Simplicity and Security

A big part of writing secure software (probably the biggest part) is simplicity.

When we think about software security, the first question that we ask is, “How many different ways could this program possibly be attacked?” That is, how many “ways in” are there? It’s a bit like asking “How many doors and windows are there on this building?” If your building has 1 exterior door, it’s very easy to protect that door. If it has 1000, it will be impossible to keep the building secure, no matter how good the doors are or how many security guards you have.

So we need to limit the “ways in” to our software to some reasonable number, or it won’t ever be secure. That’s accomplished by making the overall system relatively simple, or breaking it down into very simple and totally separate component parts.

Then, once we’ve limited the ways in, we need to start thinking about “How many different possible attacks are there against each way in?” We limit that by making the ways in themselves very simple. Like a door with only one unique key, instead of a door that can take five different keys, all of which individually will open the door.

Once that’s done, we limit how much damage any attack could do if it got through. For example, in a building, we’d make any given door only allow access to one room.

All of this explains, for example, why Windows is fundamentally flawed and will never be secure, and why UNIX-based systems have a better reputation for security.

Standard UNIX has a very small number of system calls that are used to implement the vast majority of all UNIX programs out there. (Even the extended list is only about 140 system calls, though most of those are never used by the average program.) Each system call is extremely specific and does one very limited thing.

Windows, on the other hand, has a ridiculous set of system calls that are confusing, take too many arguments, and do too much.

Going up to a higher level in the system, the Windows API is massive and complex. It’s a strange beast that controls both the OS and the GUI. There’s really no equivalent thing in UNIX (because the OS and the GUI are separate), but we can at least compare parts of it. Here’s The Windows Logging API. Here’s the Linux Logging API. There’s just no comparison. It’s like a joke. There’s so many “ways in” to any part of Windows that it will never be fundamentally secure.

You might say, “Well, I haven’t had a virus on my Windows machine in a long time.” That’s not what I’m talking about–I’m talking about fundamental security. In order to have a secure Windows machine, you have to have a firewall that asks you every time a program wants to make an outbound connection. You have to have a spyware scanner. You have to have antivirus software that slows down your computer by as much as 2000%. If Windows was secure, you wouldn’t need those things.

When we design our own systems, keeping them simple is the only real guarantee of security. We keep each “way in” to the system as simple as possible, and we never add more “ways in” than we absolutely need. These are compatible things, too, because the simpler each “way in” is, the fewer we’ll actually need. That may not make sense until you think about it this way: If all actions on the system can be reduced to, say, 13 fundamental function calls, then the user can do everything with those 13 calls, even if they’re not very powerful individually. If instead we only let them do 100 different specific tasks, and don’t allow them to use the 13 fundamental calls, we have to add a new function for every specific task.

There are lots of other “ways in” to a program than just its public API, too. How the user interface interacts with the backend–that involves various “ways in”. Can we access this program’s internal structure from another program? That would be another “way in.” There’s lots of ways to apply this principle.

Any way you slice it, though, the best way to get real security in things is simplicity. We shouldn’t have to put a small army in front of our software just to keep it secure. It should just fundamentally have so few “ways in” that it doesn’t need the protection, and those “ways in” should be so streamlined and simple that they’re impossible to exploit.

-Max

14 Comments

  1. to clarify: antivirus and antispyware today essentially only protect against social engineering exploits, as there hasn’t been an unpatched “real” exploit on Windows in a long while.

    • The number of viruses and spyware that I remove from the average person’s Windows computer is enough evidence for me. Most users don’t even have the latest patches installed, either. There is no Windows computer that’s safe to run without at least some anti-spyware software (unless you’re an expert). It’s clearly not just social engineering because that would be effective on all OSes.

      -Max

      • > The number of viruses and spyware that I remove from the average person’s Windows computer is enough evidence for me.

        Of what? That users get fooled by social engineering attacks? Is that even news?

        > Most users don’t even have the latest patches installed, either.

        I very much doubt this, given that Windows defaults to automatic updates on XP SP2 and above. Even pirated copies receive automatic updates.

        > (unless you’re an expert)

        Or you have enough common sense to not be a victim of social engineering.

        > It’s clearly not just social engineering because that would be effective on all OSes.

        Well, then, what is it? The fact is that there hasn’t been an unpatched exploit in ages. So what does that leave?

        Of course social engineering works across OSes. Are you saying that non-Windows users who aren’t knowledgeable don’t get 419 scammed or phished? Both are kinds of social engineering attacks, and enticing people to install “XP Antivirus 2009” is yet another. The Windows market is targeted because that’s where most of the suckers are, simply because it’s larger.

        • > Or you have enough common sense to not be a victim of social engineering.

          Well, it’s not so much a matter of “common” sense. If on my car, a light turned on that said, “You need to stop driving the car right now,” I’d probably do it. I’m not really a car expert, I don’t know what lights I should and shouldn’t have. I suspect that most of the people reading this blog are expert enough on their computer to know what is and isn’t a real prompt, for example. Also, there are much more subtle tricks (clickjacking, etc.) that any non-expert user would fall for.

          > Of course social engineering works across OSes.

          The Mac desktop market seems to be getting bigger and bigger. I suppose we’ll see if the “Windows seems insecure only because it’s the largest target” continues to hold up. I don’t think it’s held up in terms of IE vs. Firefox, as Firefox now commands a respectable share of the market and I don’t see 18% of attacks going there.

          And of course I’m not talking about 419 scams or other things that are not purely technology-related.

          -Max

          • > Firefox now commands a respectable share of the market and I don’t see 18% of attacks going there.

            Huh? Why do you think it’ll be linear? Even at 30% it makes a lot more sense to go for the 70%, a lot of who are clueless, rather than the 30% who actually had the sense enough to download Firefox.

          • > And of course I’m not talking about 419 scams or other things that are not purely technology-related.

            But “XP Antivirus 2009” isn’t purely technology related either. That’s my basic point.

  2. Social engineering doesn’t affect other OS’s simply because they’re a small slice of the pie. I’ve never even seen a piece of UNIX or even OSX malware out there to download (although, if you’re able to run UNIX successfully, you’re probably an “expert” anyway).

    Saying that its impossible to run Windows safely without with antivirus, or that Windows can and will never be secure is just flame bait, which kinda clouds up the whole point of this article, that smaller interfaces lead to less attack surface. Sadly, that also ignores the fact that smaller interfaces can also mean you can’t do half the stuff you wanted either (or at least its often more difficult).

    Developing software from the ground up, people rarely would make the same choices twice in a row (even in one or two years, ideas can change drastically, and Windows is hauling around interfaces that are a lot older than that). Starting over from the group up isn’t really an option for most large projects though. So you do what MS is doing. You separate things apart where you can, and update them in small chunks (Vista and Win7). Or you write new APIs and let people opt in to using them instead (WPF).

    • As far as the social engineering thing goes, at least for Linux, Firefox is the major browser and it’s just not as attractive as a target as IE on Windows is, since it has much less access to the OS (though I suppose IE7 helps that a bit and IE8 will be even better). I mean, people could be writing cross-platform attacks against Firefox, but I haven’t seen any major ones.

      In terms of interfaces, the idea is to create a series of small actions that can do everything, and not to provide a lot of convenience functions unless they’re just wrappers over a series of the simple functions. More of a “building blocks” than a “buildings” method.

      There’s plenty of Unix malware, but I agree, it’s pretty uncommon that it’d be installed through social engineering as opposed to say, brute forcing SSH. The nice thing about that security issue is that you can close it up just by disabling password access (it’s a very small attack surface).

      I agree that Vista and Win7 are going in the right direction, though MS will still have a serious legacy problem (at least for the next decade or so). And I think we can all agree that many Windows APIs (particularly legacy ones) are more complex than they need to be (partially because Windows is kind of engineered to be a one-size-fits-all product, so we have enterprise-level features and APIs even on our desktops).

      -Max

      • If you’re referencing the microsoft made statement that “windows vista is the most secure OS in existence”, I got news for you; everybody that believes that is dead wrong. I myself can take complete control of ANY windows vista machine in less than 5 minutes, and -given another 3 minutes- I can execute dban (darik’s boot and nuke; it’s a hard drive wipe utility) in RAM, wipe the entire hard drive, and then remote restart the computer when it’s done and the use will have to spend several hours reinstalling windows vista in order to use it. Now, let’s compare that with windows XP; it takes roughly 18 minutes to take complete control of XP, and to the best of my knowledge, I can’t get dban onto RAM to wipe the hard drive.
        And by the way; there are some boot sector viruses that are spread just by infected computers connecting to the ‘net, so the statement that social engineering isn’t the cause for all windows computer infections is a true statement.

    • Oh, and by the way, I’d be happy to address a less sensitive subject than OS security, if you or anybody can think of another good example of the principle I’m talking about, in the software arena.

      -Max

      • MMORPGs are devices that need security built in. They can be accessed by everybody, and if you give clients to much power, hacks can be built to be used against players or for personal profit. This is bad for MMORPGs, and can cause them to fail if they aren’t all that good to begin with.

        • Yeah, that’s a good subject. It’d be nice if there was some specifically-famous insecure one that I could address, that obviously suffered from the symptoms I discuss. Do you know of any?

          -Mxa

          • I can’t help you find an MMORPG with this type of flaw in it, but then, I’m not suppose to know the various types of calls that are made, and what is in my control on the client side of an MMORPG. Maplestory was a good deal full of hackers last summer…not sure anymore though;

Leave a Reply