Microsoft’s Folly

May 26, 2005 by Ping

Adam Shostack mentioned the previous post (Hi, Adam!) and noted that Microsoft is “aggressively promoting” the myth that software is unconstrainable.  The first of their so-called Ten Immutable Laws of Security says

Law #1: If a bad guy can persuade you to run his program on your computer, it’s not your computer anymore.

Totally false.

The purpose of an operating system is to manage resources.  That necessarily includes limiting access to resources.  Enforcing the falsehood of Law #1 is a primary goal of operating systems and of computer security.
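As an added illustration of the point above (this is not code from the post): an operating system that does its job lets you run an untrusted program without surrendering the machine to it. The script below, written for this page, runs a constructed "greedy" program under kernel-enforced resource limits; the limit values, the helper names and the `/usr/bin:/bin` PATH are assumptions for the example.

```python
import os
import resource
import subprocess
import sys
import tempfile

# Added example (not from the post): confine an untrusted program the way an
# operating system is meant to, instead of handing it the whole machine.
# The limits are illustrative; a real policy would also drop privileges to an
# unprivileged account and use a sandbox or MAC facility on top of this.

MAX_FILE_BYTES = 64 * 1024   # the program may not grow a file beyond this
MAX_CPU_SECONDS = 2          # and may not burn CPU for longer than this

def _apply_limits():
    """Runs in the child just before exec(); the kernel enforces these."""
    resource.setrlimit(resource.RLIMIT_FSIZE, (MAX_FILE_BYTES, MAX_FILE_BYTES))
    resource.setrlimit(resource.RLIMIT_CPU, (MAX_CPU_SECONDS, MAX_CPU_SECONDS))

def run_confined(python_source, workdir):
    """Run untrusted Python source in `workdir` with a scrubbed environment
    and resource limits the program cannot raise. Returns CompletedProcess."""
    return subprocess.run(
        [sys.executable, "-c", python_source],
        cwd=workdir,
        env={"PATH": "/usr/bin:/bin"},     # no inherited secrets in the env
        capture_output=True,
        preexec_fn=_apply_limits,
        timeout=30,
    )

# Constructed "untrusted" program: tries to dump a 4 MiB file into the cwd.
GREEDY_WRITER = "open('loot.bin', 'wb').write(b'x' * (4 * 1024 * 1024))"

def demo():
    """Returns (exit_status, bytes_actually_written) for the greedy program."""
    with tempfile.TemporaryDirectory() as d:
        proc = run_confined(GREEDY_WRITER, d)
        path = os.path.join(d, "loot.bin")
        written = os.path.getsize(path) if os.path.exists(path) else 0
        return proc.returncode, written

def benign_ok():
    """A well-behaved program runs to completion under the same limits."""
    with tempfile.TemporaryDirectory() as d:
        return run_confined("print('hello')", d).returncode == 0

if __name__ == "__main__":
    status, written = demo()
    print(f"exit status {status}, {written} bytes written (cap {MAX_FILE_BYTES})")
```

The greedy program is stopped at the cap and exits with an error, while the benign one is unaffected: the program ran, but the computer stayed yours.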

Coincidentally, the explanation of this “Law” abuses the type of real-world analogy I recently described.

There’s a nice analogy between running a program and eating a sandwich.  If a stranger walked up to you and handed you a sandwich, would you eat it?  Probably not.  How about if your best friend gave you a sandwich?  Maybe you would, maybe you wouldn’t—it depends on whether she made it or found it lying in the street.

A sandwich is not like a computer program at all.  When you eat a sandwich, you are physically ingesting it and bringing its contents into your bloodstream.  There’s no reason that programs should be given that kind of pervasive authority by default.

The “Laws” were written by Scott Culp, the program manager of Microsoft’s Security Response Center.  They have been around for a while, and what a pompous title they have!  “Laws,” eh?  How magnanimous of Culp to decide that he should lay down the law.  And if calling them “laws” isn’t enough, he labels them “immutable,” as if lies can be made true merely by forceful assertion.  You could say that Windows is designed to make Law #1 true.  Indeed, things would be pretty nice for Microsoft if Law #1 were true, since it would allow them to escape a great deal of responsibility.

It’s disappointing that a security manager at the world’s largest operating system company is so badly misinformed about both operating systems and security.  Keep in mind, security is supposed to be Microsoft’s “highest priority”.

To be fair, according to Writing Secure Code (ISBN: 0-7356-1588-8) those “laws” were written midway through 2000. At the time, most of the general public were running Win9x, and in Win9x that assertion IS basically true. Further, in practice, even though people are now running Win2k/XP, they tend to run with administrative privileges, so, the assertion tends to remain true.

Now, I do agree with the point you are making as well, that the assertion is hardly an “immutable law”. My point is merely that in practice the statement is entirely true for the vast majority of computer users, and that if people tended to abide by that “law” then the number of security incidents would be much lower than it is now. This isn’t the same as the computers really being more secure…and there is a fine line between getting people to adhere to a principle because it is currently necessary and having them believe that it is inherently necessary/unavoidable…but at the moment general computer users would be safer if they believed this fiction.


Mr. Conlan: General computer users will be safer if they don’t believe this fiction, because believing the fiction prevents them from seeking more secure operating systems and prevents them from blaming the makers of insecure operating systems for their plight. Pretending that this is an “immutable law” is just a way to shirk responsibility.

Many computer users now have the choice of using operating systems (MacOS or Linux, notably) where that law is true only for some users.

MacOS and Linux only offer this ability if they are used correctly. The same could be said for Windows. A Windows user who chooses to always be Administrator will just choose to always be root in MacOS and/or Linux. There are many flavors of Linux where the only account created during installation is root, and therefore the general user that accepts defaults will use root. (I am not sure of the particulars of OSX…if I remember correctly it is actually a pain to actually be able to login as root in OSX…which is definitely a good thing…but may confuse the user.)

Further, there is the problem that MacOS and Linux often just provide a level of abstraction - prompting the user for the root password as necessary. If the user just enters this automatically whenever prompted, then the same security problems apply.

Really, the “law” could be refined to something more technically accurate such as “it is potentially unsafe to run any software you don’t trust”, but that is just saying the same sort of thing in a more subtle way. To truly escape the realm where the “law” is at least somewhat applicable requires something along the lines of MAC, such as SELinux.

And, while I agree that it is a good thing if the user understands the distinction between the current reality of the principle and the fact that it is rather avoidable, that would be great. And, in the long run, users will be safer this way and therefore we should all work towards making that distinction clear. However, 1) most people don’t “choose” their OS at all, but use what comes with their computer, and 2) whatever choices they might make for their home computer, they are still often going to be stuck with systems not of their choosing, such as Windows, in their workplace.

The problem with overly castigating the statement or phrasing it as “totally false” is that the general user may infer that all software is equally safe to run, which simply isn’t true in the majority of computing environments.

Nathar Leichoz wrote:

Whether the “law” is true or false depends on whether you are analysing it theoretically or practically, and whether you are treating those laws as architectural laws or as security laws.

In a theoretical sense, your talk about well-managed resources refutes it. But in a practical sense, we know that that “goal” is unfeasible to the extent that there is a trade-off in utility and speed. Most OSes (even OS X) somewhat compromise that goal to achieve ease of use and user productivity.

As an architectural law it is false, as you indicated by the primary goals of an OS. But as a security law it is true, since you need to protect yourself against the worst-case-scenario. You never know if a particular OS feature is poorly designed and is the weakest link or when a bug in the system will compromise your computer.

My interpretation of Scott’s laws, particularly from the use of analogies and the cute phrase “a bad guy”, is that he’s trying to write a thought-provoking piece just to get novices aware that security is not a walk in the park.