[Giagnocavo]Michael::Write()

 Saturday, January 29, 2005
How I want computer security to work

I hope the days of running arbitrary CPU instructions to perform every single task come to an end soon.

I hear people complaining about how MS doesn't make them secure enough. I hear from the other end (i.e., the pros) that we have to have user education. I read about parents having to filter their kids' computers, ensuring they don't run malicious code (not “bad content”, such as pro-Bush propaganda, but code to take over a PC). People run anti-virus software. People are now running anti-unwanted-commercial-software programs. Heck, in some cases, there's even anti-anti-spyware code out there.

We hear about having to “ensure we trust the source”, as in, “do I trust Bob to send me a web site link”? Not even a program, *just a link*! We have the “don't execute attachments” and “don't install code from websites”, on and on and on. Some people even think there should be an “Internet driver's license” or even some sort of basic PC user training/license.

This has got to stop. It's been shown that we'll never be able to get average people to make correct trust decisions. It's also stupid to want to do that. If someone writes up a cute “Flying Bunnies.exe” game, I WANT to be able to run it, without worrying that it's some kind of attempt to hack me.

.NET gives us the first level. We have code access security, which can ensure that certain code running can't do certain things. Next, we need an OS that takes this home.

It looks as if we'll be having a little girl this May. By the time she's old enough to have her own real PC, I hope these things will be an issue of the past. When I got my first computer, I was 5. I was already somewhat familiar with DOS; I knew my way around. How different would that have been, had I had to understand a full set of security and trust related data? How much slower would I have gotten into things if it had to be accompanied by a ton of overhead just so that I wouldn't get hacked?

If Microsoft embraces managed code fully (and it looks like they are), this should not be hard. Managed programs should just run. Get an email attachment? Just run it! See a cute game that needs rich UI controls from the web? Should be automatic. Only when an unmanaged EXE comes along should we run into roadblocks. Indeed, any program requiring trust should require us to log in as admin (or elevate to admin) and allow it.

So, in about 5 years, I hope to be buying a nice little PC for my child. I want to flip it on, use biometrics as her password, and LET HER PLAY dammit! If she finds a bunny program, I want her to be able to run it. Now, I'm hoping my kids will follow after me and understand computers enough to make those decisions for themselves (heck, and for other people :)), but I sure don't want that to get in the way.

The same applies to pretty much everyone else (yeah, I'm saying a lot of users aren't much more advanced than a 5-yr-old). We can't expect people to make security decisions. We simply MUST have a way for things to get done, without security implications. I think at this stage, this is entirely possible.

Categories: Misc. Technology | Security
Saturday, January 29, 2005 10:12:26 PM UTC | Comments [4]

Saturday, January 29, 2005 10:59:44 PM UTC
I think we are very close to being able to have this without having DRM.

You are correct, the OS vendors must be fully behind it, though, because if it's easier to create unmanaged code, or code that is unmanaged runs better, or certain cool things can only be run as Admin, then we will have lost the battle, because everyone will simply run as admin like they do now.

Permission levels built into the OS as far as what resources a given application has access to and running apps inside of containers where they are only given the resources they need to run.

The problem we are going to run into (I can already see it coming) are things like games and/or any other cool shiny object. If for one minute the company that makes those things thinks they can make their product better by running unmanaged, down close to the wire, they will do it. Then everybody who wants to run their program will run as admin and we are back where we started.

You are right, users will never learn to be security minded all the time. They shouldn't have to be; we as professionals should be able to figure out a way to do this.

Currently you can make unmanaged code run better than managed and super resource intensive programs like CAD or GIS definitely run much better where the developers can explicitly handle how resources are used.

But Java and now .Net have proved that running through a runtime can be just as effective but the platform itself must be optimized to work with that interface. The OS vendors need to make this happen.

That's why I was so disappointed with what Longhorn is becoming. It's a scaled up version of XP now; it's evolutionary, not revolutionary, which means security is probably still reactionary, not pre-emptive.

Congrats on your baby girl to be!

When she is five my oldest son will be nine. I, like you, am hoping that he will have seen the PC make a revolutionary jump in security concepts at an OS level so he can run fuzzypuppy.exe without first saying "Dad, can you scan this for me with Nortons?".

Sunday, January 30, 2005 12:58:39 AM UTC
Well, Avalon is all managed code. I think with Longhorn, MS is showing a very big commitment to managed code, and is proving it'll work.

And even better, with XP SP2, they showed that they are willing to break a few things in the name of security. So, hopefully, with Longhorn, they'll continue that. *Obviously* Doom3 and likewise are going to need to run on Longhorn. But, I'm hoping the install process will get a bit more difficult. They called about something called the SEE (which sounds like some holy oracle or something). It stands for Secure Execution Environment. I sure hope they've got some tricks up their sleeves there.

Basically, getting higher-trust apps to run SHOULD be difficult. It should not be easy to con a user into doing such stuff. MS has the power to make this happen.

And really, newer games shouldn't have much reason to need fully trusted code. The CLR and framework will need to do some tricks to get the perf close, but I feel confident that there is enough at risk that they'll figure out a way...

Saturday, February 12, 2005 1:51:47 PM UTC
You need to do some reading.
Look up capability systems, least privilege, and confinement.
Current systems are horrifically designed. With a real capability system *even ActiveX* could be safe.
This has nothing to do with "managed" code, or virtual machines. This is just about the sickeningly high level of ambient privilege in Unix & Windows. Take a look at EROS or KeyKOS. Unusable for real life, but very very cool.

Tuesday, February 15, 2005 7:51:25 PM UTC
I looked up capability systems, read this short essay:
http://www.eros-os.org/essays/capintro.html

Seems like .NET eases a lot of the issues brought up. If MS embraces this for Longhorn, we have something that starts to become much better...
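As an added illustration of the "just run the bunny game" goal from the post and the capability/ambient-privilege point raised in the comments (example code written for this page, not from the post, .NET, or EROS/KeyKOS): the launcher hands the untrusted game a single attenuated directory capability instead of ambient authority to open any path, and the capability refuses anything that resolves outside its grant. The `FileCap`/`DirCap` classes, the two game functions and the sample file layout are assumptions constructed here; Python itself enforces no boundary, so this models the design principle rather than a real sandbox.

```python
import os
import tempfile

# Toy object-capability model (illustration only: Python enforces no boundary here;
# EROS/KeyKOS or a CAS policy would). The "game" gets no ambient open(), only caps.

class FileCap:
    """Capability to read one specific file."""
    def __init__(self, path):
        self._path = path
    def read(self):
        with open(self._path, "rb") as f:
            return f.read()

class DirCap:
    """Attenuated capability: read-only access confined to one directory."""
    def __init__(self, root):
        self._root = os.path.realpath(root)
    def open(self, name):
        full = os.path.realpath(os.path.join(self._root, name))
        # Confinement check: anything that resolves outside the grant is refused.
        if os.path.commonpath([self._root, full]) != self._root:
            raise PermissionError(f"capability does not cover {name}")
        return FileCap(full)

def bunny_game(caps):
    """Untrusted code that behaves: uses only the capability it was given."""
    return caps["assets"].open("bunny.txt").read().decode()

def greedy_game(caps):
    """Untrusted code that tries to escape its grant via path traversal."""
    return caps["assets"].open("../secrets.txt").read().decode()

def run_confined(game, assets_dir):
    """Launcher: grants the game its asset directory and nothing else."""
    try:
        return ("ok", game({"assets": DirCap(assets_dir)}))
    except PermissionError as e:
        return ("denied", str(e))

def demo():
    # Constructed sample layout: secrets.txt sits outside the granted directory.
    base = tempfile.mkdtemp()
    assets = os.path.join(base, "assets")
    os.mkdir(assets)
    with open(os.path.join(assets, "bunny.txt"), "w") as f:
        f.write("flying bunnies!")
    with open(os.path.join(base, "secrets.txt"), "w") as f:
        f.write("not for the game")
    return run_confined(bunny_game, assets), run_confined(greedy_game, assets)
```

The user never makes a trust decision: the well-behaved game runs, and the one reaching for `../secrets.txt` is refused by the capability it holds rather than by a dialog.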