When it comes to security, every desktop computer operating system is fundamentally flawed. Why? Because any software you run has the same permissions that you do. Anything you can do, it can do too — whether you want that or not.
Speaking at the AusCERT conference on Monday, Ivan Krstic, director of security architecture for the One Laptop per Child project, says the computing industry relies on “utterly obsolete concepts and assumptions” and has “massively failed when it comes to desktop security”.
The way modern desktop security works is by relying on the user to make informed and sensible choices on things they don’t understand.
The early personal firewall software was a classic example:
A dialogue would pop up and say ‘Hi, we’ve intercepted this packet with this TCP sequence number and these flags set, and SYN and FIN are both on, and here are the destination ports and the source ports and here is a hex dump of the packet. Allow or deny? What do you think?’. Who is that protecting? It’s protecting me, but I don’t need that kind of protection in the first place.
The Apple Blog was sarcastic when they reported Krstic’s speech — I suspect because arrogant OS X users think security issues don’t apply to them — so I posted a response…
Despite your sarcasm, when you ask…
So does that mean ‘there is nothing in place to say that’ OS X’s Chess game cannot format my hard drive or turn over control of my Mac to third parties?
… yes, you’re right on the money. Krstic is absolutely correct. This is exactly the “trust model” of every desktop operating system currently in use.
Software like Minesweeper in Windows, Chess in OS X or whatever — everything from Adobe Photoshop and Microsoft Office to that cute little widget you just downloaded from… who? — are supplied as pre-compiled binary programs. Unless you reverse-engineer them and do a complete audit, you have no way of knowing for sure what they do. Not 100%.
Even then you have to be really good at software auditing to know you’re not overlooking some trick. And you have to audit every software library they call. And, if you want to be completely sure, audit the microcode on the processor chip while you’re at it.
When you run any software, you’re trusting the author to do only what they claim they will do.
There is no global auditing program to ensure software does what it says and only what it says. In any event, how can you know whether the file you just downloaded is the same one that was audited?
And, despite the “I’m more secure than you” arrogance shown by so many OS X users, there’s nothing about OS X that makes it any different to Windows in this regard: run a program, and it runs with the same privileges as you have.
At this point open-source advocates will say that they have the source code so they’re OK — but honestly, when was the last time you read through the source code before compiling and running a program?
You’re wrong about one thing..
Chess in OS X can’t format my drive without my knowledge – it’d have to ask for me to authenticate and authorise it to do that.
There is a *lot* different to Windows users: my default user on OS X doesn’t have root privileges, and I’d have to do a lot to grant those privileges to that account. There’s a lovely simple escalation system that allows me to allow specific processes to be granted higher privileges, but they need to re-request that each time they’re run.
In Windows (even in Vista), there isn’t this level of protection. Most people using desktop Windows run as Local Admin, or an account with equivalent permissions. UAC attempts to solve this, but my understanding is that it doesn’t do a very good job – even MS have admitted that there are plenty of ways around UAC, they never intended it to work as advertised, just to get people used to that style of interruption.
So yes, although processes on both unix-style systems (including OS X) and on Windows systems that I run can do anything I can do – there’s a big difference between what a standard user on a Windows machine can do vs. what a standard user on a unix-style system can do.
That said. As an admin, my usual assumption is that if someone has physical access to a machine, they own that machine. Preventing remote users from doing things I don’t want to the machine is a workable problem, preventing local users from doing things is… well, I can raise the bar, but ultimately there’s not a lot I can do.
(shell access, for this purpose, counts as local access).
So.. yes, even on a unix-style machine, I assume that anyone who has shell or console access could take advantage of local exploits and take control of the machine. That would have to include programs I choose to run taking advantage of those exploits and taking control of the machine..
The only difference I can cite here without looking foolish is the inherent extra difficulty in taking advantage of an exploit to escalate privileges vs. taking advantage of a system that’s designed to give me too many privileges to start with.
Wait, maybe I do look foolish anyway…. damn 🙁
@Zhasper: Your specific correction about formatting hard drives in OS X is correct — thank you! And yes you’re right about the level of fucked-upness in Windows compared with unix-based systems like Linux and OS X.
But if I read the reports of Krstic’s speech correctly — and if my brain is working correctly — this is all still just a matter of degree.
You and I are so far to the right-hand end of the bell curve in terms of understanding these issues that our own experiences are effectively meaningless.
What matters is how Geoff and Sarah Williams running their family business operate their computer. And in their case, all these dialogs asking permission are nothing but security theatre — because they simply don’t understand the questions being asked.
Yes, agree that it’s just degree, and for the average user it’s such a fine distinction as to be meaningless.
I don’t know that we’re all that far to the right though. I have a lot of blind faith in OS X to be correctly asking me when it wants to elevate privileges, and I don’t think I have the source code to check that even if I wanted to.