Schneier on Security

Nick P • November 11, 2015 3:01 PM

@ Anura

It would be nice and I’ve encouraged them to do the same. They did at least fund commercial and academic development of high assurance security back during Orange Book days. They still fund a lot in academia with prototypes sometimes released for public use. However, a lot of it gets locked up in spin-off companies or patents due to greedy universities. Europe’s recent attempt, a similar demonstrator, was Verisoft. It produced a verified instruction set, compiler, microkernel, small OS, and some applications with top-to-bottom correctness argument. U.S. projects like crash-safe.org and U.K.’s CHERI team are doing something similar with clever mechanisms.

I doubt it will happen in general, though. That’s despite it being one of the best routes to better infrastructure. Besides, it probably would turn into another corrupt form of spending benefiting contractors paying bribes. 😉

@ Earl Boebert

You’re definitely onto something. As I pointed out here, hardware of the past was configured to protect key primitives with plenty of efficiency. The part your off on is putting it on Intel. It was actually the markets themselves that demanded the insecure constructions we have today. They also punished most companies that dared fight against it, including Intel.

It started with computers being so expensive. The originals were just calculating machines you may remember. The IBM System/360 and Burroughs B5000 were both designed around the same time to define business computing. Burroughs had a great architecture for security for its time, even better than today’s in critical ways. Businesses demanded these machines get faster, get cheaper, and maintain backward compatibility. The way to do it, as Brian Snow sagely observed in first link, was to share as many physical resources as possible (defeating isolation). The other side effect was removing bottlenecks the market didn’t care about (eg safety protections) while differentiating on hardware by accelerating what they were using (eg see mainframe & x86 chip family). The result was a strong, consistent push away from secure chips/OS’s and toward cheaper, faster stuff compatible with insecure constructions they were building.

To their credit, both Intel and IBM tried to break the cycle to create more robust architectures. Comp Sci had already figured out by the late 70’s that large software demanded languages suited for safety/maintenance, mechanisms for isolating faults, protection of key OS software, and so on. IBM’s answer was two-fold: tells customers to continue spending money on profitable mainframes (haha); buy a revoluationary System/38 otherwise and/or for branch offices. That succeeded thanks to compatibility with IBM stuff and overall great design. True to my meme, market push for “faster and cheaper” led them to remove capability-secure hardware in place of POWER architecture in the successor called AS/400. Still around as IBM i. So, it’s the only successful capability architecture in business and proves the future-proofing approach described in the link.

Intel wasn’t so lucky: iAPX 432, while brilliant, failed in the market despite 100 man-years of work invested. The chip was too slow due to its complexity & process node limitations of the time. Subsequent papers showed design alterations could’ve knocked out many of those delays but too little too late. Also refused backwards compatibility with prior processors, language, and OS in an attempt to use only most robust and maintainable components. Sold almost nothing and market canned it. Intel still wasn’t done, though.

Next was BiiN with Siemens. It was a simplified iAPX 432 for parallel and fault-tolerant processing with RISC processor. Market rejected it, too, at around $1 billion loss. That’s despite i960 CPU having a nice combo of simplicity, speed, fine-grained isolation, support for prior OS’s/langs, fault-tolerance, and lockstep. Personally, I think they should revamp it and push it more for safety-critical embedded which it had successes in. See BiiN Architecture Reference Manual in External Links of i960 if you’re interested in its features. Still supported for legacy apps and by Green Hills tools IIRC due to use in F-35, etc.

Next they tried a straight, UNIX/Win/C/C++-compatible, RISC chip. That was Itanium. Biggest failure was the gamble on VLIW, which didn’t pay off. Otherwise, though, it got rid of lots of x86 baggage, let you map any model to it given it was RISC + tons of registers, and still had good extensions for security. They got buy-in from top names in databases, supercomputers, legacy UNIX’s, and so on. Although Secure64 built a secure OS on it, market as a whole rejected it in favor of Xeon’s that sped up legacy x86 while maintaining most of its problems. Cost was at least $300+ million but probably more than they said.

Conclusion: Intel has probably invested more into alternative, safer architectures than any other company. Market consistently rejects them for the same reasons of resisting change, fastest, and cheapest. The best bet at this point are modifications to a legacy ISA that let one run and protect legacy applications while using better methods on new projects or individual components. There’s a lot of work in that such as CHERI or Hardbound. For clean-slate, architectures like SAFE or SSP have strong advantages. Waiting on industry adoption. They’re not eager to repeat Intel’s mistakes, though. 🙁

@ Daniel

“If the kernel bug is detected”

Most people that build kernel bugs don’t design them to be detected. People weren’t even sure NSA was bypassing or breaching Linux kernel until leaks said so. Enough said. TAILS also doesn’t have a good track record with quite a researchers finding problems without a huge investment in time or money.

@ jdgalt

“Where can I get Spengler’s improvements?”

grsecurity has been available and improved on for some time. Enjoy!

@ Fazal

“The only OS that has ever been validated using formal methods is the seL4 microkernel”

There were actually many OS’s validated using formal methods back in Orange Book days. They usually stoped at the design but had a near 1-to-1 correspondence with source code functions. PSOS got the trend started IIRC. GEMSOS (see sections 4, 6, 7, 8) and LOCK are also good examples. The VAMOS microkernel of Europe’s Verisoft project was formally verified for correctness at code and assembler level with model-based proof and simulation. seL4’s contribution was using full, theorem-prover approach to verify correspondence of a high-level design (Haskell), a low-level implementation (C), compiled representation, a security policy, and correctness criteria. A major achievement that exceeds EAL7 requirements on development but plenty was certainly done before it.

“As for government design, in the post-Snowden era that would automatically disqualify the OS for consideration.”

They’d be fools to do so. What matters is being able to review the design and its assurance argument. Most methods for high security were invented with U.S. military or government funding. Governments here (U.S.) and abroad have been main sponsors of every improvement computer scientists have made. Origin doesn’t matter so much as ability to vet the proposal or product for security. I’m for one grateful to U.S. government and even NSA for what good work they did in the past and are still doing (eg DARPA, NSF, even NSA a tiny bit).

All the crap on the SIGINT side? Yeah, I’d be fine with that all going away. It’s why I evangelize highly-assured INFOSEC instead of crap like Linux, Windows, C/C++, x86 that makes their job easier. Funny how much anti-NSA side leverages what aids their enemies. 😉

“I use OpenBSD for my firewalls and Illumos for app servers. ”

Smart move if one is worried about kernel 0-days. They probably have the least.

@ Jack Dodds, Tom Bortels

“What the critics are complaining about is that Linus Torvalds will not use his influence to promote their code. That is, they want Torvalds to use his own reputation to sell what they can’t sell on its merits.”

It has been done many times with merits proven plenty. Linux and some distro’s even occasionally adopted methods those teams pioneered. Mostly, they ignore them and tell them to get lost while letting the 0-days pile up.

Meanwhile, many teams in academia keep producing ways to secure kernels like Linux with little takeup and even report 0-days they find with static analysis tools. Lots of 0-days. They take and fix those but no change in proactive approach leveraging such things. Linus and Linux community, outside security-focused distro’s, don’t care about security in practice. They actively fight it even if one forks and codes up an improvement.

Clive explained what happens well above and we’ve seen lots of companies/projects tank from such forces. I think a handful remain that are mostly disconnected from core Linux.

@ Doug Coulter

re cheesy software on kernel being big problem

That’s true that the reporting wrongly ties the kernel with poorly-written apps on top of it. That’s unjustified. However, the kernel has had plenty of CVE’s that were easily prevented by diligence and nation-states currently have attacks on it. So, it’s worthy of its own criticism.

re security of other software

“Yet even this site has members who want someone else to provide huge inputs that cost money to harden what’s already essentially the hardest part”

I’d rather toss it but they won’t do that. 😉 It’s not an either or situation, though.

The kernel is the main part of the TCB with 0-days that can bypass everything unlike user-mode which can be contained with MAC, compiler transformations, jails, etc. Assurance argument requires they… anyway they can… dramatically improve assurance of kernel and drivers if not isolate those components away w/ microkernel architecture. In parallel, people can work on the other components which have all kinds of problems as you said & are frankly easier to improve than OS kernels. There’s actually a ton of work on both in Comp Sci with stuff regularly submitted to Linux (Saturn team alone found 100+ bugs) and published for OSS to use/improve (see SAFEcode, Softbound + CETS, Code-Pointer Integrity). Little uptake by either despite tools getting easier and easier to use… even automatic. Overhead is lower than ever, too, even though significant.

” Adobe flaws”

I do agree that much of low-hanging fruit is in user-space with desparate need for work. Adobe is an interesting example, though, that illustrates resistance we face on major software instead of toy, FOSS projects.

Just getting Adobe’s stuff into Linux distros was an uphill battle. I can only imagine the difficultly of (a) convincing them to rewrite their stuff in a way we prove is better or (b) a clean-slate implementation that’s backward compatible, OSS, and uses modern security tech. However, we both know hackers love to cheat around obstacles: many teams developed methods that protect binaries like control-flow integrity that they applied to versions of Adobe software much like they did for Linux. They showed how they stopped or contained real vulnerabilities or attack classes. Neither Adobe nor Linux have adopted or cloned such methods unless the Adobe sandbox is one of them. Results suggest it’s not or they chose unwisely. No push from FOSS community on this outside requests for basic sandboxing.

Not sure if it’s a demand or volunteer problem for stuff like this. Been blaming demand so far.

@ Anoni

“One more point: If Linux is so insecure, why do I constantly read about bugs in Windows but almost never in Linux?”

Because you’re probably reading media outlets with either a pro-Linux bias or whose desktop OS market has around 90% Windows boxes with attacker focus that follows. Nonetheless, post-SDL & hacks of NT/2000 days, Windows has a record low of 0-days being discovered due to combination of quality improvements and most low-hanging fruit gone. Although I prefer Linux, the CVE’s and reports from bug hunters show thousands of flaws discovered that might have resulted in code execution. By 2015, NVD’s numbers showed Windows was ahead in vulnerability metrics (38 WinServer vs 119 Linux kernel).

They’re both monoliths with MB in kernel code written in unsafe languages, though. So, they’re both bad designs. It’s why they need to apply the best vulnerability mitigation tech possible to it or replace with with more secure architecture. I’ve given examples above. Two more for fun. See how one side tries to make security & reliability easy by default while the other makes it hard even for elite developers? Monoliths (and Linux) refuse to join the former camp.

Nick P • November 12, 2015 2:01 PM

Real, security advantages of popular OSS such as BSD or Linux

1. Source code is inspectable and modifiable. Contrary to wide believe, this provides no immediate advantage whatsoever to security. What it represents is potential that can be realized when someone steps up to review, improve, or extend that source. That potential is still a real benefit given it’s the foundation for others.
2. Many eyes argument as applied to debugging. Users spotting problems might submit detailed bug reports. With both source and those, these problems might be fixed at a faster rate than others. Many eyes might fail for security in general but it’s especially effective here. Any potential vulnerability that is also a user-visible bug might get it noticed and fixed. Past that, OSS track record isn’t much different from commercial in terms of quality.
3. Widespread hardware support. Enemies target specific code on a specific ISA. That code might be an app, the OS, drivers, or firmware. I advocate taking advantage of this by Security via Diversity and Security via Obfuscation. With diversity, a problem in one implementation of a standard (eg SSL, POSIX) kernel might not be in another. Diverse hardware/software combo’s can reduce risk as such. Further, everyone using one combo (eg Win/x86/ARM) creates a monoculture that lets one attack work on all with no further investigation or work. Obfuscating what you’re using while picking among many hardware/software combo’s increases odds that their attack (a) won’t work or (b) will be detected as unusual crashes or network activity. So, the portable and OSS systems have an advantage here.
4. Control over kernel and user-land attack surface. Solutions such as Windows Embedded do let one strip out much of what they don’t need. However, they control the cut-off point for that in terms of what’s visible and what’s achievable with reasonable resources. Projects like Linux From Scratch, kernel config tools, and Poly2 take advantage of OSS’s potential by (a) letting you strip unneeded kernel functions and (b) letting you decided exactly what you want above it. This can dramatically reduce number of 0-days in the system along with providing early warning signs of attack when non-existent functions get called and sound alarms instead of activate.

5. Ability to harden kernel against attack. The best security approaches usually require the source to provide the best balance of protection, compatibility, and performance. Unsurprising that many academics, individuals, and companies have modified OSS software to improve its security. These included everything from compiler transformations to hardware-based security to mandatory access controls. As stated above, these rarely go anywhere and OSS projects often fight against them. Nonetheless, the potential exists and occasionally works out in practice in a way that closed-source, legacy OS’s virtually never deliver.

6. Easier re-engineering of existing software. On top of “many eyes for debugging,” Eric Raymond also identified another benefit of OSS that comes from its nature. Most features start out as an itch someone wanted to scratch for their own needs or fun. Lots of those means tons of code out there at varying stages of completion. Like ESR did, the next developer is likely to get ahead further in OSS by having a good starting point forking a prior project. That let’s one avoid many unknowns the project might have already tackled. Further, many complete and document projects will exist for other needs that might simply be re-engineered for security/quality. Many automated tools exist as I listed in my first post.

7. All of this can happen with less risk of lawsuits. The standard OSS licenses eliminate the kind of liabilities that come with modifying or remarketing proprietary software. Groups like BSA are very likely to come after companies over licensing payments, even hiring informants. Use of OSS requires nothing at all with redistribution requiring no real burden in most licenses. Even GPL just requires release of source upon distribution. FSF usually issues warnings to violators rather than do highway robbery with legal teams. Overall, the legal risk of OSS w/ standard licenses is much lower than proprietary.

8. Support. Both companies and communities are more likely to support the effort. If it’s a major project, this can mean an increase in innovation, bugfixes, and even product/project-specific funding. The companies that offer paid support for these often deliver higher satisfaction to customers because the customers are their core business rather than an afterthought from licensing revenues. Nonetheless, the support level should be assessed on a project-by-project basis due to variances.

So, there are some concrete benefits of OSS over proprietary platforms. This includes, but is not limited to, Linux. They range from technical to legal to political. Anyone pushing OSS should focus on these real benefits instead those that don’t exist or misleading statements about competition. After all, who can argue against real concrete benefits. At this point, the discussion becomes one about which open-source approach is best suited to solving the problem at hand.

Hence, my analysis of Linux and its community against competiting approaches in terms of achieving its security objectives. That analysis showed problems all over with plenty of room for improvement. That causes me to call out Linus or the Linux community to recognize and respond to those issues. This isn’t to say Linux has no security benefit. It simply is nowhere near where it needs to be if people want to claim it’s secure against even skilled blackhats. Much less nation states. It’s on them to get it there given other projects and products have already amply shown how to do that. Linux community so far is simply unwilling to take those steps.

Nick P • November 12, 2015 4:25 PM

@ Grauhut

Oh definitely many leaks in the newest ones and for who knows what nefarious reasons. I always told people the character of an organization is very important. Microsoft, IBM, Oracle… all organizations of poor character known to abuse or exploit their users in inexcusable ways. Many were stuck with Windows so I just told them to use Windows 7 with certain stripping, hardening, and other security advice. Otherwise, alternative desktop OS’s are good enough for business is one is using portable apps. Specific Linux desktops on pre-tested hardware are a much better deal. I plan to investigate PC-BSD soon, as well.

The safest bet, if 0-days are the concern, is probably an OpenBSD-based desktop with most minimal and security-focused components on top. Linux is simply too inclusive, fast-moving, and focused on features to maintain code security required. In effect, they and Google’s Android are becoming the new Microsoft in the two categories. History repeats.

Least there’s new projects starting from the kernel up with much better TCB’s and odds of damage containment. Hopefully they get some momentum.

Nick P • November 12, 2015 5:36 PM

@ Dirk Praet

Holy crap, I didn’t know it was that bad! Gotta love all of those that say it nets root, requires no real access ahead of time, and compromises every part of CIA triad. Must have been seriously complex stuff nobody could’ve prevented with code audits, compiler transforms, or a safer language w/ checks on. (looks closely) No bounds check, “multiple integer overflows,” “buffer overflow”… oh dear, it’s the low-hanging fruit that’s been preventable for over a decade.

I’ve seen secure coding and… that… ain’t… it…

Nick P • November 14, 2015 9:22 AM

@ Grauhut

Ahh, that makes more sense. The Z400 has CPU specs that should be fine with any vanilla BSD or Linux unless doing heavy stuff. Nice evaluation strategy, too. People taught me over a decade ago that trying to benchmark on old hardware is a good indicator of efficiency and robustness.

Another reason to collect junkers. Got Core Duo’s, P4’s, “Athlon-XP’s,” PPC G4’s… all in varying states of usability to be sure. Worst case I use them for burn out runs of input validation, compilation, password cracking, whatever. Better a shit box die than a good one.

Note: You could squeeze even more efficiency out of your setups if you went back a little further with a PA-RISC, HP 9000. 😉

@ Figureitout

Yeah embedded and browsers are good examples. Especially browsers. IIRC, Google’s GWT was originally made to try to smooth over the differences between browsers. It wasn’t smooth haha. There’s 4GL’s and stuff doing a lot better now. Yet, it’s still a nightmare. I’m sure Microsoft’s EDGE work will add to the fun.

@ Clive Robinson

That puts us in more agreement then. 🙂