Friendly and Secure Desktop Operating System
DavidJohnson at Siemens.com
Tue Oct 28 11:30:49 PST 2003
On Tuesday 28 October 2003 07:33 am, Daniela wrote:
> Found this link today, I thought it might be an interesting thing to
> discuss: http://irccrew.org/~cras/security/friendly-secure-os.html
"Disclaimer: I haven't done any research on this area."
Oh wonderful! This guy doesn't even know the problem domain, yet he's
throwing out solutions. I'm currently reading "Secure Coding", because
at least I know enough to know that I don't know very much. This book
should be required reading for anyone working with software, from
requirements analysis to QA, and everyone in between.
One of the points I've gotten out of the book is that some of the worst
security problems arise not from coding, but from architecture and
design. What he's talking about in his article is design. Just like
bugs, the earlier they're introduced in the development process, the
worse they are.
The reason that security problems introduced during design are so bad,
is that they're based on erroneous or incomplete assumptions, around
which everything else is organized. Most of these assumptions seem
quite sensible to most people. Here's one from the book, "When a TCP
packet has the SYN bit set, it means that the sender wants to establish
a connection". This assumption was at the heart of the SYN-ACK DoS
attacks of a few years ago.
Here's a classic mis-assumption of his: "What you'd need to be able to
run any software securely is to run it in a complete sandbox." Although
this isn't a bad idea, it completely ignores a whole class of security
issues, namely, denial of service.
Here's another: "Word Processors... No privileges needed." Those who
ignore the lessons of history are doomed to repeat them.
And a really bad one from his discussion: "Also note that I believe it
would be possible to implement this in relatively short time on top of
some existing UNIX system and maybe KDE or GNOME as the user
interface." Security is not something that gets slapped on as an
To sum this up, I think this author needs to stop pontificating, and
start educating himself in the problem domain. No operating system was
ever designed to be explicitly insecure. Not even Windows. He needs to
learn from the mistakes of others, before he starts advocating mistakes
of his own.
p.s. Not all of his proposals are bad. Heck, most of them are good. But
I would very much like to see how he would rewrite his article after doing
some research in this area.
More information about the freebsd-advocacy