Thursday, May 17, 2018

Ambient Authority - The Trojan Horse

“Secure Computing” - Isn’t. If it were, you’d be able to check your gmail and surf the web on a secure computer in a secure environment. No sane GS-15+ is going to let that happen any time soon, because they know better.
Ok, controversial statement up front, let me explain where I’m coming from, and defend that statement.
I’ve come to learn that there is a set of jargon used in “secure computing” that I really don’t know, and need to learn in order to communicate effectively with the crowd that uses it. There is also a different set of jargon used to describe capability-based security, which makes it even harder to convey what it is, and why it matters, to the people who really, really need it. So, forgive me if I oversimplify things a bit, and try to make this as plain-speak as possible.
There is a Trojan Horse hiding in every major operating system out there: Linux, Windows, Mac OS, and even (as far as I can tell from my civilian outsider view) the “secure” OSs. As far as I can tell, the major difference when it comes to “secure” computing is to carefully check the code for errors, audit and log the shit out of everything that happens, be very, very paranoid about what you let the user do.... and then hope the applications do what they say on the tin, every time.
The Administrators don’t trust the “dumb users” in civilian environments, and are rightly concerned with spies in the “secure” environments. Everyone is worried about the users, nobody worries about the code they run once it’s decided that it is safe to run. They trust the code, pretty much without thinking.
If a program wants to open a file, the programmer will write a line of code like this:
open("filename", O_RDONLY, 0)
If your operating system allows this, it isn’t secure. Why do you trust the program to randomly open files on the user’s behalf? Because it’s always been done that way, that’s why. It’s called “ambient authority” and it’s a trojan horse. Read up on it at Wikipedia here: https://en.wikipedia.org/wiki/Ambient_authority
Now, there is a safer way, one that doesn’t require more or different work on the user’s part:
Capability systems move the “dialog box” (file open) outside the application’s control, and hand the file handle (a “capability”) to the application, which can then use it as normal. This removes the need to trust applications with the ability to do anything the user can do... in other words, it removes ambient authority.
Changes for the user - The dialog boxes look a bit different, but they work pretty much the same. No government employee is required to learn something new.
Changes for programmers - Things are a bit different: they have to request capabilities instead of showing a dialog box and then opening the files themselves. Not a huge shift for them.
Changes for the OS - Things have to be re-written, if you want deep security, using a proven microkernel, etc.... but even Windows could be made secure, IMHO. (Not EAL7, though, never)
This subtle shift removes entire classes of attack from computing, and makes the world safer. We all need capability based computing.
Thank you for your time and attention.
