Peter da Silva (peter@ABBNM.COM)
Thu, 7 Oct 1999 02:25:52 GMT
In article <199910041952.TAA23040@melona.complex.is>,
Vesselin Bontchev <bontchev@COMPLEX.IS> wrote:
> This problem cannot be resolved in a secure way. Sure, the program could
> keep its config files encrypted. Sure, it can use some kind of checksum
> on them and check for unauthorized modifications. But the point is - an
> attacker can *always* circumvent that.
Actually, that's not true. The operating system can, step by step, prevent
any access that can lead to the virus patching any executable. You can draw on
any number of sources... start with the Burroughs A-series operating system
where only trusted programs could *create* an executable in the first place.
Any other program would be refused or (drawing from System V UNIX) cause the
OS to remove privileges necessary to execute from that program. Another step
back, you can limit writing to executables to a software installation *mode*
that requires you to drop out of normal program execution (like the 4.4BSD
security levels). For software installation, you can use cryptographic
authentication. Microsoft can require that software vendors be bonded before
being provided keys.
Each step makes the system less convenient to use, but more secure. And yes,
you could devise more and more complex schemes for getting around these
restrictions... but long before you reach the "screaming with agony because
the security sucks so badly" stage you've made virus propagation so slow it's
simply not interesting.
Just preventing writes to shared executables when you don't have special
"installation" privileges enabled... and only letting those be enabled through
the secure escape sequence (Control-Alt-Delete)... and dumping any active
content mechanism that doesn't involve a sandbox... would turn viruses from
a major problem to a rare and occasional annoyance.
(The presumed Windows 2000 solution... having a watchdog that finds changed
files and puts them back... involves such a fundamental misunderstanding of
the underlying problem that I was completely stunned at the idea that anyone
would seriously contemplate it let alone implement it)
I agree, the application can't watch its own security, but the TCB can...
that's what the TCB's for.
--
In hoc signo hack, Peter da Silva <peter@baileynm.com>
`-_-' Ar rug tú barróg ar do mhactíre inniu?
'U` "You are trapped in a maze of screens and ssh sessions all alike."
"It is dark, and you are likely to log off the wrong account." -- Nep.
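The post above describes a policy rather than code. As an added example, not part of the original thread, here is a toy Python reference monitor modelling that policy: executables can only be created or rewritten in an "installation mode" that is entered solely through a trusted path, and an ordinary write to an executable is either refused (Burroughs-style) or allowed with the execute privilege stripped (the System V variant). All names (Monitor, File, simulate) are invented for the model.

```python
# Toy reference monitor for the write-to-executable policy in the post above.
# Added illustration only; names and behaviour are a model, not any real OS.
from dataclasses import dataclass, field


@dataclass
class File:
    data: bytes = b""
    executable: bool = False


@dataclass
class Monitor:
    policy: str = "refuse"       # "refuse" (Burroughs-style) or "strip" (SysV-style)
    install_mode: bool = False   # cf. lowering the 4.4BSD securelevel
    files: dict = field(default_factory=dict)

    def secure_attention(self, enable: bool) -> None:
        """Trusted path (the Control-Alt-Delete of the post): the only way to
        flip install mode. Untrusted programs never reach this in the model."""
        self.install_mode = enable

    def install(self, name: str, data: bytes) -> bool:
        """Create or replace an executable; only allowed in installation mode."""
        if not self.install_mode:
            return False
        self.files[name] = File(data, executable=True)
        return True

    def write(self, name: str, data: bytes) -> bool:
        """Ordinary write by an untrusted program."""
        f = self.files.setdefault(name, File())
        if f.executable and not self.install_mode:
            if self.policy == "refuse":
                return False              # write to a shared executable denied
            f.executable = False          # write allowed, but exec privilege removed
        f.data = data
        return True

    def execute(self, name: str) -> bool:
        f = self.files.get(name)
        return f is not None and f.executable


def simulate(policy: str) -> dict:
    """An untrusted program tries to patch a shared executable outside install mode."""
    m = Monitor(policy)
    m.secure_attention(True); m.install("shared.exe", b"legit"); m.secure_attention(False)
    written = m.write("shared.exe", b"modified")     # constructed sample write
    return {"written": written,
            "runs_after_write": m.execute("shared.exe"),
            "content_unchanged": m.files["shared.exe"].data == b"legit",
            "install_without_mode": m.install("other.exe", b"x")}
```

Under either policy the patched file cannot both be modified and still run, which is the property the post argues for; only the trusted path can change that.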
This archive was generated by hypermail 2.0b3 on Thu Oct 07 1999 - 14:52:40 CDT