Comments on: The End to Computer Viruses and Spyware

By: Dru

Dru — Fri, 08 Oct 2004 22:58:29 +0000

I agree with what you say, but you don't really give a great argument on the practicality front. I could emulate a 32 bit processor with an 8 bit, but why would I want to do that?

The same arguments can be made for avoiding MMU's and Security in hardware. If you think that everyone is going to just buy into a particular VM and expect that to work flawlessly, then your views of practicality are far from reality. The reality is that people can make that choice and they prefer the OS for enforcement than a language specific system.

On the capbability based system argument, I agree. Those systems are inherently more secure. I've studied those about 10 years ago. Unfortunately, they are also very inpractical. The key goal of my proposal was to introduce a practical system that can be deployed 'yesterday'. To this day, nobody has produced a shipping capability based OS that is ready for real use (even Eros)

In short, your systems would work, but they would require a massive reengineering effort to pull off. That will not happen in the next 5-10 years.

By: Julien Couvreur

Julien Couvreur — Thu, 07 Oct 2004 22:16:59 +0000

I have to disagree on a number of the points in your reply. I agree that NX is a good thing, and so was memory managment. But I disagree that it is required to build a secure system. You can have memory-safe systems without MMU (see http://www.cs.utah.edu/plt/publications/ismm04-wf.pdf ) and you can have safe executables without NX (see C#, E). In my opinion, the biggest problem with cert is that it is too much of an all or nothing, compared to capability-based security (like E, EROS,…). Because I trust Microsoft to write Notepad and Notepad is signed doesn’t mean that Notepad should have access to all my data, the network and my devices. That’s just because even though I trust Microsoft, Notepad may have a bug that makes it exploitable to do bad things. NX and MMU are good because they partition capabilities: a program can only access it’s own memory space, a program can only execute instructions in memory that is not flagged with NX… What we need is to introduce this partitionning at the software level. And just because it’s software doesn’t mean it won’t be secure enough, the same way the JVM and the .Net runtime can manage their own memory without needing help from a new memory handling chip. Why wait for hardware solutions to come tomorrow, when we should be investigating software solutions today?

Cheers,

By: Dru

Dru — Thu, 07 Oct 2004 18:29:07 +0000

Hi Julian, let me address your points.

Sorry about the 404.
It is a sign that the 'architects' out there are finally getting it with security. You need hardware to enforce proper execution. For example, where would we be without hardware memory management? We would have much more fragile systems without MMU's.
See above. Even with Type safe languages, they can be exploited. Also, if something can be done in hardware, then why not? It will 9 times out of 10 be faster than not.
Anybody is allowed to sign an executable, script, or macro if they have a trusted cert.

Data doesn't need to be signed since the hardware protection will stop that.

If the authorities actually respond to complaints then you will find that those certs will be revoked. Just like for SSL.

Sourceforge can sign your build for free.

On hydra, skynet, malware... I disagree. You will need to have trust systems to implement security. You trust Intel, so you run their processor don't you?

By: Julien Couvreur

Julien Couvreur — Sun, 26 Sep 2004 16:32:10 +0000

A couple of points: 1) Your contact page on bigunix is a 404 2) Why is the No-Execute the most interesting enhancement? 3) Why assume that you need hardware to create security architecture? The same way that you can build reliable systems on top of unreliable ones, you can have a new architecture built on top of the old one, although that needs to be carefully done. For example, C# and E are written using less secure languages. 4) Assuming a code signature scheme, who is allowed to sign executables? Do you sign scripts and macros? What if data can exploit a bug, does data need to be signed too? ActiveX are already signed but people already install some that they shouldn’t. 5) In the winners/losers list, you forgot to mention “Open Source” in the losers. Who’s paying to get the nightly builds signed?

I’d recommend watching Marc Stiegler’s SkyNet virus talk. You mentioned Hydra, a capability-based secure system, in my opionion capability-based programming languages and platforms have the most potential to fight this flood of malware that we’re seeing.

Cheers, Julien

By: Steve Dekorte

Steve Dekorte — Fri, 03 Sep 2004 21:24:58 +0000

The last time I looked into getting an SSL cert, it was just a matter of paying an expensive fee. I’m not sure how this ensures that software is virus free. If it’s just attaching a bank ID (and presuming the bank can locate the individual) then it may be useful in finding and prosecuting virus writers assuming 1. they are in a country with anti-virus laws 2. they’re software was not infected by someone else’s virus. Also, if certs are expensive, how do we prevent certs from effectively eliminating small shareware and freeware apps whose authors can’t afford such fees?

BTW, I like your article and think this is interesting stuff.

By: Dru

Dru — Thu, 02 Sep 2004 23:23:44 +0000

They could just use the same techniques that the Cert authorities use to authenticate SSL certs for web sites. There just has to be a barrier. Some may slip through, but that will be manageable and a world changing difference.

By: Steve Dekorte

Steve Dekorte — Thu, 02 Sep 2004 23:18:06 +0000

Hey Dru, How do software cert authorities know which code is safe to certify?