# ex: set ts=2 et textwidth=78:
# pizza
# Sun Apr 22 09:15:27 PDT 2007
# Draft #0

The Problem With Computers
==========================

I like Unix-like operating systems. At least, I used to. The more I know
about them the less I like them.

The basic Unix philosophy is sound: simplicity and consistency.
Unfortunately, it seems, simplicity trumps correctness[1] and tradition
trumps innovation (because it's simpler).

What Is Wrong
=============

Security
--------

What models are secure? How are secure systems designed?

* Principle Of Least Privilege (POLP)

  A system's components should be given exactly the access they require to
  perform their job and nothing else[2]. This means that all access is
  denied by default. Fine-grained access is granted to individual
  components as necessary.

* Humans Are Imperfect (HAI)

  Commercial software has well-defined mean defect rates of 20-30 defects
  per thousand lines of code (KLOC)[3]. Even high-quality open source
  projects have at least 0.1-0.7 defects per KLOC[4] (keeping in mind that
  these are only the defects which can be detected by static analysis).
  Any software that is deployed will contain defects.

  The core software on which the integrity of the system relies MUST be as
  small as absolutely possible. All software that relies on this core MUST
  be allowed only indirect access to the core system, through a
  well-defined and secure interface.

Unix is insecure by design. It values simplicity and consistency over
security. There are entire industries built around finding, exploiting,
patching and preventing exploits in Unix kernels and applications; here's
why:

* monolithic kernel

  Unix systems are not required to have monolithic kernels, but almost all
  do. This means that all low-level system components, including device
  drivers, exist in the same memory space with no protection from each
  other. A single defect anywhere within millions of lines of source code
  can compromise the integrity of the entire system.
  The reason monolithic kernels exist is performance: back in the 1960s and
  1970s it was necessary to squeeze every last CPU cycle out of the machine
  in order for it to be usable. Today this is equivalent to commuting daily
  with a race car instead of the train, even though the race car blows up
  when it hits a pothole.

  Even mature Unix projects like the OpenBSD distribution, with a focus on
  security before all else, have still had root-level remote exploits in
  the default install[5]. It is reasonable to assume that no non-trivial
  operating system exists which contains zero flaws.

  Proposal: microkernel architecture; trade raw performance for a
  well-defined interface between kernel and system components. A crashing
  device driver can be restarted without affecting system integrity; an
  exploited network driver has no access to the rest of the system.

* root

  On Unix, the root user is God. root has complete power over every aspect
  of the system. root is simple. A user with unlimited power violates POLP
  and HAI.

  Proposal: eliminate root. Separate permissions. Make app-configuration a
  function of an application-specific user. Allow serious architectural
  changes to be made only outside of the operating system environment,
  preferably only with physical access.

* Filesystem Permissions

  The Unix permission model is hopelessly oversimplistic; a relic of a time
  when saving every single byte was more important than security. Unix
  permissions violate POLP.

  Proposal: Access-control list permissions by default.

* Buffer overflows

  By far the most common source of system exploits, buffer overflows exist
  when source code does not thoroughly and perfectly manage its input,
  allowing outsiders to overwrite executable code and often take control
  of the running application, gaining access to its credentials on the
  host system.
  Buffer overflows exist because Humans Are Imperfect; they are exploitable
  because POLP is violated (input data should not be able to overwrite
  executable code).

  Proposals:

  * Safer practices in lower-level languages: buffers should never be on
    the stack, they should be in the data section.
  * Environmental support: compiler/libc can enforce canary values to
    detect overflows; but this is still imperfect.
  * Better tools: dedicated libraries to manage buffers, but these
    themselves may have bugs.
  * Different language.
  * Operating system support.
  * Built-in hardware support.

* Uncontrolled application filesystem interaction

  The Unix filesystem model allows nearly unlimited interaction between
  different processes. Why should other processes be allowed to create
  temp files where my application creates temp files, or muck with my
  config file? The Unix filesystem model violates POLP.

  Proposal: System-wide core files should be in the main filesystem; all
  applications should be isolated in their own jails with their own copies
  of their files, see BSD jails.

* Log file malleability

  Once an attacker has gained root access on a Unix system, the first thing
  that is done is to hide their attack by deleting the system log files.
  What good are log files that can be deleted? Logs are treated as normal
  files that may be moved and deleted for simplicity, but in practice it
  should never be necessary to do so. Log file malleability violates POLP.

  Proposal: log files should be in their own hard disk partition, with
  their own filesystem model. It should not be possible to delete logs,
  ever. Log files should be a sliding window of the last N events,
  implemented as a ring buffer.

  Problems: how do we prevent attackers from simply overwriting the last N
  entries with junk?
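The append-only ring-buffer log proposed above, as an added example that is not part of the essay. It assumes a fixed capacity N and adds a SHA-256 hash chain plus sequence numbers to the essay's design: a flood of junk still evicts real entries, but the eviction counter, the gap in sequence numbers and any broken chain link make the flood and any in-window edit detectable.

```python
import hashlib
from collections import deque


class RingLog:
    """Append-only log keeping only the last `capacity` events.

    No delete or truncate operation exists. Each record is chained to its
    predecessor by a SHA-256 digest and numbered (an addition to the essay's
    design), so an in-window edit or a junk flood leaves a trace.
    """

    GENESIS = "0" * 64  # chain anchor for the very first record

    def __init__(self, capacity):
        self.capacity = capacity
        self._entries = deque(maxlen=capacity)  # deque evicts the oldest itself
        self.seq = 0          # last sequence number handed out
        self.evicted = 0      # records that have fallen off the front
        self.prev_hash = self.GENESIS

    @staticmethod
    def _digest(seq, prev_hash, message):
        return hashlib.sha256(f"{seq}|{prev_hash}|{message}".encode()).hexdigest()

    def append(self, message):
        """The only mutating operation: add one event, never remove one."""
        if len(self._entries) == self.capacity:
            self.evicted += 1
        self.seq += 1
        digest = self._digest(self.seq, self.prev_hash, message)
        self._entries.append({"seq": self.seq, "msg": message,
                              "prev": self.prev_hash, "hash": digest})
        self.prev_hash = digest
        return self.seq

    def records(self):
        """(sequence number, message) for every surviving record, oldest first."""
        return [(e["seq"], e["msg"]) for e in self._entries]

    def verify(self):
        """Recompute every digest and link; False if any record was altered."""
        prev = None
        for e in self._entries:
            if e["hash"] != self._digest(e["seq"], e["prev"], e["msg"]):
                return False
            if prev is not None and e["prev"] != prev:
                return False
            prev = e["hash"]
        return True
```

Flooding a four-entry log with four junk records pushes a real "login" event out, but `evicted` and the first surviving sequence number show that it happened.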
Other General Problems
======================

* Weak passwords

  Weak passwords should not be possible; password-change software should
  include the ability to analyze and "crack" a proposed password; it should
  give the user feedback on how secure a password is, and should disallow
  passwords that are too weak.

Conclusions
===========

The current Unix computing model is insecure by design. It requires the
perfection of millions of lines of code in order to be secure, which has
never been accomplished. As society becomes more reliant on digital data,
and as the world becomes highly networked, we need a computing model that
is secure by design.

References
==========

[1] "The Rise of 'Worse Is Better'"
[2] "Principle of Least Privilege"
[3] "Linux: Fewer Bugs Than Rivals"
[4] "Scan.coverity.com"
[5] "OpenBSD's IPv6 mbufs remote kernel buffer overflow"
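A password analyzer of the kind proposed under Other General Problems, as an added example that is not part of the essay. The wordlist, the 40-bit threshold and the substitution table are constructed assumptions; it undoes common letter-for-symbol substitutions before the dictionary check, estimates brute-force strength from the alphabet and length, and rejects a weak proposal with feedback the user can act on.

```python
import math
import re

# Constructed stand-in for a real dictionary or leaked-password list
# (assumption: a deployment would load a far larger one from disk).
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "monkey", "dragon"}

# Letter-for-symbol substitutions that a cracker's rule set undoes first.
LEET = str.maketrans("@$01345!", "asoieasi")


def normalize(pw):
    """Undo leet substitutions and strip digits/symbols tacked on the ends."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower().translate(LEET))


def charset_size(pw):
    """Size of the alphabet a brute-force search would have to cover."""
    size = 0
    if re.search(r"[a-z]", pw): size += 26
    if re.search(r"[A-Z]", pw): size += 26
    if re.search(r"[0-9]", pw): size += 10
    if re.search(r"[^A-Za-z0-9]", pw): size += 33  # printable ASCII symbols
    return max(size, 1)


def assess(pw, min_bits=40, min_len=8):
    """Return (accepted, estimated_bits, feedback) for a proposed password."""
    feedback = []
    core = normalize(pw)
    if core in COMMON_WORDS:
        # Dictionary hit: the search is over words and decorations, not
        # over characters, so only the decorations add any strength.
        bits = math.log2(len(COMMON_WORDS)) + (len(pw) - len(core)) * math.log2(10)
        feedback.append(f"built from the common word '{core}'")
    else:
        bits = len(pw) * math.log2(charset_size(pw))
    if len(pw) < min_len:
        feedback.append(f"shorter than {min_len} characters")
    if len(set(pw)) <= 2:
        feedback.append("uses only one or two distinct characters")
    accepted = bits >= min_bits and not feedback
    if not accepted:
        feedback.append(f"estimated {bits:.1f} bits of strength, {min_bits} required")
    return accepted, round(bits, 1), feedback
```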