Date: Tue, 28 Oct 2003 11:29:10 -0800
From: Johnson David <DavidJohnson@Siemens.com>
To: advocacy@freebsd.org
Subject: Re: Friendly and Secure Desktop Operating System
Message-ID: <200310281129.10669.DavidJohnson@Siemens.com>
In-Reply-To: <200310281533.26611.dgw@liwest.at>
References: <200310281533.26611.dgw@liwest.at>
On Tuesday 28 October 2003 07:33 am, Daniela wrote:
> Found this link today, I thought it might be an interesting thing to
> discuss: http://irccrew.org/~cras/security/friendly-secure-os.html

"Disclaimer: I haven't done any research on this area."

Oh wonderful! This guy doesn't even know the problem domain, yet he's throwing out solutions.

I'm currently reading "Secure Coding", because at least I know enough to know that I don't know very much. This book should be required reading for anyone working with software, from requirements analysis to QA, and everyone in between.

One of the points I've gotten out of the book is that some of the worst security problems arise not from coding, but from architecture and design. What he's talking about in his article is design. Just like bugs, the earlier they're introduced in the development process, the worse they are.

The reason that security problems introduced during design are so bad is that they're based on erroneous or incomplete assumptions, around which everything else is organized. Most of these assumptions seem quite sensible to most people. Here's one from the book: "When a TCP packet has the SYN bit set, it means that the sender wants to establish a connection". This assumption was at the heart of the SYN-ACK DoS attacks of a few years ago.

Here's a classic mis-assumption of his: "What you'd need to be able to run any software securely is to run it in a complete sandbox." Although this isn't a bad idea, it completely ignores a whole class of security issues, namely, denial of service.

Here's another: "Word Processors... No privileges needed." Those who ignore the lessons of history are doomed to repeat them.

And a really bad one from his discussion: "Also note that I believe it would be possible to implement this in relatively short time on top of some existing UNIX system and maybe KDE or GNOME as the user interface." Security is not something that gets slapped on as an afterthought.

To sum this up, I think this author needs to stop pontificating, and start educating himself in the problem domain. No operating system was ever designed to be explicitly insecure. Not even Windows. He needs to learn from the mistakes of others, before he starts advocating mistakes of his own.

p.s. Not all of his proposals are bad. Heck, most of them are good. But I would very much like to see how he would rewrite his article after doing some research in this area.

David
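The SYN assumption David quotes from the book, modelled as an added example (constructed for this archive page, not code from the thread or the book): a listener that allocates half-open state for every SYN has a fixed-size table that abandoned handshakes fill up, while a simplified SYN-cookie design stores nothing until the peer proves it received the SYN-ACK. Table size, addresses and the HMAC key are constructed values.

```python
import hashlib
import hmac

BACKLOG = 8  # constructed: size of the half-open (SYN_RECV) table


class StatefulListener:
    """Naive design: allocate half-open state for every SYN, then wait for the ACK."""
    def __init__(self, backlog=BACKLOG):
        self.backlog, self.half_open, self.established = backlog, set(), set()

    def on_syn(self, src):
        if len(self.half_open) >= self.backlog:
            return "dropped"  # table full: every new client is refused
        self.half_open.add(src)
        return "syn-ack"

    def on_ack(self, src):
        if src not in self.half_open:
            return "rst"
        self.half_open.discard(src)
        self.established.add(src)
        return "established"


class CookieListener:
    """SYN-cookie style (simplified): the SYN-ACK carries a MAC of the peer
    address and nothing is stored until the peer echoes it in its ACK."""
    def __init__(self, key):
        self.key, self.established = key, set()

    def cookie(self, src):
        msg = f"{src[0]}:{src[1]}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).digest()[:4]

    def on_syn(self, src):
        return "syn-ack", self.cookie(src)  # no state allocated

    def on_ack(self, src, echoed):
        if not hmac.compare_digest(echoed, self.cookie(src)):
            return "rst"
        self.established.add(src)
        return "established"


def simulate(unanswered_syns=20):
    # Many SYNs that never complete, then one genuine handshake; returns what
    # each design answers the genuine client.
    naive, cookie = StatefulListener(), CookieListener(b"constructed-key")
    for i in range(unanswered_syns):  # constructed: abandoned handshakes
        src = ("10.0.0.1", 40000 + i)
        naive.on_syn(src)
        cookie.on_syn(src)
    legit = ("192.0.2.10", 51515)
    _, c = cookie.on_syn(legit)
    return naive.on_syn(legit), cookie.on_ack(legit, c)
```

Real SYN cookies also encode the MSS and a timestamp in the sequence number; the model keeps only the part that matters for the design point, that state is committed after the third packet rather than the first.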