Ivan rocks.  This we already know.  Fascinating post!

I believe that for software to be truly secured operationally, it needs to change so that it makes itself more easily controllable. (In general, we are seeing this at MITRE with SCAP-related efforts like OVAL and CVE.) Maybe the app-whitelisting crowd's technologies are moving in this direction. What we have seen with SELinux is the kind of complexity required for doing this kind of configuration if you're not the software owner.

Skipping plugin architectures where everything goes, and I'm sure a ton of other complexities, what if software basically told its users where it would add/remove files, what ports it listened on, etc.? Or alternately, was configurable in this fashion? From an operational software-control perspective, it would be easier to detect variations from such a "profile," and for operating systems to build capabilities that could enforce this more abstract level.

And from a software analysis perspective, these "policies" or "profiles" or whatever you have, could be fed into automated analysis tools in order to reduce false positives, and (perhaps) catch some design-level issues, too. Even apparently "simple" problems like path traversal require some knowledge of the business logic of the application in order to determine if an issue is a feature or a bug.

The usability problems in app-profiles may be a big hurdle, since apps would want to transfer data back and forth... and if I'm editing a document, I might want to save it outside of a restricted directory. Ivan, did your solutions have any impact on usability?

This sounds awfully familiar to a brief conversation on this list about 2.5 years ago [1] where Gary pointed out that managed code has such capabilities built in, but for the foreseeable future we will be stuck with unmanaged code. And this issue skirts the edges of formal methods, too. But if sandboxing really starts to catch on, maybe there will be some hope.

What little I know of the mobile space seems to be attempting to take this into account. In general, it seems to me that "application separation" is more built into mobile OSes than into regular, general-purpose OSes (though clearly there are limitations, and some of the same old problems are affecting those apps, too). On the other hand, I don't exactly feel clueful when a mobile app gives a long list of permissions that it needs on install, and I have no control after that.

Like Ivan, I'd be very interested in knowing what others have been thinking on the problem, and what kind of research or development is underway.

- Steve

[1] http://www.securecoding.org/pipermail/sc-l/2008/001591.html
_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________
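The post above sketches an application "profile" that declares where the software writes files and which ports it listens on, so that an operating system or monitoring tool can flag deviations. The following is an added illustration of that idea, written for this page; it is not code from Steve's post, from MITRE, or from any project named on the list. The profile format (a set of allowed write-directory prefixes plus a set of listening ports), the event dictionaries, and the sample events are all assumptions constructed for the example. It also shows why the path-traversal point in the post matters for such a check: paths are compared after normalization, not as raw strings.

```python
"""Check observed application behaviour against a declared profile.

Added example for illustration only. The profile schema, the event format
and the sample events below are constructed assumptions, not an existing
standard or a real application's audit trail.
"""
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Profile:
    name: str
    write_prefixes: tuple      # directories the app declares it writes under
    listen_ports: frozenset    # TCP ports the app declares it listens on


def _normalize(path: str) -> str:
    # Resolve "." and ".." lexically so that a path is judged by where it
    # lands, not by how it starts. On a live system you would also want
    # os.path.realpath() to follow symlinks; normpath alone is lexical.
    return os.path.normpath(path)


def path_allowed(profile: Profile, path: str) -> bool:
    """True if `path` lies inside one of the profile's declared directories."""
    norm = _normalize(path)
    for prefix in profile.write_prefixes:
        base = os.path.normpath(prefix)
        # Require a path-component boundary after the prefix, so that
        # "/var/lib/webapp2" is not accepted under "/var/lib/webapp".
        if norm == base or norm.startswith(base.rstrip("/") + "/"):
            return True
    return False


def check_events(profile: Profile, events: list) -> list:
    """Return (event, reason) pairs for every event outside the profile."""
    violations = []
    for ev in events:
        op = ev.get("op")
        if op == "write":
            if not path_allowed(profile, ev["path"]):
                violations.append((ev, "write outside declared directories"))
        elif op == "listen":
            if ev["port"] not in profile.listen_ports:
                violations.append((ev, "listen on undeclared port"))
        else:
            # Anything the profile does not describe is a deviation by default.
            violations.append((ev, f"undeclared operation {op!r}"))
    return violations


# Constructed profile: a hypothetical web application.
EXAMPLE_PROFILE = Profile(
    name="webapp",
    write_prefixes=("/var/lib/webapp", "/tmp/webapp"),
    listen_ports=frozenset({8080}),
)

# Constructed events, as a file/network monitor might report them.
SAMPLE_EVENTS = [
    {"op": "write", "path": "/var/lib/webapp/data/cache.db"},          # ok
    {"op": "write", "path": "/var/lib/webapp/../../etc/cron.d/job"},   # traversal
    {"op": "write", "path": "/var/lib/webapp2/x"},                      # lookalike prefix
    {"op": "listen", "port": 8080},                                     # ok
    {"op": "listen", "port": 4444},                                     # undeclared port
    {"op": "exec", "path": "/bin/sh"},                                  # undeclared op
]


def main() -> None:
    for ev, reason in check_events(EXAMPLE_PROFILE, SAMPLE_EVENTS):
        print(f"[{EXAMPLE_PROFILE.name}] {reason}: {ev}")


if __name__ == "__main__":
    main()
```

Running it reports four deviations: the traversal (which normalizes to /var/etc/cron.d/job), the lookalike directory, the unexpected port, and the exec. The first two illustrate the post's point that even "simple" path checks need the declared intent of the application before a tool can tell feature from bug; with an explicit profile, the tool no longer has to guess.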