Thursday, August 18, 2011

Yet another story about security

Not long ago, managed code was supposed to save computer security. I believe it solves the wrong problem, and I think this story will help explain why. Imagine this bizarre scenario:

You wish to purchase a bottle of coke at the 7/11.

So you get to the check out counter, with the bottle of coke you wish to purchase.
You put yourself into suspension so that the clerk can...
  • Find your wallet, get money out, put all but $2.15 of it back in
  • Prepare your receipt
  • Wake you back up
  • Hand you the receipt

Imagine that you grew up in a world where this was normal behavior. Sure there were some dishonest clerks, but those were few and far between. Enough people eventually complained that they started a list of bad clerks, so you could check to see if the clerk was on the list before you decided to make a purchase.

Problem solved, right? WRONG...

  • What if someone tricks the clerk while you're in suspension?
  • What if they make a mistake?
  • What if they have an accident?
  • What if they just decided to turn evil, and aren't in the bad clerk list yet?

This bizarro world is almost precisely how we do things with computers. Instead of ourselves, it's our computer account, and instead of the clerk, it's a program we're about to run: whatever the program does while it runs, it does with every permission our account has.

Now... look at how we do things in the real world...

When you buy a coke at the 7-11, you take your coke to the register, then you
  • Offer a form of payment, let's say $5.00
  • Get change and a receipt
Because you decide the form and amount of payment you offer, you decide the amount you risk. The worst that can happen is that you get the wrong change back.

The side effects are limited BEFORE you decide to make the payment.
It's immediately obvious whether you have completed the transaction.
There is no possibility of bizarre side effects, like having your living room painted Slurpee blue because 7-11 decided to offer a new feature.

Why not have the operating system do its job and enforce a scenario like this...

You have a program you'd like to run
  • Make a list of resources the program should be able to access
  • Specify read, write, or modify access for each of those resources
  • Present the list, along with the program, to the operating system, for execution
  • Enjoy the results
Since the operating system is the ultimate provider of access to resources on the computer, it can fairly and reliably check whether each access should be granted. If a resource isn't in the list, the program will NOT get access to it, no matter what permissions the account running it has.
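The resource-list model above, as a runnable toy reference monitor. This is an added example, not code from the original post: a program is launched with a list of grants and can only obtain file handles through the sandbox, which denies anything not on the list. The names `Sandbox`, `Grant`, `grant()`, `run_sandboxed()` and `demo()` are assumptions made here, as is the mapping of `open()` modes onto the post's read/write/modify vocabulary; the demo constructs its own input files in a temporary directory.

```python
# Added example (not from the original post): a toy reference monitor that
# enforces the "resource list" model above. Sandbox, Grant, grant(),
# run_sandboxed() and demo() are names assumed here for illustration.
import os
import shutil
import tempfile
from dataclasses import dataclass

PERMS = {"read", "write", "modify"}

class AccessDenied(PermissionError):
    """The program touched a resource that is not on its list."""

@dataclass(frozen=True)
class Grant:
    path: str         # absolute, normalised; a directory grant covers everything beneath it
    perms: frozenset  # subset of PERMS

def grant(path, *perms):
    unknown = set(perms) - PERMS
    if unknown:
        raise ValueError(f"unknown permission(s): {sorted(unknown)}")
    return Grant(os.path.normpath(path), frozenset(perms))

class Sandbox:
    """The list a program was launched with, and the check applied to every access.
    There is no "everything else" bucket: what is not on the list is denied."""
    # Assumed mapping from open() modes onto the post's read/write/modify vocabulary.
    MODE_TO_PERM = {"r": "read", "w": "write", "a": "modify", "r+": "modify"}

    def __init__(self, grants):
        self.grants = list(grants)
        self.log = []  # (path, perm, decision) for every attempted access

    def _matching_grant(self, norm):
        for g in self.grants:
            if norm == g.path or norm.startswith(g.path.rstrip(os.sep) + os.sep):
                return g
        return None

    def check(self, path, perm):
        # Normalise before matching so "/work/../etc/passwd" cannot ride a grant for /work.
        norm = os.path.normpath(path)
        g = self._matching_grant(norm) if os.path.isabs(norm) else None
        decision = "allow" if g is not None and perm in g.perms else "deny"
        self.log.append((norm, perm, decision))
        if decision == "deny":
            raise AccessDenied(f"{perm} on {norm} is not in the program's resource list")
        return norm

    def open(self, path, mode="r"):
        """The only way a sandboxed program obtains a file handle."""
        if mode not in self.MODE_TO_PERM:
            raise ValueError(f"unsupported mode {mode!r}")
        return open(self.check(path, self.MODE_TO_PERM[mode]), mode)

def run_sandboxed(program, grants):
    """Run `program` with exactly `grants`; return (its result, the access log)."""
    sb = Sandbox(grants)
    try:
        result = program(sb)
    except AccessDenied as e:  # a program that does not handle a denial simply stops
        result = f"terminated: {e}"
    return result, sb.log

def demo():
    """Constructed scenario: a receipt-writing program that also misbehaves."""
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "in"))
        os.makedirs(os.path.join(root, "out"))
        with open(os.path.join(root, "in", "price.txt"), "w") as f:
            f.write("2.15")

        def program(sb):
            with sb.open(os.path.join(root, "in", "price.txt")) as f:          # listed
                price = f.read().strip()
            with sb.open(os.path.join(root, "out", "receipt.txt"), "w") as f:  # listed
                f.write(f"coke {price}\n")
            attempts = [  # three things an allow-by-default OS would quietly permit
                (os.path.join(root, "in", "price.txt"), "w"),                  # wrong permission
                (os.path.join(root, "in", "..", "out", "..", "secret"), "r"),  # traversal out of a grant
                ("/etc/passwd", "r"),                                          # never listed
            ]
            denied = 0
            for path, mode in attempts:
                try:
                    sb.open(path, mode).close()
                except AccessDenied:
                    denied += 1
            return denied

        return run_sandboxed(program, [grant(os.path.join(root, "in"), "read"),
                                       grant(os.path.join(root, "out"), "write")])
    finally:
        shutil.rmtree(root, ignore_errors=True)
```

Two details matter in practice. The path is normalised before it is matched, so a grant for one directory cannot be turned into access to its parent with `..`, and the decision is made by the monitor rather than by the program, so a mistaken or malicious program cannot widen its own list. Linux's Landlock LSM gives a kernel-enforced file-system allow-list of this shape.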

The difference is subtle: granting everything by default, or denying everything by default. Windows, Linux and Mac OS all grant everything by default; a program you run gets every permission your account has. Perhaps it's time to reverse that decision.

