[Cryptography] "NSA-linked Cisco exploit poses bigger threat than previously thought"
Bill Frantz
frantz at pwpconsult.com
Thu Aug 25 21:48:35 EDT 2016
On 8/24/16 at 12:20 AM, alex at alten.org wrote:
>Sadly the newest ARM based OSes will be like Intel circa 2007, basically wide
>open for exploitation. So there go smart phones, IoT appliances, cars, etc.
I suppose it's time for my periodic recall of forgotten OSes.
But this time I will take a slightly different tack.
Many OSes have been built in the search for a "secure" OS, but
none of them have succeeded, even in niche markets. Perhaps the
problem is in what we mean by secure. Usually we mean that the
OS can enforce "policy". We don't do a particularly good job of
defining policy, and we do a terrible job of defining how to
convey policy to the system, and how to enforce controls on who
can change the policies being enforced.
Perhaps we should take a different tack. Build a system that can
support the principle of least authority. (We say authority
rather than privilege because privilege is what an object is
permitted to do, but authority includes privilege and adds what
an object can get other objects to do for it.) Such a system
would make the job of an attacker harder because fewer objects
would have authority to make dangerous changes. (Hint: there
would be no root privilege.)
Least authority systems can look a lot like object oriented
programming languages without global mutable state. This makes
them quite familiar to modern programmers, a definite plus.
A few systems which have addressed least authority:
Polaris: A system to improve safety on Windows machines. Polaris
made a new user for each execution and gave that user very
limited privileges. For example, if you opened an attached Word
document in your mail agent, Word would run as a different user
with access to just the document. Programs could gain access to
other files by using the system open dialog. If the user
selected a file in the dialog, it was added to the program's ACL.
KeyKOS, Eros, CapROS: Eros and CapROS are the same system, which
is a clean-room implementation of KeyKOS. Objects run in their
own protection domain and can pass authority via capabilities in
calls. These systems have a much smaller TCB than Polaris, but
they don't run standard Unix/Windows/MacOS programs that expect
to open files by presenting their names to the open operation,
which is basically all of them.
There are probably others, but these are the ones that pop to
the top of my head.
Cheers - Bill
-------------------------------------------------------------------------
Bill Frantz        | The first thing you need when  | Periwinkle
(408)356-8506      | using a perimeter defense is a | 16345 Englewood Ave
www.pwpconsult.com | perimeter.                     | Los Gatos, CA 95032
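An added illustration, not code from the post or from Polaris, KeyKOS, EROS or CapROS, sketching in Python the shape the post describes: authority travels only as object references, the open dialog is the sole point that turns a user's choice into authority, and a read-only wrapper attenuates what the viewer is handed. All class and function names are hypothetical, and the example assumes the viewer is given objects and nothing else (no ambient `open()`), which Python itself does not enforce.

```python
# Toy in-memory capability model: no global namespace, no root, authority is
# carried only by object references. Hypothetical example code.

class FileCap:
    """Capability to one file. Holding the reference is the authority."""
    def __init__(self, content=b""):
        self._content = content
    def read(self):
        return self._content
    def write(self, data):
        self._content = data

class ReadOnlyFile:
    """Attenuation: forwards only read(). The wrapped FileCap is never
    exposed, so the holder cannot recover write authority from it."""
    def __init__(self, inner):
        self._read = inner.read      # capture the bound method only
    def read(self):
        return self._read()

class DirCap:
    """Capability to a directory: the only way to reach child capabilities."""
    def __init__(self):
        self._entries = {}
    def create(self, name, content=b""):
        self._entries[name] = FileCap(content)
        return self._entries[name]
    def mkdir(self, name):
        self._entries[name] = DirCap()
        return self._entries[name]
    def lookup(self, name):
        return self._entries[name]   # KeyError: nothing outside this dir

def powerbox(user_dir, chosen_name):
    """Stand-in for the Polaris open dialog: the user's selection becomes a
    single read-only capability that is passed to the program in the call."""
    return ReadOnlyFile(user_dir.lookup(chosen_name))

def viewer(doc):
    """Least-authority 'attachment viewer': receives one capability and has no
    name it could present to an open operation. Reports what it can reach."""
    reachable = {op: hasattr(doc, op) for op in ("read", "write", "lookup")}
    return doc.read(), reachable

def scenario():
    home = DirCap()
    home.mkdir("secrets").create("keys.txt", b"private key material")  # constructed
    home.create("attachment.doc", b"quarterly report")                 # constructed
    return viewer(powerbox(home, "attachment.doc"))
```

Running `scenario()` shows the viewer can read the chosen document but holds no write or directory-lookup authority, so the sibling `secrets` directory is unreachable through anything it was given.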