Operating systems, the security silver bullet

Hello,

Been thinking about this since a chat a while back, and it occurs to me that anti virus, IDS, IPS, firewalls et al...are really just band aids for the fact that the majority of operating systems do not really afford any great deal of security (this is not a Windows v Nix arguement, so lets not have another one).

Kernels have grown larger, everything but the kicthen sink is now in them, systems seem to require more and more services to run, and switching of a few of these will often result in one app or another worker.

So, as a result of this we have the continous arms race of attackers v defenders, viruses become widespread so we get anti viruses, operating systems have little control of the way they interact with network traffic so we have firewalls, and so on, each weakness is exploited, and for each exploit a security product is released, so we seem to be in this never ending cycle.

Now, there is of course the arguement regarding admins locking down systems etc.... but then if we all locked down our boxes who would have email? websites? application servers etc.... so system admins are forced to have boxes running services that can be compromised.

Now, it occurs to me that surely the only way to ever really fix this is to address the core technical issue (as we are unlikely to make everyone be nice to each other and stop people trying to hack/crack) which is the OS. If we can have Operating systems that have smaller kernels (you should not be able to break a system via the installation of a printer driver), real network controls (i.e. only accept traffic that meets certain requirements), are truly modular, and have security built in from the start, then surely we can eliminate the target of all the nasty things out there and so remove the need to be continually spending money on security devices which will can ultimately be defeated.

Until we have OS that operate securely we are going to be screwed (remember, everyone needs to be safe, not just the technical savvy users and the corps with unlimted funds).

Thoughts anyone? I think the closest we have to this in the current client/server environment is the BSD family, but any corrections will be welcome.

A Kernel can save but the service that runs on top of it can be unsafe. You need to learn into elevate right exploit. Those are not kernel flaws but service flaws that run on top of the kernel. Don't forget that perfect code doesn't exist because the code are written by human and human are not perfect.

The Internet and computer world is like the Far West. It's free for all. It's new in the evolution of mankind. We did error and we'll continue making error using technology at the same rate we learn from those error. Don't forget that computer security and the Internet technology are very new. They barely have 12 years old of making error and learning from them. Give it some time for those technology to grow.

Quote:

---

Now, there is of course the arguement regarding admins locking down systems etc.... but then if we all locked down our boxes who would have email? websites? application servers etc.... so system admins are forced to have boxes running services that can be compromised.

---

Who says that a locked down box (better to use the term "hardened") cannot be a useful box? Just because a service is running doesn't mean that it will be compromised. Yes, there is the risk. There are a lot of risks out there and we'll never eliminate them all but if we mitigate them (make it damn fcking hard for the script kiddies et al.), then we've made our own lives easier.

Look at the non-computer world and banks. Banks leave their doors open and have a very personable attitude towards customers. If they went your route, we'd never have a "safe" place to store our money. There is a risk that it could be robbed but they've put in safeguards (aka bandaids) to mitigate that risk. Hence, the system still seems to work.

Quote:

---

Until we have OS that operate securely we are going to be screwed (remember, everyone needs to be safe, not just the technical savvy users and the corps with unlimted funds).

Thoughts anyone? I think the closest we have to this in the current client/server environment is the BSD family, but any corrections will be welcome.

---

The question I'd be asking you is should we be relying solely on technology for the security of our networks, computer systems, etc. or should we be encouraging (teaching and educating) earlier on? Since so many kids today are "connected" would it not make sense to educate them on how to properly use the tools that they are given, rather than let them poke around.

I do agree with SDK in that the Internet and computer technology is still a relatively new concept (compared to many others around, say the car or radio). How that technology affects society and how people find new ways to use it (for both good and bad) is changing probably faster than we can deal with right now. As the society as a whole becomes more and more computer savvy (less Baby Boomers and more Gen Xers, Gen Yers, etc.), we'll probably see a shift in how secure the environment is (I can only hope and believe in this concept, although I suspect reality might be different).

I'd rather put my faith in securing the technology because of two reasons.

1) We can harden the technology, making it do whatever we want, and hence making it safer to use and more secure. We need to get off the bandwagon of backwards-compatibility, which opens all kinds of problems, and aim more for future expansion.

2) I've given up on educating people or businesses or whatever simply based on the fact that 90% of them don't want to learn, don't care to learn, and aren't going to remember anything you tell them, no matter how dangerous something they did may be. The rare 1% that does listen I go out of my way for, but the other 99% only want their compaq/dell/gateway to run faster and are all surprised when it's trojan-ridden, virus-laden, spyware-infested and finally dumps. There should be a written test that has to be passed before anyone gets to a keyboard.

I can harden the code I write, no matter how insecure the language. I cannot change the mind of a useless slacktard who refuses to do anything that takes away their convenience.

Quote:

---

Originally posted here by R0n1n
...
Now, it occurs to me that surely the only way to ever really fix this is to address the core technical issue (as we are unlikely to make everyone be nice to each other and stop people trying to hack/crack) which is the OS. If we can have Operating systems that have smaller kernels (you should not be able to break a system via the installation of a printer driver), real network controls (i.e. only accept traffic that meets certain requirements), are truly modular, and have security built in from the start, then surely we can eliminate the target of all the nasty things out there and so remove the need to be continually spending money on security devices which will can ultimately be defeated.
...

---

This similar to the chicken/egg conundrum. Secure by default? Until someone finds a vulnerability. Then you're looking for a way to plug that. Then someone finds another. You get that plugged. Then you get a new version. Yeah, that takes care of the vulnerabilities. And, introduces a few more that no one ever dreamed would be a problem. Then there is the user that doesn't know any better and opens a huge hole in your network.

Vigilance and dedication. Mitigating and accepting risk. Late nights and weekends. That's what we're all about.

Quote:

---

Vigilance and dedication. Mitigating and accepting risk. Late nights and weekends. That's what we're all about.

---

If that isn't the single best line I've ever read that has so efficiently and correctly labeled our positions....

Thanks for the answers, although I do disagree with a few of them. I think that we must accept that we are never going to be able to educate all the users, as all the users (in order to truly stop the spread viruses etc...)needs to be everyone - home and business users,which I feelis just not possible.

I guess what I am trying to get at is that if we make OS's more secure by default then surely that goes a great way to helping us out from a security perspective.

Yes MMittens a hardened box can indeed be secure, but applying the NSA requirements to a users workstation tends to make it fairly unusable to anyone other then someone who just likes to use word, its fine for locking down servers but we need security across the board.

And yes, humans are not perfect and are the ones who write the code, but surely if the uderlying structure was more secure then the affect of this could be alleviated somewhat? Yes there is likely to always be some kind of exploitable hole, but the current state of OS just begs for these things (Attacking a web browser, I think, should not lead to an OS being compromised, nor should opening a jpeg...) . So lets have an OS that really has security built into it, which would seem to require a shift away from what we currently have.

Yes we have to work weekends and nights, but wouldn`t it be nice if this was not always the case? I think having a bit more time to spend away from work might be a nice thing... and the internet and computer security are indeed fairly new, but the security principles/risks/threats are similar to those that have been around for a long time, it wouldjust be nice if for once we could learn from the past, rather then providing people with their very own Maginot lines (and yes, I admit that making a country secure by default is tricky, so the maginot line may not be the best analogy, but hopefully you get the idea).

Quote:

---

Yes we have to work weekends and nights, but wouldn`t it be nice if this was not always the case? I think having a bit more time to spend away from work might be a nice thing... and the internet and computer security are indeed fairly new, but the security principles/risks/threats are similar to those that have been around for a long time, it wouldjust be nice if for once we could learn from the past,

---

Good luck. If people learned from the past we wouldn't have robbers who are "career felons", war, famine, disease, etc. As long as the human element is there, no matter how well built a system is or how "secure" we think it is, someone, somewhere will find their way in.

Granted we are holding our breath over IPv6 and when it makes it's big appearance on the scene, widespread (I remember hearing in the late 1990s that it'll take about 10-15 years before it becomes the Internet standard). IPv6 might fix some of the problems but I still believe that as long as there is a human using the machine and that machine has flexibility to allow them to use whatever they want, then there will always be security risks that admins will have to deal with.

Quote:

---

We need to get off the bandwagon of backwards-compatibility, which opens all kinds of problems, and aim more for future expansion.

---

Vorlin, although I agree that backward-compability causes a lot of problem, i cant see a system without that. Most of "commercial-success" are based on backward-compability, where i can run my favorite game "Day of the Tentacle" on a prescott runninng Windows XP :) or i can run a cobol program, written in 1960 on current IBM Mainframe (about 40 years of backward compatibility). Companies simply dont want to rewrite all on every "new version". Period.
But IMO i think that most of the problems about security rely on:

a) bad coding quality -- companies "rush" do deploy new versions without the proper code quality analysis. MS may fit on this category, for example, in spite of the huge effort to change this behavior.

b) spread of computing systems to regular users (a.k.a. dumb guys) -- in the glory days (ive entered on IT market on those days) only "experts" could use computers. Now anyone can. But computer didnt change to a easier form for use; in fact, systems are continuing to become more complex --- but regular users simply cant follow the technology -- cars, dvd, cell phones, computers -- its a mystery for most of the ppl -

R0n1n, Most of O.S. are good enough (in the security area) nowadays. The problem is: ppl dont want O.Ses, they want APPLICATIONS. And the applications coders guys (as in your example, internet explorer) simpply dont care about security. They want to deploy FEATURES, NEW THINGS. So they open breachs on their applications, using O.S. features in a wrong way and compromise the entire system.

We, poor security officers, just patch that breaches and TRY to avoid that the application coders introduce new ones. Most of the time we just react, sometimes we can be proactive. :)

I agree, cacosapo, that bad code is a major flaw because of the rushing that goes on, but that's inherently to be blamed by the wrong group heading them up, and that's management. Management isn't concerned with "security" moreso they are numbers and that's a problem. In any project I've been part of where we had more say than they did, things went right but the minute some dumbass project "manager" had their say, **** got broke left and right, we had problems with early releases, etc etc...but they got their numbers, right? Stop letting people who're incentive-driven (like "Get this project done before this and get this bonus") lead the charge...that's one method to help prevent catastrophes.