It's been 25 years since the first computer virus, and we still haven't learned our lesson.
It's possible to build an operating system which is both secure and usable, by changing one fundamental assumption underlying everything. It's one of the most frustrating aspects of computing, but most people don't understand the problem, and thus can't properly evaluate the quality of the solutions offered to date.
How we got here
Windows, Linux, Mac OS-X, all are based on a security model called "Default Permit". This means that unless something is blocked (by a virus scanner, for example), it is allowed to run.
Now, on the face of it, this is the obvious way that computers should work. Who would want to make it harder to run a program, after all it is our computer, and should do what we want, right?
It's when you consider what that program is allowed to do, that the situation starts to get interesting. A computer program can do anything you are allowed to do, on your behalf. If you can access your passwords, so can the program you just launched... if you can send an email, so can the program you just launched, etc.
Adding complexity to the situation further is the fact that there are a number of system services running at any given time which are supposed to have privileges beyond that normally allowed by the user, and these programs can be mislead into mischief.
Any running program runs unbelievably quickly, and it can try to do all sorts of things in the blink of the eye... so if there are any holes in security, it can exploit them without you noticing. This forces you to have to trust any program you run to do exactly what it says it will do.
In response for the past 25 years, we've grown accustomed to virus scanners, spyware scanners, firewalls, and any number of filters to try to stop bad programs, but they don't work perfectly, and in fact, they never will.
Now there are literally billions of computers all networked together, each with their own set of imperfectly protected exploitable resources, a vast ecosystem, if you will, waiting to be exploited, and it is being exploited. On the global level, there are entire socioeconomic systems which have grown to exploit the weaknesses in our computers for financial gain.
The fact that our filters and firewalls are imperfect leave us with a choice.... security or usability.
I strongly believe this is a false choice, and there is a better way.
CABsec - A better way
If the security model is flipped 180 degrees, to a default deny... security becomes a problem which can be solved. I call it CABsec (CApability Based SECurity), so Google can find it in the future.
The basis of CABsec is that at the time a program or process is to be run, a list of capabilities is supplied to the operating system with it. Just like we have icons on our desktops which are shortcuts to programs, this list could be similarly supplied and default to a reasonable range of actions. The typical user wouldn't even need to be aware of it, in most cases. Usability is not affected.
Every system process can be similarly equipped with a list of privileges. It's not necessary for a file-system to access the internet, for example... which means the there is no possibility of file system driver process being mislead into leaking information to the internet. In a similar manner, properly configured system processes can each be locked down to provide bulletproof security.
This leaves the user with a system which can actually enforce it's rules in a secure manner, without the possibility of being broken by a rogue application. The user is provided with a system which could then allow them to specify that their accounting program access one specific folder. The program would never be able to access anything else (like the internet for example)... so it would be self contained and secure.
Such a system would never need a virus scanner, because it would never trust a program, and thus a program couldn't go rogue.
A virus would find itself like the Greeks inside the Trojan horse finding that the horse had been sealed inside a layer of bulletproof glass... they could never escape to do their mischief.
It's a big project to get a cabsec system built... I thought it would have already happened, there have been hints of if with things like Midori at Microsoft, but they never pan out. I'm doing my own little bits of work promoting capabilities and least privilege. I'm hoping that this leaves you with a better understanding of what can be done, and a better way forward.
- ▼ 2011 (35)
- ► 2010 (90)
- ► 2009 (56)
- ► 2008 (122)
- ► 2007 (73)
- ► 2006 (126)
- ► 2005 (50)