On Wed, 2 Jan 2008 21:26:47 +0000 (UTC)
Jason <[EMAIL PROTECTED]> wrote:

> On the other hand, writing an OS that doesn't get infected in the
> first place is a fundamentally winning battle: OSes are insecure
> because people make mistakes, not because they're fundamentally
> insecurable.

~~20 years ago, after the Internet Worm, I went and reread the Orange
Book.  I concluded, to my horror, that *nothing* in it, including an
A1-rated system, would have stopped the worm from spreading.  Being
rather new to the theoretical security game (though I'd caught my first
hackers around 1971), I asked someone older and wiser.  "Oh, no; a B2
system would have prevented it."  I asked how.  "B2 requires a thorough
search for bugs."

Worms and viruses have essentially nothing to do with the operating
system.  As long as whatever context the vulnerable application is run
in -- the mailer, the browser, the word processor, whatever -- can
write to the network or to a file, the malware can spread.

Another approach is to run such things at a lower privilege level.
(Vista does that with IE7.)  The problem is that you sometimes have to
cross the barrier; that's another way the malware can spread.

> The maddening part is that security as an industry is almost always
> forced to fight on the losing battlefields, even though we've had
> beautiful, efficient, impregnable fortresses available for many
> years.  Any crypto book from 20 years ago can show you how to send an
> unforgeable email or sign a binary, yet these notions still haven't
> widely caught on (and when they have, as in the Xbox, they get
> hijacked for things like DRM and privacy invasion).
Cryptography provides authentication and integrity.  It does not
provide authorization, nor does it provide protection against bugs.
Your suggested approach -- better OS and better crypto -- is exactly
what's failed for the last 25 years.

If you included all applications as part of the OS, you'd be right --
except that it isn't possible to secure such a code base.


                --Steve Bellovin, http://www.cs.columbia.edu/~smb
