



The original article is at https://financialcryptography.com/mt/archives/000991.html; this translation is by the account "EOS技术爱好者".





Why Security Modelling doesn't work -- the OODA loop of today's battle




I've been watching a security modelling project for a while now, and aside from the internal trials & tribulations that any such project goes through, it occurs to me that there are explanations of why there should be doubts. Frequent readers of FC will know that we frequently challenge the old wisdom. E.g., a year ago I penned an explanation of why, for simple money reasons, you cannot build security into the business from the early days.


Another way of expressing this doubt surrounding Security Modelling is by reference to Col. Boyd's OODA loop. That stands for Observe, Orient, Decide, Act and it expresses Boyd's view of fighter combat. His thesis was that this was a loop of continuous cycles that characterised the fighter pilot's essential tactics.


Two things made it more sexy: firstly, as a loop, he was able to suggest that the pilot with the tighter OODA loop would turn inside the other. This was a powerful metaphor because turning inside the enemy in fighter combat is as basic as it gets; every schoolboy knew how Spitfires could turn inside Messerschmitt 109s, and thus was won the Battle of Britain.


Obviously things aren't quite so simple, but this made it easy to understand what Boyd was getting at. The second thing that made the concept sexy was that he then went on to show it applied to just about every form of combat. And that's true: I recall from early soldiering lessons on Soviet army doctrine that the Russkies could turn their defence into a counter-attack faster than our own army could turn our attack into a defence. At all unit sizes, the instructors pointed out.


Taking a leaf from Sun Tzu's Art of War, the OODA loop concept may also be applied to other quasi-combat scenarios such as security and business. If we were to translate it to security modelling, we can break the process simply into four phases:

  • threat modelling
  • security modelling
  • architecture
  • implementation & deployment



To do it properly, each of these phases is important. You can't skip them, says the classical wisdom. We can agree with that, at a simple level. Which leaves us a problem: each of those phases costs time and effort.


A proper threat model for a medium sized project should take a month or so. A proper security model, I'd suggest 3 months and up. The other two phases are also 3 months and climbing, with overruns. So, for anything serious, we are talking a year, in total, for the project.


Now consider the attacker. Today's aggressor appears very fast. So-called 0-day viruses, month-long migration cycles, etc. A couple of days ago, there was this report that talked about the ability of Storm and Son-of-Storm to migrate dynamically: "what emerges is a picture of a group of skilled, professional software developers learning from their mistakes, improving their code on a weekly basis and making a lot of money in the process."


Which means that the enemy is turning in his OODA loop in less than a month, sometimes as quickly as a day. Either way, the enemy today is turning faster than any security model-driven project is capable of doing.


What to do? Adolf Galland apocryphally told Reichsmarschall Göring that he could win the Battle of Britain with a squadron of Spitfires, but he was only behind by a few percentage points. In security terms we are looking at an order of magnitude, at least, which seems to lead to two possible conclusions: either your security model results in perfect security, there are no weaknesses, and it matters not how fast the enemy spins on his own dime. Or, classical security modelling is simply and utterly too slow to help in today's battle.


We need a new model. Now, this isn't to say "stop all security modelling." Even in the worst case, if the technique is completely outdated, it will remain a tremendously useful pedagogical discipline.


Instead, what I am suggesting is that the conventional wisdom doesn't hold up to scrutiny; something has to break. Whatever it is, security modelling is likely to have to change its practices and wisdoms if it is to survive as the wisdom of the future.


Quite dramatically, indeed, as it possibly needs to achieve a 10-100 fold increase in its OODA loop performance in order to match the current enemy. In other words, a [revolution](https://en.wikipedia.org/wiki/Messerschmitt_Me_262) in security thinking.




We are EOShenzhen









