulnerabilities, although less attention is usually paid to hardware in this regard. Hardware includes microprocessors, microcontrollers, firmware, circuit boards, power supplies, peripherals such as printers or scanners, storage devices, and communications equipment such as network cards. On the one hand, hardware is physical, so tampering with these components requires physical access at some point in the hardware’s life cycle, which may be difficult to obtain. On the other hand, hardware is difficult to inspect, so hardware compromises are hard to detect. Consider, for example, that graphics display cards often have onboard processors and memory that can support an execution stream entirely separate from that running on a system’s “main” processor. Also, peripheral devices, often with their own microprocessor controllers and programs, can engage in bidirectional communications with their hosts, providing a possible vector for outside influence. And, of course, many systems rely on a field-upgradable read-only memory (ROM) chip to support a boot sequence—and corrupted or compromised ROMs could prove harmful in many situations.

The communications channels between the system or network and the “outside” world present another set of vulnerabilities. In general, a system that does not interact with anyone is secure, but it is also largely useless. Thus, communications of some sort must be established, and those channels can be compromised—for example, by spoofing (an adversary pretends to be the “authorized” system), by jamming (an adversary denies access to anyone else), or by eavesdropping (an adversary obtains information intended to be confidential).

Operators and users present a particularly challenging set of vulnerabilities. Both can be compromised through blackmail or extortion. Or, untrustworthy operators and users can be planted as spies. But users can also be tricked into actions that compromise security. For example, in one recent exploit, a red team used inexpensive universal serial bus (USB) flash drives to penetrate an organization’s



The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.
Terms of Use and Privacy Statement