Comments: The Goal of Security

I've been meaning to write a little blurb on the similarities between 5PM governance and good software security.

If you look at qmail (which has gone years without an exploit) and the "qmail security guarantee" page:

http://cr.yp.to/qmail/guarantee.html

it strikes me point (4) is similar to 5PM for governance.

To quote: "Move separate functions into mutually untrusting programs."

If only people who write daemons that work with TCP/IP would read and implement things like this, the number of break-ins would drop like a stone.

It took openssh being cracked into before they rushed around and implemented privilege separation. Why not take it a step further like DJB has?

See point (4) in the qmail security guarantee.

Anyone planning to implement a service accessible over the internet has to think like this.

Why not do that for userland programs as well - each user should have several UIDs available to them - the web browser should run under a separate UID for instance, the JVM another. Any Java or browser exploit would not be able to touch any data. How about writing code that picks unused UIDs much like programs can pick untrusted ports above 1024. Every instance of the web browser you launch can run as another UID.

If you are stuck running what is available and are planning a web server application... separate the web server from the database. Put the IDS logger on yet another box. Put a squid in front of the web server... the valuable stuff - i.e. your data - should be the furthest from the outside network... and please use stack smashing protection and avoid bad libraries that don't implement sanity checks...

When you are using a web browser and want to check out dubious sites? Run it as a separate user with an ephemeral /tmp as home. You can ssh back to your own box and the DISPLAY gets set automagically.

This is what brings security, and not running around trying to pretend that everyone writes perfect code.

Cheers!

Posted by Venkat Manakkal at February 18, 2005 02:02 PM
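The pattern Venkat describes above, a parent that hands work to a mutually untrusting child running under a freshly picked, unused UID, as an added example written for this page (not qmail's or OpenSSH's code). The helper names, the 20000-29999 UID range and the exit code 111 are assumptions made here.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Pick a UID in [lo, hi] with no passwd entry, much like picking a free
 * unprivileged port. Returns (uid_t)-1 if every UID in the range is taken. */
uid_t pick_unused_uid(uid_t lo, uid_t hi)
{
    for (uid_t u = lo; u <= hi; u++)
        if (getpwuid(u) == NULL) return u;
    return (uid_t)-1;
}

/* Irreversibly drop to uid/gid. Order matters: supplementary groups first, then
 * the gid (impossible once no longer root), then the uid; then verify the drop. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (setuid(0) == 0) return -1; /* regained root: the drop was incomplete */
    return (getuid() == uid && geteuid() == uid) ? 0 : -1;
}

/* Run fn() in a forked child under a throwaway UID. The parent shares no
 * memory with it and learns only its exit status; 111 marks a failed drop. */
int run_untrusted(uid_t uid, int (*fn)(void))
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (drop_privileges(uid, (gid_t)uid) != 0) _exit(111);
        _exit(fn());
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

static int untrusted_work(void) { return getuid() == 0; } /* nonzero = still root */

int main(void)
{
    uid_t u = pick_unused_uid(20000, 29999); /* range is an assumption */
    if (u == (uid_t)-1) return 1;
    printf("child exit status: %d\n", run_untrusted(u, untrusted_work));
    return 0;
}
```

Run as root in a throwaway VM to see the child exit 0 under the new UID; started unprivileged, the child exits 111 because clearing supplementary groups already needs root.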

Nice page that. Sounds like Dan Bernstein is an old timer like myself.

That's quite perceptive to relate DB's #4 to 5PM's separation of concerns! It is the same thing, effectively, except 5PM takes its lead from accounting and governance. We do exactly the same thing in our payment systems, with sometimes half a dozen different processes/daemons between the net and the backend.

Patrick, check out #7 :-)

Posted by Iang at February 18, 2005 02:40 PM

> Patrick, check out #7 :-)

Good one, yes!

(I had previously discussed the use of malloc with Ian, and in particular mentioned the special allocator I use in Fexl.)

I'm an old-timer too!

Posted by Patrick Chkoreff at February 18, 2005 10:54 PM

The trouble is that if security is the goal, you don't want an OS, you want a backhoe and a concrete mixer. That way, you can dig a deep hole, drop your computer system down it, and backfill the hole with concrete. The resulting computer will have no useful functionality, but since functionality is not a goal, it doesn't matter: it is indisputably secure, so you have done what you should have done.

Posted by John Cowan at March 5, 2013 06:58 AM