On Wed, 2 Jan 2008 21:26:47 +0000 (UTC) Jason <[EMAIL PROTECTED]> wrote:
> On the other hand, writing an OS that doesn't get infected in the > first place is a fundamentally winning battle: OSes are insecure > because people make mistakes, not because they're fundamentally > insecurable. > ~~20 years ago, after the Internet Worm, I went and reread the Orange Book. I concluded, to my horror, that *nothing* in it, including an A1-rated system, would have stopped the worm from spreading. Being rather new to the theoretical security game (though I'd caught my first hackers around 1971), I asked someone older and wiser. "Oh, no; a B2 system would have prevented it." I asked how. "B2 requires a thorough search for bugs." Worms and viruses have essentially nothing to do with the operating system. As long as whatever context the vulnerable application is run in -- the mailer, the browser, the word processor, whatever -- can write to the network or to a file, the malware can spread. Another approach is to run such things at a lower privilege level. (Vista does that with IE7.) The problem is that you sometimes have to cross the barrier; that's another way the malware can spread. > > The maddening part is that security as an industry is almost always > forced to fight on the losing battlefields, even though we've had > beautiful, efficient, impregnable fortresses available for many > years. Any crypto book from 20 years ago can show you how to send an > unforgeable email or sign a binary, yet these notions still haven't > widely caught on (and when they have, as in the Xbox, they get > hijacked for things like DRM and privacy invasion). > Cryptography provides authentication and integrity. It does not provide authorization, nor does it provide protection against bugs. Your suggested approach -- better OS and better crypto -- is exactly what's failed for the last 25 years. If you included all applications as part of the OS, you'd be right -- except that it isn't possible to secure such a code base. References: http://www.csl.sri.com/users/neumann/insiderisks06.html#196 http://www.cs.columbia.edu/~smb/papers/sub-browser.pdf http://vx.netlux.org/lib/vtd01.html http://homes.cerias.purdue.edu/~spaf/tech-reps/823.pdf --Steve Bellovin, http://www.cs.columbia.edu/~smb --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]