Wednesday, January 19, 2011

25 years of insecurity

It's been 25 years since the first computer virus, and we still haven't learned our lesson.

It's possible to build an operating system which is both secure and usable, by changing one fundamental assumption underlying everything. It's one of the most frustrating aspects of computing, but most people don't understand the problem, and thus can't properly evaluate the quality of the solutions offered to date.

How we got here

Windows, Linux and Mac OS X are all based on a security model called "Default Permit". This means that unless something is explicitly blocked (by a virus scanner, for example), it is allowed to run.

Now, on the face of it, this is the obvious way that computers should work. Who would want to make it harder to run a program? After all, it is our computer, and it should do what we want, right?

It's when you consider what that program is allowed to do that the situation starts to get interesting. A computer program can do anything you are allowed to do, on your behalf. If you can access your passwords, so can the program you just launched... if you can send an email, so can the program you just launched, etc.

Adding further complexity is the fact that there are a number of system services running at any given time which are supposed to have privileges beyond those normally allowed to the user, and these programs can be misled into mischief.

Any running program runs unbelievably quickly, and it can try to do all sorts of things in the blink of an eye... so if there are any holes in security, it can exploit them without you noticing. This forces you to trust any program you run to do exactly what it says it will do.

In response, for the past 25 years we've grown accustomed to virus scanners, spyware scanners, firewalls, and any number of filters to try to stop bad programs, but they don't work perfectly, and in fact, they never will.

Now there are literally billions of computers all networked together, each with its own set of imperfectly protected, exploitable resources: a vast ecosystem, if you will, waiting to be exploited, and it is being exploited. On the global level, there are entire socioeconomic systems which have grown to exploit the weaknesses in our computers for financial gain.

The fact that our filters and firewalls are imperfect leaves us with a choice... security or usability.

I strongly believe this is a false choice, and there is a better way.

CABsec - A better way

If the security model is flipped 180 degrees, to default deny... security becomes a problem which can be solved. I call it CABsec (CApability Based SECurity), so Google can find it in the future.

The basis of CABsec is that at the time a program or process is to be run, a list of capabilities is supplied to the operating system with it. Just like we have icons on our desktops which are shortcuts to programs, this list could be similarly supplied and default to a reasonable range of actions. The typical user wouldn't even need to be aware of it, in most cases. Usability is not affected.

Every system process can be similarly equipped with a list of privileges. It's not necessary for a file system to access the internet, for example... which means there is no possibility of the file system driver process being misled into leaking information to the internet. In a similar manner, properly configured system processes can each be locked down to provide bulletproof security.

This leaves the user with a system which can actually enforce its rules in a secure manner, without the possibility of being broken by a rogue application. The user is provided with a system which could then allow them to specify that their accounting program may access one specific folder. The program would never be able to access anything else (like the internet, for example)... so it would be self-contained and secure.
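As an added illustration (not code from the post), here is a toy Python model of the launch-time capability list described above: a process is handed capabilities when it starts, and the simulated OS denies any file or network action not covered by them. The folder path, host name and file names are constructed for the example; the ".." handling shows why a folder capability must be checked against a canonical path rather than a string prefix.

```python
"""Toy model of CABsec: a program is launched with a capability list and the simulated
OS denies every file or network action the list does not cover (default deny)."""
from dataclasses import dataclass
from pathlib import PurePosixPath

class CapabilityError(PermissionError):
    """The process holds no capability covering the attempted action."""

@dataclass(frozen=True)
class Capability:
    kind: str          # "file" or "net"
    scope: str         # directory prefix for files, host name (or "*") for net
    rights: frozenset  # e.g. {"read", "write"} for files, {"connect"} for net

def _canonical(path: str) -> PurePosixPath:
    """Resolve "." and ".." lexically so "/home/acct/books/../.ssh" cannot pass a prefix check."""
    parts = []
    for p in PurePosixPath(path).parts:
        if p == "..":
            if parts and parts[-1] != "/":
                parts.pop()
        elif p != ".":
            parts.append(p)
    return PurePosixPath(*parts) if parts else PurePosixPath("/")

def os_open(caps: tuple, path: str, mode: str) -> str:
    """Simulated open() syscall: allowed only if a file capability covers both path and mode."""
    target = _canonical(path)
    for cap in caps:
        scope = _canonical(cap.scope)
        if cap.kind == "file" and mode in cap.rights and (target == scope or scope in target.parents):
            return f"fd:{target}"
    raise CapabilityError(f"no capability to {mode} {target}")

def os_connect(caps: tuple, host: str, port: int) -> str:
    """Simulated connect() syscall: allowed only if a net capability names the host (or "*")."""
    for cap in caps:
        if cap.kind == "net" and "connect" in cap.rights and cap.scope in (host, "*"):
            return f"sock:{host}:{port}"
    raise CapabilityError(f"no capability to connect to {host}:{port}")

def attempt(fn, caps: tuple, *args) -> str:
    """Run a simulated syscall and report "ALLOW ..." or "DENY ..." instead of raising."""
    try:
        return "ALLOW " + fn(caps, *args)
    except CapabilityError as exc:
        return "DENY " + str(exc)

# Constructed example: the post's accounting program gets one folder, read/write, and nothing else.
ACCOUNTING = (Capability("file", "/home/acct/books", frozenset({"read", "write"})),)
```

A default-permit launcher would amount to handing every process a file capability on "/" and a net capability on "*"; the ACCOUNTING tuple is what the post's per-program list replaces that with.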

Such a system would never need a virus scanner, because it would never trust a program, and thus a program couldn't go rogue.

A virus would find itself like the Greeks inside the Trojan horse, discovering that the horse had been sealed inside a layer of bulletproof glass... they could never escape to do their mischief.

It's a big project to get a CABsec system built... I thought it would have already happened; there have been hints of it with things like Midori at Microsoft, but they never pan out. I'm doing my own little bits of work promoting capabilities and least privilege. I'm hoping that this leaves you with a better understanding of what can be done, and a better way forward.


Anonymous said...

Dear sir,

The functionality you idealise and search for fruitlessly in Microsoft operating systems has several production-quality competing implementations in the Linux software ecosystem, and possibly even in other Free operating systems. Notably SELinux and AppArmor, the latter supported by Ubuntu.

You have good ideas and initiative, but you need to get yourself in touch with the state of the art in order to provide the meaningful contributions you seem so eager to create.

Microsoft is not a player in the secure systems arena for a wide variety of bad architecture decisions that hinder any work in that area. I strongly encourage you to become knowledgeable about Linux and possibly start contributing to one of the existing solutions that have implemented what you describe and gone further yet.

Best of Luck.

Mike Warot said...

SELinux is a step in the right direction, but it does not protect the kernel, and there is a lot of code in the Linux kernel.
It's optional security, and not baked in all the way, thus it still leaves chinks in the armor.

Linux is not a player in the secure systems arena either, because it is not a microkernel based system, such as L4/Mach.

While I appreciate that you might be convinced that Linux is more secure than Windows, this is more to do with the relative populations of the systems available as targets on the internet, and less about the actual quality of code.

They all are default-permit, and thus subject to the flaws therein.

Anonymous said...

I am the same anonymous as before. Could you elaborate on the chinks you see in SELinux armor? I am curious about what you have observed. AppArmor has seen more recent use mostly due to support from Novell and Ubuntu, and ease of use.

I did not mean to say Linux is unique in any way. Several other free operating systems are comparable and several commercial UNIXes are as well. Together they are the backbone of most of worldwide secure systems, both in the military and in financial institutions. The Microkernel quality of an OS has little bearing on its security. Microkernel designs have proven troublesome performance-wise and have seen little use because of it. As such, they are fundamentally untested and by definition insecure.

The several different versions of Windows have been, without doubt, the most battle-tested OS out there; the problem is that it failed the tests. Linux has seen similar testing due to its server popularity, especially as a platform for Apache.

Your soundbite about the relative populations has allowed many to deceive themselves for years as the Windows environment collapses in viruses and rootkits, allowing the existence of vast botnets which dwarf modern state supercomputers. Do not swallow this Microsoft line unthinkingly. What Microsoft fails to remark is that Linux has a much bigger share of servers, if not desktops, and as such is present at higher value targets whose security has yet failed to collapse in spite of many years of usage.

As you will find out if you keep researching default-deny, a lot of the problem is the completeness of the permissions, because all allowed tasks must be represented for them to be permitted, as opposed to default-allow.

AppArmor et al. allow you to focus on that and skip the whole part about implementing such a system in a fundamentally insecure platform. You can, of course, continue to pretend these solutions do not exist, so that Windows can still seem relevant in security terms for a less informed reader. You might, however, be called on it, and I salute you for approving my comments.

Mike Warot said...

AppArmor is a step in the right direction, as it at least attempts to set up a mechanism for untrusted applications. However, the foundation of Linux is a monolithic kernel, and there is tons of stuff (mostly drivers) in there all running in kernel mode. Any code running in that mode is subject to a possible hijack via stack overflows, etc. AppArmor is thus based on a foundation built in sand... it can be subverted from within.

Windows is far worse when it comes to the amount of stuff running in kernel mode, so it's far less likely to ever be secure. I have no delusions about Windows, and haven't swallowed the Microsoft Kool-Aid.

As for the speed of MicroKernels, they can be fast, and efficient. It doesn't have to be slow.

I just found out about OKL4, which is a system based on a "proven" kernel. They have a VMware-based, Linux-hosted development environment, and I'll start exploring that.