How Correct Is Security By Correctness?
Alan: Running Google Chrome?
Joanna: Yes, I use it for my Red machine. The main reason for this is that I like its GUI, and that it also seems fast and supports all those scripts, flashes, and god-know-what-else--all that is needed to read a typical news Web site these days.
Still, this all should be thought as of a temporary workaround. The proper solution would be to have a very thin type I hypervisor (bare-metal), something ala Xen, being securly loaded at boot time (via something like Intel TXT), and then having this thin hypervisor to manage all the VMs. Of course, to make a hypervisor really thin, we should get rid of the drivers and I/O emulation out form the hypervisor. We need Intel VT-d (not to be confused with VT-x) or AMD IOMMU technology to do that. As far as Intel laptops are concerned, this more or less corresponds to having a Centrino 2-based laptop. Phoenix's HyperCore and Xen's Project Independence are attempts to go into this direction. But today VMWare's or Parallels' fat type II hypervisors seem to be the only option.
Alan: Moving onto the next level then, things like outgoing firewalls, anti-spyware/anti-malware software, etc. don't protect against the most sophisticated malware. Right now, we don't think any such malware is in the wild, but after all, maybe we're just ignorant. What can we do?
Joanna: It is a good design of the OS (or a hypervisor and OS) that can protect against malware, not some tricky-hacky third party additions applied on top of something that is insecure-by-design.
Alan: See? So security by design is important!
Joanna: But it is the design of just a few core components of the system (kernel/hypervisor), not of all the software.
Alan: Are there ways to "vote with our dollars" to get companies to take a proactive stance on security?
Joanna: Unfortunately I don't see a simple way for people to do that. There simply are no good products to choose from as far as desktop OSes are considered. Whether it is Mac, or Windows, or even Linux, all those systems use those big monolithic kernels which host all those third-party developed drivers. This creates a huge attack vector against any OS-provided security isolation mechanism, such as process separation, user accounts separation, or kernel protection.
Alan:My day job is actually as an orthopaedic surgeon. With that, I come to things with a different perspective. At the end of the day, if your financial information is stolen, there's probably a way to get around it either through insurance or credit protection. At the very least, you have a chance to catch the bad guys when they try to spend the money. In medicine, we're moving to electronic medical records. Stolen information about someone's chronic illness or embarrassing diagnosis could have farther-reaching consequences.
Joanna: Very true. On the other hand, apparently many people see no objections in using Web-based services to keep their personal information, from calendars (Google Calendar) to documents (Google Docs) and even health records (Google Health). Even assuming that Google (or similar Web service provider) offers perfect security (which they don't), do we really trust the IT staff working there? But true, still most information is kept on our personal computers and not in the cloud (and thank God). Also, even if we kept all the information in the cloud, then still malware that compromised our personal computer could access all of that information from the cloud. So, yes, the security of our personal desktop computers is the most important aspect of computer security, and the implications might go way beyond just stolen credit card numbers.
Alan: Most people would argue that, while multi-layered security is critical, it always starts with a secure-by-design model. Code needs to be audited and carefully written from day one. This gives you the best chance for success rather than patching-as-you-go and reusing old code written in a pre-security era. Adding all of the other elements like randomization and isolation provide added layers. Is that a fair statement?
Joanna: I'm actually skeptical about relaying only on the "Security by Correctness" approach. I don't expect our applications and drivers, and generally a majority of software, to be bug-free anytime in the near future, if ever. We should rather focus on making very thin core components that would be bug-free, such as type I hypervisors, and then have them provide good isolation between other components to limit the possible damage they can do (for insyance, one exploited browser, used for daily Googling will not affect our secure browser used for online banking). Interestingly, the security industry seems to believe the "Security by Correctness" approach, and that developers will eventually stop introducing bugs. At least, the industry wants us to believe it.
When I read news about yet another bug in IE or Adobe Reader, or Flash Player, I cannot help but only to shrug my shoulders--so what? What does it change?
Alan: Nothing now, but we should still try to write secure code, especially when creating things from scratch. Take your exploited browser example accessing Google on your red machine versus a more protected browser on a separate machine for your bank account. What good is preventing a browser exploit when there’s a bug that will allow me to log into my own bank account, but see your financial info?
Joanna: Sure, but here we talk about security of the server-side software, while what we have been discussing so far was about security of the desktop machines--different challenges and solutions are needed in those two fields. Also, let me make it clear here that I highly respect the skills of people who find and later are capable of exploiting various bugs in browsers. This is very cool and often very beautiful. But, from the how-to-build-more-secure-desktop-systems perspective, this is usually quite irrelevant. We will never patch all the bugs in IE or Firefox--those programs are constantly being extended, new features are being added, so even if we somewhat audited IE 7 completely, then we would have to start all over again for IE8 and so on. Of course, for software vendors like Microsoft, it is much easier to simply take a reactive approach, follow each reported (or discovered) bug, and then issue a patch. This is much easier than to take its OS and totally redesign its kernel, and then also have all the ISVs redesign their drivers.
I find it odd how many security experts focus on various hardcore things, like heap-based overflow, while at the same time they have no idea about how the new, upcoming technologies that have a great potential of actually changing the landscape of desktop security--technologies such as TPM, TXT, and VT-x/VT-d--actually work. Sure, it is cool to write exploits for applications, but engaging in this endless arms race is not the best way to secure our computers. You don't secure your computer by continuously looking for bugs in all the software and then by writing exploits!