Wednesday, January 19, 2011

25 years of insecurity

It's been 25 years since the first computer virus, and we still haven't learned our lesson.

It's possible to build an operating system which is both secure and usable, by changing one fundamental assumption underlying everything. It's one of the most frustrating aspects of computing, but most people don't understand the problem, and thus can't properly evaluate the quality of the solutions offered to date.

How we got here

Windows, Linux, Mac OS X, all are based on a security model called "Default Permit". This means that unless something is blocked (by a virus scanner, for example), it is allowed to run.

Now, on the face of it, this is the obvious way that computers should work. Who would want to make it harder to run a program? After all, it is our computer, and it should do what we want, right?

It's when you consider what that program is allowed to do that the situation starts to get interesting. A computer program can do anything you are allowed to do, on your behalf. If you can access your passwords, so can the program you just launched... if you can send an email, so can the program you just launched, etc.

Adding further complexity is the fact that there are a number of system services running at any given time which are supposed to have privileges beyond those normally allowed to the user, and these programs can be misled into mischief.

Any running program runs unbelievably quickly, and it can try to do all sorts of things in the blink of an eye... so if there are any holes in security, it can exploit them without you noticing. This forces you to trust any program you run to do exactly what it says it will do.

In response, for the past 25 years we've grown accustomed to virus scanners, spyware scanners, firewalls, and any number of filters that try to stop bad programs, but they don't work perfectly, and in fact they never will.

Now there are literally billions of computers all networked together, each with their own set of imperfectly protected exploitable resources, a vast ecosystem, if you will, waiting to be exploited, and it is being exploited. On the global level, there are entire socioeconomic systems which have grown to exploit the weaknesses in our computers for financial gain.

The fact that our filters and firewalls are imperfect leaves us with a choice.... security or usability.

I strongly believe this is a false choice, and there is a better way.

CABsec - A better way

If the security model is flipped 180 degrees, to a default deny... security becomes a problem which can be solved. I call it CABsec (CApability Based SECurity), so Google can find it in the future.

The basis of CABsec is that at the time a program or process is to be run, a list of capabilities is supplied to the operating system with it. Just like we have icons on our desktops which are shortcuts to programs, this list could be similarly supplied and default to a reasonable range of actions. The typical user wouldn't even need to be aware of it, in most cases. Usability is not affected.

Every system process can be similarly equipped with a list of privileges. It's not necessary for a file system to access the internet, for example... which means there is no possibility of the file system driver process being misled into leaking information to the internet. In a similar manner, properly configured system processes can each be locked down to provide bulletproof security.

This leaves the user with a system which can actually enforce its rules in a secure manner, without the possibility of being broken by a rogue application. The user is provided with a system which could then allow them to specify that their accounting program access one specific folder. The program would never be able to access anything else (like the internet, for example)... so it would be self-contained and secure.
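To make the launch-time capability list concrete, here is an added example (Python, not code from the post) that models both the accounting program limited to one folder and the file system driver with no network access. It assumes two capability kinds, "file" (a directory prefix) and "net" (a host name), and checks path strings rather than the unforgeable handles a real capability system would hand out; the path normalisation step shows why even this simplified model has to guard against ".." components.

```python
import posixpath
from dataclasses import dataclass, field

# Constructed model (added example, not the post's code) of the launch-time
# capability list: a process holds only what it was launched with; the rest is denied.
@dataclass(frozen=True)
class Capability:
    kind: str      # "file" or "net"
    resource: str  # directory the process may use, or host name ("*" = any)

class CapabilityDenied(PermissionError):
    pass

@dataclass
class Process:
    name: str
    caps: frozenset = field(default_factory=frozenset)  # empty = default deny

    def _check(self, kind: str, resource: str) -> None:
        for cap in self.caps:
            if cap.kind != kind:
                continue
            if kind == "file":
                # Normalise before comparing so "books/../.ssh/id_rsa" cannot
                # escape the granted folder via ".." components.
                target = posixpath.normpath(resource)
                root = posixpath.normpath(cap.resource)
                if target == root or target.startswith(root.rstrip("/") + "/"):
                    return
            elif kind == "net" and cap.resource in ("*", resource):
                return
        raise CapabilityDenied(f"{self.name}: {kind} access to {resource} denied")

    def access(self, kind: str, resource: str) -> str:
        self._check(kind, resource)
        return f"{self.name}: {kind} {resource} allowed"

def launch(name: str, caps=()) -> Process:
    # Exactly the supplied list; nothing is inherited from the user's own rights.
    return Process(name, frozenset(caps))

# The legacy "default permit" list: everything the logged-in user can do.
DEFAULT_PERMIT = (Capability("file", "/"), Capability("net", "*"))

def attempt(proc: Process, kind: str, resource: str) -> bool:
    # True if the capability check allows the access, False if it denies it.
    try:
        proc.access(kind, resource)
        return True
    except CapabilityDenied:
        return False
```

Launching the same accounting program with `DEFAULT_PERMIT` instead of a one-folder list reproduces the default-permit behaviour the post criticises: the network request that the capability list denies is then allowed.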

Such a system would never need a virus scanner, because it would never trust a program, and thus a program couldn't go rogue.

A virus would find itself like the Greeks inside the Trojan horse finding that the horse had been sealed inside a layer of bulletproof glass... they could never escape to do their mischief.

It's a big project to get a CABsec system built... I thought it would have already happened, there have been hints of it with things like Midori at Microsoft, but they never pan out. I'm doing my own little bits of work promoting capabilities and least privilege. I'm hoping that this leaves you with a better understanding of what can be done, and a better way forward.

2 comments:

Anonymous said...

Dear sir,

The functionality you idealise and search for fruitlessly in Microsoft operating systems has several production quality competing implementations in the Linux software ecosystem, and possibly even in other Free operating systems. Notably SE Linux and AppArmor, the latter supported by Ubuntu.

You have good ideas and initiative, but you need to get yourself in touch with the state of the art in order to provide the meaningful contributions you seem so eager to create.

Microsoft is not a player in the secure systems arena for a wide variety of bad architecture decisions that hinder any work in that area. I strongly encourage you to become knowledgeable about Linux and possibly start contributing to one of the existing solutions that have implemented what you describe and gone further yet.

Best of Luck.

Mike Warot said...

AppArmor is a step in the right direction, as it at least attempts to set up a mechanism for untrusted applications. However, the foundation of Linux is a monolithic kernel, and there is tons of stuff (mostly drivers) in there all running in kernel mode. Any code running in that mode is subject to a possible hijack via stack overflows, etc. AppArmor is thus based on a foundation built in sand... it can be subverted from within.

Windows is far worse when it comes to the amount of stuff running in kernel mode, so it's far less likely to ever be secure. I have no delusions about Windows, and haven't swallowed the Microsoft Kool-Aid.

As for the speed of MicroKernels, they can be fast, and efficient. It doesn't have to be slow.

I just found out about OKL4, which is a system based on a "proven" kernel. They have a VMware-based, Linux-hosted development environment, and I'll start exploring that.