Saturday, December 31, 2005

Why we can't trust NGSCB

Microsoft is working hard to secure computing, but their approach is one of total lockdown... and doesn't handle one very big problem in the world of software... bugs.

While it's possible that they will be able to attest with a degree of certainty that a given computer is running with known hardware and known software in a known state... it doesn't handle the unknown... bugs in "trusted" applications that haven't been disclosed.

Even the most paranoid software authors make mistakes and bad assumptions; bugs will always be with us. All it takes is one small crack in the code, and your "trusted application" gets compromised. The all or nothing approach doesn't limit the actions of the code, just access to it.

Capabilities allow even malicious code to be run because you don't have to trust it. You limit your trust to the operating system kernel. This is a much smaller attack surface to defend, and one that would be common to all users, and thus get the most eyeball-hours.
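The capability idea above, as an added example that is not from the original post (all class and function names are assumptions): untrusted plugin code is handed an attenuated, revocable handle to a resource rather than passing an up-front trust check, so a bug in the plugin can only do what that handle allows.

```python
# Object-capability style authority handling (illustrative; Python itself is
# not capability-safe, so real enforcement must come from the kernel or
# language runtime, which is exactly where the post says trust should sit).

class Resource:
    """Stand-in for a file or device with a write side effect."""
    def __init__(self, data: str):
        self.data = data
    def read(self) -> str:
        return self.data
    def write(self, data: str) -> None:
        self.data = data

class ReadOnly:
    """Attenuated capability: exposes read() only, no write() to reach."""
    def __init__(self, target: Resource):
        self._read = target.read  # hold the bound method, not the object
    def read(self) -> str:
        return self._read()

class Revocable:
    """Capability the granter can cut off after handing it out."""
    def __init__(self, target):
        self._target = target
    def read(self) -> str:
        if self._target is None:
            raise PermissionError("capability revoked")
        return self._target.read()
    def revoke(self) -> None:
        self._target = None

def run_plugin(plugin, cap):
    """Run untrusted code with exactly one capability; report the outcome."""
    try:
        return plugin(cap)
    except (AttributeError, PermissionError) as exc:
        return f"denied: {type(exc).__name__}"

def well_behaved_plugin(cap) -> str:
    return cap.read().upper()

def misbehaving_plugin(cap) -> str:
    """Constructed 'compromised' plugin: tries to overwrite the resource."""
    cap.write("owned")  # fails: the read-only facet has no write()
    return "wrote"
```

With a read-only facet the misbehaving plugin cannot touch the underlying data, and once the granter calls revoke() even the well-behaved plugin loses access.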

Whoever wins the race to get capabilities built into a real-world system first will get to set the direction of computing for the next 10 years.
