Monday, May 05, 2014

The future I want to prevent

I've written often about the inadequacy of our current approach to computer security. The biggest problem we face isn't technological; it's our hidden, deeply entrenched assumptions about what is (and isn't) possible to do with computing in general.

I want to describe some of the things I see coming down the road if we continue on our current course, hopefully to expand our imagination a bit and to create the cognitive dissonance needed to shake things up and rouse us all to finally fix this and get on with our lives.

Scenario 1: The I-95 virus.

April 27, 2021: The entire Northeast United States goes under martial law to deal with the latest cyber-attack. Launched by the "free peoples party of Belgium", it has disabled all Toyota, Lexus, Ford, and Kenworth vehicles implementing the new V2V standard. Over 250,000 vehicles were involved in a series of accidents that took place at 6:51 AM EST.

In the weeks that follow, computer experts determine that a zero-day flaw in the subsystem supplied by Acme Limited was successfully exploited to cause this cascade effect. The simultaneous disruption of so many vehicles contributed to the 1,000,000+ injuries and a yet unknown number of deaths.

... more scenarios to follow.

Multi-level secure computing.

Multi-Level Security was worked out in the late 1960s in order to allow computing on both "Secret" and "Top Secret" information in the same computer at the same time. The use of the Bell-LaPadula model ensures that a lesser privileged user can never cause grief for a more privileged user. If we had multi-level secure systems, we could safely run any program we want in a sandbox, and it could never, ever crawl back out of it.

The closest you're likely to get is enabling the MAC option in FreeBSD, which is experimental.

The Genode project aims to provide a capability-based security system which can run Linux apps... it is the best chance I see going forward for a truly secure system that isn't military grade. In such systems, you specify at run time exactly which files can be accessed by an application. This has the benefit of explicitly limiting the side effects of said application, and thus making for a far more secure system. You might be tempted to think this would make it unusable (as AppArmor tends to be)... but it doesn't have to be that way. In fact, it's possible to make apps behave almost identically, as far as the user is concerned, without compromising anything.
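
To make the run-time grant concrete, here is a small Python model added as an illustration; it is not Genode code, and `FileCap`, `launch`, `word_count_app` and the sample files are hypothetical names constructed for the example. It assumes the application can reach files only through the handles it is given, which a real capability system enforces below the application and which Python here only models.

```python
import tempfile
from pathlib import Path

class FileCap:
    """Model of a capability: a handle to ONE file plus a fixed set of rights."""
    def __init__(self, path, rights):
        self._path, self._rights = Path(path), frozenset(rights)

    def _require(self, right):
        if right not in self._rights:
            raise PermissionError(f"capability lacks '{right}' right")

    def read(self):
        self._require("r")
        return self._path.read_text()

    def write(self, data):
        self._require("w")
        self._path.write_text(data)

    def attenuate(self, rights):
        """Derive a weaker capability to hand onward; rights can only shrink."""
        return FileCap(self._path, self._rights & frozenset(rights))

def launch(app, grants):
    """Launcher: grants = {name: (path, rights)}, decided at run time."""
    return app({name: FileCap(p, r) for name, (p, r) in grants.items()})

def word_count_app(caps):
    """Hypothetical app. It is handed capabilities, never path names."""
    caps["output"].write(str(len(caps["input"].read().split())))
    attempts = {"overwrite_input": lambda: caps["input"].write("x"),
                "read_secret": lambda: caps["secret"].read()}
    outcome = {}
    for name, attempt in attempts.items():   # side effects outside the grant
        try:
            attempt()
            outcome[name] = "allowed"
        except (PermissionError, KeyError):
            outcome[name] = "denied"
    return outcome

def demo():
    d = Path(tempfile.mkdtemp())             # constructed sample files
    (d / "notes.txt").write_text("one two three")
    (d / "secret.txt").write_text("not granted to the app")
    outcome = launch(word_count_app, {"input": (d / "notes.txt", "r"),
                                      "output": (d / "count.txt", "w")})
    return outcome, (d / "count.txt").read_text(), (d / "notes.txt").read_text()

if __name__ == "__main__":
    print(demo())
```

The app still does its job (the word count lands in the output file), while every side effect outside the grant is refused.
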
I think we're still 10 years out before people wake up and realize that our collective assumptions about computer security are wrong, and that this needs a more rigorous, carefully engineered solution instead of the layers of patches we currently employ. I'm hoping that my frequent postings on this subject are informative, and help shorten that time-span significantly.