Tuesday, March 02, 2010

Missing Capabilities, how we got here

Capability based security is an old idea. It has merit, but has been ignored in the mainstream for a long time. Just as it's easy to ignore small losses when the company is profitable, it's easy to ignore small problems with security when you only have a few machines in a network.

Now the game has changed. The internet has so many hosts connected to it that we are close to running out of addresses, and the massive pool of computing resources it represents, most of it poorly secured, makes an attractive target that is being actively exploited for criminal gain.

In the early days of home computing, there was no great need for security because the owner was the administrator. He typically was the programmer and sole user as well.

On the mainframe side of things, the work of the system administrators was to keep things running and to set up access controls that let users reach their required resources but not those of others. It was natural for the trust boundary to be drawn per user: if a user misbehaved, they were booted from the system. Users had no need to modify the operating system, so they had no permission to write to it. A user could not change the system state on a mainframe.

The advent of Computerized Bulletin Board Systems, which made file sharing easy, brought about a new threat: mobile code. Users of personal computers started to share and distribute programs. While it was now possible for a virus to spread from system to system, it was unlikely. The nature of CP/M and MS-DOS limited the damage, since they lacked multitasking, and in the days of slow and noisy floppy drives it was readily apparent when a program was accessing the disk. There was also the write-protect tab most users set to make sure their OS boot disk couldn't be accidentally erased.

The arrival of faster machines with hard drives and persistent internet connections raised the fertility of the target to the critical mass necessary for the rise of the virus. The lack of proper security tools was easy to overlook at the time, and people began to believe that certain practices (keeping a virus scanner current, not running programs from strangers) were sufficient to cover all cases.

Now we are in the age of machines so fast, and operating systems so complex, that it is almost impossible for even a technically oriented user to know exactly what programs their machine is running at a given point in time. The operating systems in this environment are a legacy of the mainframe era, where the boundary of trust lies with the user: every program a user runs carries the full authority of that user. Unfortunately, this is no longer a sane boundary. The user has many roles, each of which requires a different set of capabilities, and the programs cannot be trusted to stay within their roles. A capability-based system is needed to provide a new trust boundary, one that fits the conditions that have slowly arisen over the past 30 years of personal computing.
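To make the difference between the two trust boundaries concrete, here is a small added example (my code, not the post's). It contrasts an untrusted "plugin" that is handed a file name, and therefore the user's whole authority, with the same plugin handed an already-open, read-only file descriptor. The descriptor is the simplest capability most operating systems already provide: the kernel binds the rights to it when it is opened, and the holder cannot widen them. The plugin names, the scratch file and its contents are constructed for the example.

```python
"""
Added example, not from the original post: a POSIX file descriptor used as a
capability. The plugin functions and the scratch file are constructed here.

Assumption (mine, not the post's): 'ambient_plugin' and 'capability_plugin'
stand for the same untrusted code run two ways.
"""
import errno
import os
import tempfile


def ambient_plugin(path: str) -> str:
    """Untrusted code given a path name. The process carries the user's full
    authority, so it can reopen the file for writing and scribble on it, and
    it could equally open any other file the user can reach."""
    with open(path, "a") as f:
        f.write("tampered\n")
    with open(path) as f:
        return f.read()


def capability_plugin(fd: int) -> dict:
    """The same untrusted code given only a read-only descriptor. It can read
    what it was handed; a write attempt is refused by the kernel with EBADF,
    because the descriptor carries no write right and the holder cannot add
    one. There is no name here, so nothing else can be reached through it."""
    write_blocked = False
    try:
        os.write(fd, b"tampered\n")
    except OSError as e:
        write_blocked = e.errno == errno.EBADF
    os.lseek(fd, 0, os.SEEK_SET)
    data = b""
    while True:
        chunk = os.read(fd, 4096)
        if not chunk:
            break
        data += chunk
    return {"content": data.decode(), "write_blocked": write_blocked}


def demo() -> dict:
    """Constructed scenario: a scratch file with known content, run both
    plugins, and report what each was able to do. Observations are returned
    rather than printed so they can be checked."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "notes.txt")
        with open(path, "w") as f:
            f.write("original\n")

        # Capability style: the trusted caller opens the file with exactly the
        # rights the plugin needs and passes only the descriptor.
        fd = os.open(path, os.O_RDONLY)
        try:
            cap_result = capability_plugin(fd)
        finally:
            os.close(fd)
        with open(path) as f:
            after_cap = f.read()

        # Ambient style: the plugin gets the name, and with it the user's
        # authority over this file and every other one.
        ambient_plugin(path)
        with open(path) as f:
            after_amb = f.read()

    return {
        "cap_write_blocked": cap_result["write_blocked"],
        "cap_read": cap_result["content"],
        "file_after_capability_plugin": after_cap,
        "file_after_ambient_plugin": after_amb,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The point of the example is where the decision is made: in the capability version the caller decides what the plugin may do at the moment it hands over the descriptor, and the kernel enforces that decision; in the ambient version the plugin decides for itself, limited only by what the user as a whole may do. Real capability systems extend this discipline to every resource, not just open files, and remove the ambient routes (such as opening by name) that the Python process above still has.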


While capabilities have been slowly refined through years of work in academia and military applications, the time for wider deployment of this technology has arrived.

Thank you for your time and attention.
