In Trusted Computing We.. er.. Trust?

by Charles Miller on August 29, 2003

W32.Sobig.F could have done some serious damage to the Internet. It's easy to imagine how much worse it could have been if, say, the virus had a remote-administration/DDoS component.

You can blame Microsoft, of course. Or you can blame the victims who still don't know that they shouldn't open attachments. Or you can declare that email itself is broken and we need to replace it with something more secure. (More on that last one tomorrow, I think). Or you can blame the worm authors for being not-very-nice people. Or you can shrug and say "Well, it wasn't that bad, was it? Just delete the damn emails."

It's lazy to blame Microsoft. Certainly, Microsoft's operating systems have the worst practical security of the major consumer OS's [1]. The thing is, though, the difference is really only marginal. It may be slightly easier to compromise a Windows user, but if some other OS had 95% market share, the Black Hats would just make that extra few percent of effort to achieve the same ends.

There are a few simple things that OS vendors should pay more attention to. Specifically, more attention needs to be paid to making computers more secure in the default configuration. A simple example is the way MSBlaster spread. Why were DCOM services being offered over the Internet in the first place? Because it's easier to bind a service to * than to specific addresses, one suspects.

The biggest problem, however, lies in the security model of consumer operating systems. The model has remained unchanged since 1970s Unix, and has not adapted to today's atmosphere of naive administrators and Internet-borne threats.

Modern OS's are based on the age-old multi-user security model, which aims to do two things:

  • protect users from non-users (i.e. attackers)
  • protect users from each other

On most desktops, the second is rarely used: there is one user, or there are a small number of users who trust each other. Unix and Mac OS X are better at splitting user privileges from system privileges; on NT (from experience with NT4 and W2K) it is annoying for a user/owner not to have Administrator rights all the time, although that may have changed with XP.

Java's security model has been criticised over the years, but mostly because of flaws that have been found in its implementation. The theory behind the model was sound, and it added another dimension to the security matrix:

  • protect users from the code they run

This is what no operating system does, and what every operating system should do in today's world of fast-spreading worms, dangerous malware and non-technical users. The assumption of the OS security model is that all actions a user takes should be considered equal, and the user's authority is delegated infinitely and unchecked through software. This is the deadly assumption that causes almost all malware to spread. We should not assume that the user trusts the software he or she is running.

Simple example. There is almost no situation I can imagine where an application launched from Outlook should be permitted to modify the Windows Registry. And yet they can, because a user is permitted to change the Registry, and Outlook delegates that power unthinkingly to anything the user decides to run. And yet, if applications launched from attachments were not allowed to modify the Registry, were not permitted to talk to the network, were not given access to the filesystem, you'd have effectively killed email-borne worms.

Java had to leap through all sorts of hoops to get its security model working (managed code and class-file validation) because the virtual machine didn't have full control over the real machine. The OS controls the horizontal and the vertical. What it says you can't do, you can't do. And it could make those decisions based on application identity (or a stack of such identities and inherited capabilities) as easily as it can now based on user identity.

There are complexities: the component model of modern operating systems means we must deal with the question of the 'taint' of data transferred between components, or of applications saved to disk and then run elsewhere. But these are all solvable problems. Properly implemented, this model would massively increase the security of our desktop systems, without placing a significant usability barrier in front of the user, or limiting what they can do if they really want to.
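The "stack of identities and inherited capabilities" idea above, together with the taint question for attachments saved to disk, as a small added model (my own illustration, not code from the post): a process can only ever delegate a subset of what it holds, a launcher policy narrows that further, and a saved file carries the label of whoever wrote it. The capability names, the CHILD_LIMITS policy and the process names are constructed for the example.

```python
"""Toy model of per-application capability attenuation (constructed example)."""
from dataclasses import dataclass

ALL_CAPS = frozenset({"registry", "network", "filesystem", "display"})

# Policy (assumed): what each launcher may delegate to programs it starts.
# A mail client may run attachments, but hands them nothing beyond the display.
CHILD_LIMITS = {"shell": ALL_CAPS, "outlook": frozenset({"display"})}


@dataclass(frozen=True)
class Process:
    name: str
    lineage: tuple      # stack of application identities, oldest first
    caps: frozenset     # capabilities this process may exercise

    def can(self, action: str) -> bool:
        return action in self.caps

    def delegable(self) -> frozenset:
        # Never more than this process holds, narrowed by the policy for its identity.
        return self.caps & CHILD_LIMITS.get(self.name, ALL_CAPS)

    def spawn(self, child: str, requested=ALL_CAPS) -> "Process":
        # Attenuation only: a child cannot acquire what its launcher lacks.
        caps = self.delegable() & frozenset(requested)
        return Process(child, self.lineage + (child,), caps)

    def save(self, path: str, disk: dict) -> None:
        # The file is labelled with the writer's delegable set, so saving an
        # attachment and running it from elsewhere does not launder its origin.
        if not self.can("filesystem"):
            raise PermissionError(f"{self.name} may not write {path}")
        disk[path] = self.delegable()

    def launch(self, path: str, disk: dict) -> "Process":
        # Running a saved file is bounded by both the launcher and the file label.
        return self.spawn(path, disk[path])


def demo() -> dict:
    disk = {}
    shell = Process("shell", ("shell",), ALL_CAPS)
    outlook = shell.spawn("outlook")
    attachment = outlook.spawn("invoice.pif")   # run straight from the mail
    outlook.save("invoice.pif", disk)           # user saves it to disk instead
    later = shell.launch("invoice.pif", disk)   # ...and runs it from the shell
    return {"outlook": outlook, "attachment": attachment, "later": later}
```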

The big question, though, is one of motive. Microsoft's biggest challenge with every OS update is to convince people that the new model is worth buying: that it does something you couldn't do before. Increased security means, by definition, that a computer will do less than it did before. Sure, they're all things you wouldn't want it to do in the first place, but selling the absence of something bad is not nearly as easy as selling the presence of something good.

Windows 3.11 came packaged with anti-virus software, but that was left out of Windows 95. Microsoft have been building all sorts of things into their OS: web browsing, instant messaging, email, multimedia playing. One would think that virus protection and a firewall of the same sort of feature-set as ZoneAlarm would be far more obvious contenders to be a part of the OS than an IM program, and that Symantec would be shivering in their boots at the thought of their market being dragged from under them.

It won't happen, though. IE, MSN Messenger and Media Player are all visible, additive features. Virus protection and firewalling are not only subtractive, but they offer no cross-platform advantage to competitors in the way Real, Netscape or AOL threatened. Hence, Microsoft are quite happy to let someone else handle that, thank-you very much.

Which is why the direction Microsoft are taking is not into the realm of increased practical security for users, but towards the DRM PC: a tightly managed OS that increases the security of the computer at the devastating cost of the user's freedom, but with the benefit of providing a path through which newly available DRM-protected content becomes the positive feature that will be used to sell it.

[1] NT's permissions model is good, pretty much everything else is rubbish.