Tuesday, June 05, 2018

I have a dream, the Capability Based Security version

I have a dream, that one day, we shall have secure general purpose computing. We shall no longer need virus scanners, we shall no longer have multiple gigabyte “security updates”, and we shall no longer fear to click on a link, or try out a program… I have a dream.
General purpose computing needs to be secured, this will fix IoT as a secondary effect. There’s not enough money in small gadgets to do this the other way around. We fix IoT security the same way we fix workstation security, by deploying operating systems that don’t lubricate applications in a sea of authority, with all the explosive results.

There are operating systems that default to NO permissions what so ever, and yet are capable of getting things done. Linux, Windows, Mac OS all work by letting applications do whatever the user is allowed to do… which is pretty much anything and everything. IOS and Android attempt to sandbox off a bit of this, but still assume they can open any file, do anything, within the sandbox… over time the sandbox has more holes poked in it to let more “features” happen, and make it more porous.

Capability based security, it’s not a silver bullet, but it can fix general purpose computing, and solve IoT security as a side benefit.

No comments: