[Cryptography] "NSA-linked Cisco exploit poses bigger threat than previously thought"

Bill Frantz frantz at pwpconsult.com
Thu Aug 25 21:48:35 EDT 2016


On 8/24/16 at 12:20 AM, alex at alten.org wrote:

>Sadly the newest ARM based OSes will be like Intel circa 2007, basically wide
>open for exploitation. So there go smart phones, IoT appliances, cars, etc.

I suppose it's time for my periodic recall of forgotten OSes. 
But this time I will take a slightly different tack.

Many OSes have been built in the search for a "secure" OS, but 
none of them have succeeded, even in niche markets. Perhaps the 
problem is in what we mean by secure. Usually we mean that the 
OS can enforce "policy". We don't do a particularly good job of 
defining policy, and we do a terrible job of defining how to 
convey policy to the system, and how to enforce controls on who 
can change the policies being enforced.

Perhaps we should take a different tack. Build a system that can 
support the principle of least authority. (We say authority 
rather than privilege because privilege is what an object is 
permitted to do, but authority includes privilege and adds what 
an object can get other objects to do for it.) Such a system 
would make the job of an attacker harder because fewer objects 
would have authority to make dangerous changes. (Hint: there 
would be no root privilege.)

Least authority systems can look a lot like object oriented 
programming languages without global mutable state. This makes 
them quite familiar to modern programmers, a definite plus.

A few systems which have addressed least authority:

Polaris: A system to improve safety on Windows machines. Polaris 
made a new user for each execution and gave that user very 
limited privileges. For example, if you opened an attached Word 
document in your mail agent, Word would run as a different user 
with access to just the document. Programs could gain access to 
other files by using the system open dialog. If the user 
selected a file in the dialog, it was added to the program's ACL.

KeyKOS, Eros, CapROS: Eros and CapROS are the same system which 
is a clean room implementation of KeyKOS. Objects run in their 
own protection domain and can pass authority via capabilities in 
calls. These systems have a much smaller TCB than Polaris, but 
they don't run standard Unix/Windows/MacOS programs that expect 
to open files by presenting their names to the open operation, 
which is basically all of them.

There are probably others, but these are the ones that pop to 
the top of my head.

Cheers - Bill

-------------------------------------------------------------------------
Bill Frantz        | The first thing you need when  | Periwinkle
(408)356-8506      | using a perimeter defense is a | 16345 Englewood Ave
www.pwpconsult.com | perimeter.                     | Los Gatos, CA 95032
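The Polaris open-dialog model and the capability passing described in the post above, as an added toy sketch in Python (not code from the post or from Polaris, KeyKOS, Eros or CapROS): the viewer starts with one file capability and no name-based open(), and every further file must be handed to it by a "powerbox" standing in for the system open dialog. The ReadCap, Powerbox and Viewer names are hypothetical, and the filesystem contents and simulated user choice are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

DISK = {  # constructed sample filesystem: path -> contents
    "/home/alice/report.docx": b"quarterly numbers",
    "/home/alice/notes.txt": b"meeting notes",
    "/home/alice/.ssh/id_ed25519": b"PRIVATE KEY (constructed)",
}

@dataclass(frozen=True)
class ReadCap:
    """Read capability for one file: holding the object is the permission."""
    path: str
    def read(self) -> bytes:
        return DISK[self.path]

@dataclass
class Powerbox:
    """Trusted stand-in for the system open dialog and sole minter of
    ReadCaps; user_picks simulates which files the user would click."""
    user_picks: Set[str]
    def request(self, path: str) -> Optional[ReadCap]:
        return ReadCap(path) if path in self.user_picks else None

@dataclass
class Viewer:
    """Program launched on one attachment, Polaris-style: its authority is
    the capabilities it was handed plus whatever the powerbox grants."""
    powerbox: Powerbox
    caps: Dict[str, ReadCap] = field(default_factory=dict)
    def grant(self, cap: ReadCap) -> None:
        self.caps[cap.path] = cap          # authority arrives by being passed
    def read(self, path: str) -> Optional[bytes]:
        if path not in self.caps:          # no ambient, name-based open()
            cap = self.powerbox.request(path)
            if cap is None:
                return None                # user never picked it: denied
            self.grant(cap)                # picked file joins the program's ACL
        return self.caps[path].read()

def demo() -> dict:
    # Viewer opened on report.docx; the user later picks only notes.txt.
    viewer = Viewer(Powerbox(user_picks={"/home/alice/notes.txt"}))
    viewer.grant(ReadCap("/home/alice/report.docx"))
    return {
        "attachment": viewer.read("/home/alice/report.docx"),
        "user_picked": viewer.read("/home/alice/notes.txt"),
        "ssh_key": viewer.read("/home/alice/.ssh/id_ed25519"),
        "acl": sorted(viewer.caps),
    }
```

A compromised viewer can still only reach what it was handed or what the user explicitly picked, which is the whole point of least authority: there is no root-like ambient permission for it to abuse.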