Tuesday, July 02, 2013

Persistently Insecure Endpoints

Our biggest "cyber security" problem is one of persistently insecure endpoints. The reason we have persistently insecure endpoints is that they can't be made secure, no matter who writes them, who checks programs for viruses, etc.
All of them run a program within the context of a user's permissions, leading to the possibility of privilege escalation. SELinux tries to fight this by locking down each program, but even that approach has some strong limitations.
To be able to securely run a program on any operating system, you need to be able to specify the side effects you're willing to allow before running the program. This is the reason that functional programming is getting so much attention at the application level.
The IBM VM system was among the first to provide such an environment, back in 1972. (I'm sure someone will dig up an earlier system.) The reason that VM systems can be secure is that when you set up a virtual machine, you specify all the things it's allowed to use and to change. It can only affect its own disk space, etc.
Modern systems such as VMware also offer the possibility of real security, but at such a coarse level of granularity that it's unlikely to be used in this manner. The only system on the horizon that offers a way out (as far as I can see) is the Genode project, which is a full-on capability-based system built upon your choice of secure kernel.
This whole cyber-war mess can be shut down if folks wake up and start acting in a manner to fix things... otherwise, prepare to be serfs to our corporate lords and masters.
