What are the main reasons for the vast number of defects in operating systems?

Operating system kernels are enormous (millions of lines of code), and even with a low defect rate per thousand lines, this results in tens of thousands of potential defects. The complexity is further increased by third-party drivers and extensive APIs.

How have buffer overflows evolved as a security threat?

Buffer overflows were first discussed in the NSA in 1974, with practical examples emerging in 1988 via the Internet Worm. They became widely known in 1996 with the 'Smashing the Stack for Fun and Profit' paper, and despite mitigation efforts, related vulnerabilities persist.

What are some of the historical attempts to solve security problems?

Early solutions included hardware-based memory protection (segments, paging), access control lists derived from Multics, and later, mandatory access controls, multi-level secure systems, capabilities, microkernels, virtual machines, and reference monitors.

What are the main challenges with microkernels?

Microkernels face performance issues due to high context switching overhead when crossing boundaries between user space and the kernel. Additionally, layering system call APIs, device drivers, and networking stacks onto them can negate their minimalist benefits.

How does Systrace work as a security tool?

Systrace captures system calls and canonicalizes path names to create security profiles. These profiles are simple enough to be hand-edited, offering a more manageable approach to monitoring program behavior than systems like SELinux.

What is separation of privileges, and how is it applicable today?

Separation of privileges involves dividing a service into smaller programs, running most with minimal privileges, and granting privileges only to necessary components. Postfix is a good example, performing initial mail reception as root but handling subsequent processing with fewer privileges.

What is the speaker's vision for a more secure future system?

The speaker envisions programs broken into small tasks, each running as an independent thread with its own memory space. These tasks would be restricted by reference monitors or capabilities, and the microkernel would run on a dedicated core in a multi-core architecture to avoid context switching overhead.

Why are languages like Java and C# not a complete solution to security problems?

While designed with security in mind, these languages can still have flaws. Problems like reflection in Java allow access to private methods, violating the security model. Furthermore, relying solely on language features without robust runtime restrictions can be insufficient.

Does the proposed solution address high-level vulnerabilities like SQL injection?

The speaker admits his proposed solutions do not directly address higher-level vulnerabilities like SQL injection or cross-site scripting. He suggests that input filters might manage these, but acknowledges it's a complex problem and not the focus of his talk.

Why is developing new CPU architectures challenging?

New CPU designs often fail commercially because they lack an application base. Without widespread software support, hardware innovations, even those with security benefits, struggle to gain traction, creating a vicious cycle.

What is the ultimate message about achieving true security?

The speaker concludes that if security were easy, it would have been solved. He emphasizes the need to think outside historical constraints and the 'cement block' of the past, suggesting that current approaches are insufficient and radical new thinking is required.

Key Moments

Security is Broken

Google Talks

Education6 min read71 min video

Aug 22, 2012|387 views|7

googlevideo

Save to Pod

Want to know something specific about what's covered?

We've already dissected every moment. Ask and we will deliver (with timestamps).

Key Moments

TL;DR

Computer security is fundamentally broken, not just in its current state but by design, leading to widespread compromise and a reliance on constant patching rather than inherent security.

Key Insights

Two-thirds of all desktops are owned, with malware installed, and hundreds of thousands of bots active monthly.

Buffer overflows, first discussed in 1974 and practically demonstrated in 1988, remain a significant vulnerability, even after decades of attempts to mitigate them.

Despite efforts to improve security, the top new vulnerabilities in the last five years are related to web scripting and programming errors like cross-site scripting, SQL injection, and PHP include, with no overall improvement in vulnerability counts.

Time-sharing systems, designed in the 1960s for massive mainframes, created security models (like access control lists) that are ill-suited for today's single-user, multi-functional computing environments.

Microkernels, while conceptually appealing for minimizing privileged code, historically suffered from severe performance issues due to excessive context switching, requiring 3-4 context switches for simple inter-process communication.

The presenter advocates for a 'separation of privileges' model, breaking down applications into small, independently verifiable tasks with minimal privileges, as a best practice for current technology.

Security is not just broken, it's accepted as broken

The speaker, Rik Farrow, argues that computer security is fundamentally broken and has been for a long time. He highlights that the acceptance of this broken state is the most unacceptable aspect. Evidence of this widespread insecurity includes two-thirds of all desktops being compromised, hundreds of thousands of active bots, and the normalization of monthly security patches. A particularly concerning design flaw is that web browsers, by their very nature, are built to execute remote code, making them inherently risky when visiting unknown websites.

Insecurity in depth: Layers upon layers of complexity

Modern operating systems and applications are built on layers of software, creating 'insecurity in depth.' Kernels alone can have millions of lines of code (e.g., FreeBSD with 3 million, Linux with over 5 million). With a typical defect rate of 3-6 defects per thousand lines of code, this translates to tens of thousands of defects. Furthermore, the extended use of third-party device drivers and multiple APIs means that even the OS vendor may not have full control over the code running with kernel privileges. This complexity makes it nearly impossible to find and fix all vulnerabilities. The fundamental issue remains that anything running with root or local system privileges has total control over memory and operations, making any exploit within these privileged contexts catastrophic.

Anatomy of a persistent vulnerability: Buffer overflows

Buffer overflows, a vulnerability first discussed at the NSA in 1974 and practically demonstrated in the 1988 Internet Worm, have remained a critical issue for decades. The concept became widely understood and exploited after a 1996 paper explained how to 'smash the stack.' Early mitigation attempts involved simple tools like 'grep' to find problematic functions like 'string copy' and 'get s,' and more sophisticated software like 'stackguard' which introduced canaries to detect stack corruption. Hardware solutions like 'no-execute' (NX) bits were also developed to prevent code execution from the stack, a problem exacerbated by older Intel and AMD processor designs. Despite these efforts, buffer overflows have only recently fallen from the top vulnerability spot to fourth place, supplanted by web scripting and programming errors.

The misapplication of time-sharing security models

Farrow traces modern security models back to the early days of computing and time-sharing systems in the 1960s. The goal then was to allow multiple users to share expensive mainframe resources securely, requiring protection between users' processes and their data. Techniques developed included segmentation and paging for process protection, and access control lists (ACLs) for file protection, concepts derived from systems like Multics. While these mechanisms were designed for sharing, most computers today are single-user machines. Applying the complex ACLs and multi-level security (MLS) models, originally designed for government and defense classified systems, to personal computers is a poor match and creates unnecessary complexity and overhead without solving the core security problems, especially those originating from user-facing applications like web browsers.

Searching for solutions: MLS, Capabilities, Microkernels, and More

The talk explores various proposed security solutions. Multi-level secure systems (MLS), like SElinux and AppArmor, aim to enforce complex security policies but are extremely difficult to use and configure, failing to protect users from their own web browsers. Capabilities, a model where programs are granted specific permissions to perform actions, were explored but never widely adopted, often due to lack of networking support (e.g., the Eros OS). Microkernels, designed to minimize the kernel's privileged code, faced significant performance issues due to excessive context switching between user space and the kernel. Hybrid kernels and experimental systems like Asbestos and Singularity are also discussed, with varying degrees of success and inherent complexities. Virtual machines offer isolation, but the security of the guest OS remains a concern.

The promise and peril of separation of privileges

Farrow presents 'separation of privileges' as a practical best practice for today's technology. This involves breaking down applications into smaller, simpler modules, each performing a limited function and running with minimal privileges. Postfix, a mail transfer agent, is cited as an example where functionality like listening on port 25 is handled by a privileged process, but email parsing and routing are performed by non-privileged child processes. This reduces the attack surface and the potential impact of a compromise. The core idea is to design for least privilege, especially for components that listen on network sockets, which inherently have a large attack surface.

A blue-sky vision: Multi-core processors and a truly modular OS

Looking ahead, Farrow proposes a radical redesign enabled by multi-core processors. His vision involves treating each small task (derived from the separation of privileges concept) as an independent entity with its own memory space, potentially running on dedicated CPU cores. The microkernel would be confined to one core, managed by a high-performance scheduler that minimizes context switching. Inter-process communication (IPC) would be optimized through shared memory and page mapping, avoiding data copying. This would allow for fine-grained control, where a JPG renderer, for example, could only process image data and output bits to the display, unable to access passwords or make network calls. This approach aims to address the historical performance issues of microkernels and create a system where security is built into the fundamental design of tasks rather than being an add-on.

The persistent challenge of human error and complex interfaces

Despite technological advancements, human error and the complexity of security interfaces remain significant hurdles. The presenter notes that users, when presented with dialog boxes or notifications, tend to click 'continue' without fully understanding the implications, making interactive security prompts unreliable. Furthermore, many current security problems, like SQL injection and cross-site scripting, operate at a higher level of application interaction and are not directly addressed by low-level kernel security. Farrow admits he doesn't have a definitive solution for these issues, likening the challenge to writing code without buffer overflows – aspirational but difficult to achieve for average programmers. He concludes that truly secure systems require thinking outside the historical box and moving beyond the limitations of past designs.

Mentioned in This Episode

●Products

●Software & Apps

●Companies

●Organizations

●Concepts

●People Referenced

Common Questions

The speaker notes that the same security problems persist repeatedly, and worse, society has accepted this broken state, which he finds unacceptable. This indicates a fundamental, unresolved issue in security practices.

Topics

Mindset & Self-Improvement Technology & Innovation System Design Future Of Computing Operating System Security Software Vulnerabilities Buffer Overflows Access Control Least Privilege

Mentioned in this video

Companies

AMD

Processors mentioned in relation to the difficulty of implementing no-execute stacks until recently.

Intel

Processors mentioned in relation to the difficulty of implementing no-execute stacks until recently.

Microsoft

Mentioned in relation to its Trusted Computing Initiative, security patches, and proprietary schemes for stack protection.

Google

Mentioned as a company that could potentially 'buy' a solution to security problems, and whose search function converts PDFs to HTML.

Oracle

Mentioned as a database that can be targeted by SQL injection attacks.

Apple

Mentioned as a vendor with multiple APIs and as an example of an operating system (macOS X) that is not truly microkernel-based.

People

Dennis Ritchie

Inventor of the C programming language, which included features like string copy and unbounded arrays, contributing to security issues.

Andy Osment

Co-author of a paper showing that OpenBSD has improved over time with a decline in new vulnerabilities.

Rick Farrow

The speaker, who has been involved in security since 1984 and is giving this talk due to persistent security problems.

Jonathan Shapiro

Developer of the EROS operating system, a capabilities-based system.

Eric Allman

The original author of Sendmail, who developed it as a student project in the early 1980s.

DJ Bernstein

Creator of djbdns, mentioned as an example of a developer whose work is highly respected but also personally difficult to deal with.

Aleph One

Authored the paper 'Smashing the Stack for Fun and Profit' in 1996, popularizing the concept of buffer overflows.

Robert Morris

Author of the 1988 Internet Worm, and involved in the experimental operating system 'Asbestos'.

Elias Levy

Also known as Aleph One, author of 'Smashing the Stack for Fun and Profit'.

Software & Apps

MINIX 3

Presented as the closest example of a true microkernel, running device drivers as services and incorporating capabilities.

C++

Mentioned alongside Java as a language that could potentially be used for security.

Singularity

An experimental Microsoft project, described as an experimental microkernel design where everything runs in ring zero and relies on language features for security.

Sendmail

An older mail transfer agent with multiple buffer overflow vulnerabilities discovered in 2003, highlighting the need for alternatives like Postfix.

macOS X

An operating system claimed to have a microkernel but is actually a hybrid approach, blending Mach 3 and BSD, and is not truly 'micro'.

MySQL

Mentioned as a database that can be targeted by SQL injection attacks.

mdns responder

Mentioned as a concerning example of software with a large attack surface, related to Bonjour.

FreeBSD

Cited as an example of an operating system kernel with approximately three million lines of code.

OpenBSD

Cited in a study as showing improvement over time in terms of reducing flaws and seeing a slight decline in new vulnerabilities.

CTSS

Computer Time Sharing System, an early time-sharing system developed around the same time as Multics.

Python

Mentioned as an example of a programming language with an intuitive syntax.

Harmony project

A Microsoft project where device drivers and applications run as bytecode, aiming for security through restricted code and language features.

spirit.com

The speaker's website where references and the presentation slides can be found.

Postfix

A mail transfer agent that serves as a good example of separation of privileges; it was rewritten from scratch to avoid the vulnerabilities in Sendmail.

EROS

A capabilities-based operating system developed by Jonathan Shapiro. It's considered a nice example but was limited by the lack of networking.

Bonjour

Related to mdns responder, mentioned as an example of a technology that should be compartmentalized due to its attack surface.

Snort

A tool that references CVEs for vulnerabilities.

Unix

An operating system that evolved from Multics, featuring a user/group/other permission model.

Stackguard

Software invented around 1998 that uses a 'canary' to detect stack corruption.

SecurityFocus

A platform that references CVEs for vulnerabilities.

Java

A 'bytecode' language that, despite its security design, has had security issues like reflection allowing access to private methods.

Windows

Mentioned as an operating system that uses access control lists and runs services as 'local system'.

PA-RISC

A RISC processor architecture the speaker has worked on.

GE 635

An early system that used memory segmentation for process protection.

IBM 70-95

An early system that used paging (virtual memory) for process protection.

Linux

Cited as an example of an operating system kernel with over five million lines of code.

Multics

An influential time-sharing operating system developed in 1965, from which Unix and Linux descended. Introduced concepts like access control lists.

Asbestos

An experimental operating system discussed for its data labeling and mandatory/discretionary access control features.

Systrace

A tool presented as a reference monitor that captures system calls and canonicalizes path names to create security profiles.

Mach 3

A microkernel (part of macOS X) that is considered quite large, contradicting the minimalist ideal of microkernels.

Products

Itanium

A RISC processor architecture the speaker has worked on (misspoken as 'i-64').

Intel 8080

An early microprocessor that followed the Intel 4004, mentioned as part of the lineage of CPU design.

A real microkernel project with a small lines of code, but requiring additional layers like the Linux API and networking stack to be useful.

i860

A RISC processor architecture the speaker has worked on.

Intel 4004

The first commercial microprocessor, used as a basis for modern CPUs according to the speaker.

Organizations

Mitre

The defense contractor based in Virginia that maintains the CVE vulnerability database.

NSA

Buffer overflows were first discussed internally at the NSA in 1974.

Legislation & Policy

RFC 2821

The Request for Comments standard that specifies email address formatting and limits, relevant to a buffer overflow in Sendmail.

RFC 822

An early standard for email message format, mentioned in the context of Postfix's processing steps.

Media

Unix World Magazine

A magazine where the speaker worked as a technical editor in the late 80s and early 90s, reviewing hardware.

Concepts

HTML5

The standard for web content, mentioned in the context of potential security risks when converting PDFs to HTML.

Locations

Berkeley

The university where Aleph One was teaching freshman computer science and wrote about buffer overflows.

Ask anything from this episode.

Save it, chat with it, and connect it to Claude or ChatGPT. Get cited answers from the actual content — and build your own knowledge base of every podcast and video you care about.

Get Started Free