Copyright notice:
The following content comes from the WeChat public account "EOS技术爱好者" (EOS Tech Enthusiasts); search "EOSTechLover" to subscribe. Translated by Lochaiching. Reposts must retain this notice. Only reposting of the original text is authorized.
The original article is at https://financialcryptography.com/mt/archives/000991.html and was translated by this account, "EOS技术爱好者".
Recently, Ian returned to the topic of security modelling and posted the following (shown as a Twitter screenshot in the original article):

Which translates as:
"Within two years, for the major attacks against the public interest, the count of reverse-engineered vulnerabilities went from 6 million to under a week."
OODA (Observe, Orient, Decide, Act) is an attack model: in short, if you react faster, you win.
Let's look at what Ian wrote about security modelling 11 years ago.
Why Security Modelling doesn't work -- the OODA loop of today's battle
Author: iang
Published: 2007-12-30
I've been watching a security modelling project for a while now, and aside from the internal trials & tribulations that any such project goes through, it occurs to me that there are explanations of why there should be doubts. Frequent readers of FC will know that we frequently challenge the old wisdom. E.g., a year ago I penned an explanation of why, for simple money reasons, you cannot build security into the business from the early days.
Another way of expressing this doubt surrounding Security Modelling is by reference to Col. Boyd's OODA loop. That stands for Observe, Orient, Decide, Act, and it expresses Boyd's view of fighter combat. His thesis was that this was a loop of continuous cycles that characterised the fighter pilot's essential tactics.
Two things made it more sexy: firstly, as a loop, he was able to suggest that the pilot with the tighter OODA loop would turn inside the other. This was a powerful metaphor because turning inside the enemy in fighter combat is as basic as it gets; every schoolboy knew how Spitfires could turn inside Messerschmitt 109s, and thus was won the Battle of Britain.
Obviously things aren't quite so simple, but this made it easy to understand what Boyd was getting at. The second thing that made the concept sexy was that he then went on to show it applied to just about every form of combat. And, that's true: I recall from early soldiering lessons on Soviet army doctrine that the russkies could turn their defence into a counter-attack faster than our own army could turn our attack into a defence. At all unit sizes, the instructors pointed out.
Taking a leaf from Sun Tzu's Art of War, the OODA loop concept may also be applied to other quasi-combat scenarios such as security and business. If we were to translate it to security modelling, we can break the process simply into four phases:
threat modelling
security modelling
architecture
implementation & deployment
To do it properly, each of these phases is important. You can't skip them, says the classical wisdom. We can agree with that, at a simple level. Which leaves us a problem: each of those phases costs time and effort.
A proper threat model for a medium-sized project should take a month or so. A proper security model, I'd suggest 3 months and up. The other two phases are also 3 months and climbing, with overruns. So, for anything serious, we are talking a year, in total, for the project.
Now consider the attacker. Today's aggressor appears very fast. So-called 0-day viruses, month-long migration cycles, etc. A couple of days ago, there was this report that talked about Storm's and Son-of-Storm's ability to migrate dynamically: "what emerges is a picture of a group of skilled, professional software developers learning from their mistakes, improving their code on a weekly basis and making a lot of money in the process."
Which means that the enemy is turning in his OODA loop in less than a month, sometimes as quickly as a day. Either way, the enemy today is turning faster than any security model-driven project is capable of doing.
What to do? Adolf Galland apocryphally told Reichsmarschall Göring that he could win the Battle of Britain with a squadron of Spitfires, but he was only behind by a few percentage points. In security terms we are looking at an order of magnitude, at least, which seems to lead to two possible conclusions: either your security model results in perfect security, there are no weaknesses, and it matters not how fast the enemy spins on his own dime. Or, classical security modelling is simply and utterly too slow to help in today's battle.
We need a new model. Now, this isn't to say "stop all security modelling." Even in the worst case, if the technique is completely outdated, it will remain a tremendously useful pedagogical discipline.
Instead, what I am suggesting is that the conventional wisdom doesn't hold up to scrutiny; something has to break. Whatever it is, security modelling is likely to have to change its practices and wisdoms if it is to survive as the wisdom of the future.
Quite dramatically, indeed, as it possibly needs to achieve a 10-100 fold increase in its OODA loop performance in order to match the current enemy. In other words, a [revolution](https://en.wikipedia.org/wiki/Messerschmitt_Me_262) in security thinking.
The images in this article are Twitter screenshots.