Friendly and Secure Desktop Operating System

Johnson David DavidJohnson at Siemens.com
Tue Oct 28 11:30:49 PST 2003 

On Tuesday 28 October 2003 07:33 am, Daniela wrote:
> Found this link today, I thought it might be an interesting thing to
> discuss: http://irccrew.org/~cras/security/friendly-secure-os.html

"Disclaimer: I haven't done any research on this area."

Oh wonderful! This guy doesn't even know the problem domain, yet he's 
throwing out solutions. I'm currently reading "Secure Coding", because 
at least I know enough to know that I don't know very much. This book 
should be required reading for anyone working with software, from 
requirements analysis to QA, and everyone in between.

One of the points I've gotten out of the book is that some of the worst 
security problems arise not from coding, but from architecture and 
design. What he's talking about in his article is design. Just like 
bugs, the earlier they're introduced in the development process, the 
worse they are.

The reason that security problems introduced during design are so bad, 
is that they're based on erroneous or incomplete assumptions, around 
which everything else is organized. Most of these assumptions seem 
quite sensible to most people. Here's one from the book, "When a TCP 
packet has the SYN bit set, it means that the sender wants to establish 
a connection". This assumption was at the heart of the SYN-ACK DoS 
attacks of a few years ago.

Here's a classic mis-assumption of his: "What you'd need to be able to 
run any software securely is to run it in a complete sandbox." Although 
this isn't a bad idea, is completely ignores a whole class of security 
issues, namely, denial of service.

Here's another: "Word Processors... No privileges needed." Those who 
ignore the lessons of history are doomed to repeat them.

And a really bad one from his discussion: "Also note that I believe it 
would be possible to implement this in relatively short time on top of 
some existing UNIX system and maybe KDE or GNOME as the user 
interface." Security is not something that gets slapped on as an 
afterthought.

To sum this up, I think this author needs to stop pontificating, and 
start educating himself in the problem domain. No operating system was 
ever designed to be explicitly insecure. Not even Windows. He needs to 
learn from the mistakes of others, before he starts advocating mistakes 
of his own.

p.s. Not all of his proposals are bad. Heck, most of them are good. But 
I would very like to see how he would rewrite his article after doing 
some research in this area.

David

More information about the freebsd-advocacy mailing list