Usable Security

Talk about dangerous analogies! What about the following: you go to the store and buy a recipe that you then give to your butler to prepare. You’re hoping for a delicious meal, but the “trojan” recipe, rigorously followed by your butler, makes you very ill.

In regard to your “Armed Butler” analogy I submit an alternative analogy which I believe to be closer both to day to day experience and to the situation we face with running software on today’s operating systems:

You decide to hire somebody to - let’s say - landscape your garden (service your vehicle, whatever). You meet them and give them a key to the gate to your yard (key to your vehicle, whatever) in your key chain along with the keys to your house, vehicles, safe deposit boxes, luggage, office, mail box, neighbors house, etc. and then you tell them where your house is and what you want done.

Huh? Better, I believe (more Principle Of Least Authority, POLA), if you meet them and give them just the key to the gate (vehicle, whatever) and then tell them where your house is and what you want done. You keep the rest of your keys in your key chain with you. You may pay them something up front and something upon completion and ask them to leave the key to the gate under the door mat.

The former situation (give them all keys/authorities) is how we are forced to operate in today’s operating systems - e.g. Windows and Unix. This is the “ambient authority” model. It is the model under which running software acts as a surrogate for the human user that loaded and started it and enjoys all the authorities of that human user.

A better model, I believe, is the classical capability model. Capabilities are analogous to and the computer embodiment of physical keys. They are the computer representations of authority. Under the capability model whenever you run software you explicitly give it just the authorities (as “capabilities”) that it needs to do its work (POLA). For example, a text or graphics editor you give access to the file(s) to edit and any needed multiplexed input/output (e.g. display, keyboard) devices. Multimedia software packages you give access to their input (perhaps some audio/video files) and output (e.g. a rendered file or perhaps a multiplexed display window). A Web browser you give access to the Internet. Any such software can ask you for additional authorities that it may need that arise dynamically such as a needed authority to write a downloaded file. It can do so via a pop-up window that is actually asking for an authority to write and not just asking for a location where it assumes it already has the authority to write. You may choose to grant or deny or ignore any such requests just as if a service person asked for a key to your house or office.

With the capability/POLA model software is constrained by being given only the minimum set of authorities (access rights) that it needs to do its requested work. With this model the damage that software can do (e.g. as a “Trojan Horse”) is limited to what it can do with the authorities it needs to do its minimally requested work. Certainly if you had a choice with your computer authorities as you do with your physical key authorities you would not consider it reasonable or wise to give all your authorities as a system user to software that you request a limited service from.

With today’s “ambient authority” model (Windows, Unix, nearly all commercially significant systems) all software is given all the authorities of the user that runs it. With this ambient authority model any software you run is a potential “Trojan Horse” that can damage your system or give away your resources, etc. as much as you yourself can. Today’s ambient authority model is broken and is the source of most of the security malaise in today’s IT infrastructure. This model simply needs to be replaced with a model that grants only needed authorities (POLA) to the software that we run on our computer systems.

A change from ambient authority to POLA is a significant undertaking. Fortunately it’s an undertaking that can be accomplished with very few changes to the “user” interfaces that people must deal with. This change requires substantial modifications to the application programming interface to allow programs to designate which authorities should be given to other programs that they run - e.g. a shell or window manager would limit the authorities given to a text/graphics editor or a Web browser or any other program that’s executed on behalf of a user. Such a change would be expensive (not only in terms of design/programming, but also in terms of education for programmers, etc.) and so will of course only be undertaken if some way can be found of generating return from the required investment. I believe a change from ambient authority to POLA is the only opportunity that we have for a real solution to the computer security problems that have been plaguing us evermore in recent years.

A flaw with the butler analogy, I think, is that in the case of computers, everything is done through requests made of the butler (OS). All you can do is give the butler instructions and lists of things to do.

Say you tell the butler, “Follow the instructions on this list,” and hand him one of two pieces of paper. Once says “1) Buy a new TV, 2) Follow all instructions in the manual,” and the other says “1) Buy an Acme Suicide Kit, Bullets Included, 2) Follow all instructions in the manual.” (Assume these are both valuable products.)

This brings us to the real issues. Should you have multiple butlers, only some of which have a gun, and send a no-gun butler to buy the TV? Should all butlers be required to ask you “Are you sure?” before using a loaded firearm? How about before installing a new TV?

What if both pages of instructions will cause the butler to approach you with a big cardboard box and say, “This action requires administrator privileges. Are you sure you want me to execute all instructions in this box, signed by Acme Corp., whatever the consequences?” What if they’re the same box?

The analogies on armed butlers and comparisons with bridge building are dancing around what I’d characterise as a distinction over ‘goods’ to use the economics term. In ’safety goods’, we note there are models of failure that lend themselves to statistical analysis and other mathematics like statics (for bridges), as well as good testability.

In ’security goods’ this modelling breaks down. The biggest difference is the presence of an active attacker - something that no other good or science tends to worry about. Butlers don’t follow notes to kill their masters, and bridges aren’t nuilt to withstand demolitions. Statistics fails to predict, as does testability. Notwithstanding an ability to make proofs at a low level, taking proofs to a high level is fraught and hasn’t really made a mark in the real world. How does one build under these conditions?

[...] and sinker. This is exactly the type of mistaken comparison I was talking about in recent entries. Viruses are dangerous when they enter your body because they have complete physical [...]

mpe download

The Armed Butler

un mundo separado por el mismo dios mp3

The Armed Butler

asian myspace music video code

The Armed Butler