There is a lot of talk about an upcoming (ongoing?) “cyberwar” with Russia and China. I believe strongly that this "war" was lost in the 1970s, in a manner similar to the way we ended up with the Y2K problem. The scope of programs slowly shifted, and base design decisions haven’t been revisited adequately in the intervening decades.
Ambient Authority is a design decision which only appears once you have multiple users sharing a computer. In early computing environments, there were military, commercial, or academic constraints on the users, and it was sufficient to limit the programs to the authority of the user, so no change was needed, except for the provision of ACL (Access Control List) security, the kind where permissions are added to files and folders, in the form of who is allowed to access a given file.
ACL was deemed to be adequate, and as a result, everyone just kept using Ambient Authority without much thought. Fast forward 40 years, andl we find ourselves in a world of persistent networks, mobile code, no system administrators, and multiple layers of firmware and OS from various hardware and software vendors.
In such a system, any code runs with the full authority of the user who started the task, and the users have no effective means of limiting the side effects of running a given program. This in turn means we have to try to guess the intent of code (which is equivalent to solving the halting problem, and is thus impossible). The band-aid is to then try to enumerate all the bad code in the world (virus scanners), and to enumerate all the code bugs in all our programs (security updates), and to eliminate the trust of users (DRM, forced updates, "safety" filters in our browsers). None of these band-aids will work against a determined individual, let alone a nation-state.
Running tasks with the least possible privilege, the "Principle of Least Authority" (POLA) allows a user in such a system to decide ahead of time exactly what files the program is allowed to read, write, etc. Because we're all used to dialog boxes, and drag to drop GUI elements, this doesn't even require any special training of users to accomplish.
Of course, rebuilding our infrastructure to fix a design flaw of the size and scope of using 2 digit years (the Y2K problem we once faced), isn't going to be easy... especially when there's no deadline to make the need for action obvious. It's just going to remain an insidious vulnerability instead for decades to come.
If you think EAL certifications address this, they don't. 8(
No comments:
Post a Comment