Saturday, June 09, 2018

We need to have a deep discussion about computer security.

I think that we need to have a very deep discussion about security. There are many folks who figure that things are just fine, and that the users, OS vendors, administrators, or some other "blame sink" are the problem. Things are not fine, not even just slightly broken; they are a ticking time bomb. We've built a civilisation on top of layer upon layer of code that is full of holes and should never be trusted.

I have a radical idea to sell... no product, no service, no profit for me. Please consider this idea, and don't reject it out of hand. If you find it appealing, just help spread it and refine it; you can leave me out of it for all I care.

Computer security can be fixed. The fix is expensive, because the flaw is in the foundational assumptions of what makes a good operating system, which means we have to rebuild from ground zero. Operating systems are supposed to fairly share the resources available in a computing device according to the policies set in place by the designers, administrators, and users. To do this, some assumptions are made, one of which is that a program, once set in motion by a user, should have the full authority of the user at its disposal at all times. This ambient authority is baked into everything out there, the trillions of lines of code running almost every device on the internet, and off.

Programs can be written in a different way, without the need for ambient authority. This is called capability-based security, and it also goes by some other names, including the principle of least privilege. There are historic examples of capability-based operating systems, like KeyKOS, which prove that it can at least be done. There is a project in Germany, the Genode project, which appears to be close to usable for building capability-based systems, though I haven't had my hands on it yet... it's getting close.

Capability-based secure systems don't even have to work differently for most users. Capability UX tools like a "powerbox" replace the file-open dialog box and the program's subsequent opening of the file: the trusted powerbox opens the file the user picked and hands the program only that file, giving the same results without the need for ambient authority.

Programs without ambient authority don't present a vector for the spread of malware. In fact, it might be possible to completely dispense with virus scanners, firewalls, and the whole mess of "security" software that we layer onto our PCs in an attempt to keep them safe.
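To make the contrast concrete, here is a small added model (my own illustration, not code from KeyKOS or Genode) of the two designs described above: one "editor" runs with the user's ambient authority and can open any of the user's files by name, while the other holds only the capability a powerbox handed it and cannot even name anything else. The file names, contents and process id are constructed.

```python
# Toy kernel contrasting ambient authority with powerbox-granted capabilities.
# Added illustration; USER_FILES and pid values are constructed sample data.
USER_FILES = {"report.txt": "quarterly numbers", "id_rsa": "PRIVATE KEY (constructed)"}

class Denied(Exception):
    """Raised when a process uses a capability slot it does not hold."""

class Kernel:
    def __init__(self, files):
        self._files = dict(files)  # the user's namespace: visible to kernel and powerbox only
        self._caps = {}            # pid -> {slot: file name}; slots are unforgeable handles

    # Today's model: any process started by the user may open any of the user's files.
    def ambient_open(self, path):
        return self._files[path]

    # Capability model: a process can only reach objects explicitly granted to it.
    def grant(self, pid, path):
        table = self._caps.setdefault(pid, {})
        slot = len(table)
        table[slot] = path
        return slot

    def read(self, pid, slot):
        table = self._caps.get(pid, {})
        if slot not in table:
            raise Denied(f"pid {pid} holds no capability in slot {slot}")
        return self._files[table[slot]]

def powerbox(kernel, pid, user_choice):
    """Trusted UI component: the user picks a file, the powerbox opens it on the
    user's behalf and hands the program a capability, never the namespace."""
    return kernel.grant(pid, user_choice)

def editor_with_ambient_authority(kernel, wanted):
    """Misbehaving 'editor': besides the document, it quietly reads other files."""
    return {p: kernel.ambient_open(p) for p in wanted}

def editor_with_capabilities(kernel, pid, slots_to_try):
    """Same misbehaving logic, but it can only address capability slots it holds."""
    out = {}
    for slot in slots_to_try:
        try:
            out[slot] = kernel.read(pid, slot)
        except Denied as e:
            out[slot] = f"denied: {e}"
    return out

def demo():
    k = Kernel(USER_FILES)
    ambient = editor_with_ambient_authority(k, ["report.txt", "id_rsa"])
    slot = powerbox(k, pid=7, user_choice="report.txt")  # user chose report.txt
    capability = editor_with_capabilities(k, 7, [slot, slot + 1])  # slot+1 was never granted
    return ambient, capability
```

Under ambient authority the editor walks away with the key file; under capabilities its probe of an extra slot is simply denied, and the key's name never enters its world.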

So, there it is... a lot of text written freestyle into a dialog box on a web page. I hope I did a good enough job to convince you to give the idea some consideration. I'll do whatever it takes to help spread it.

mike warot -
