Dinis Cruz wrote:
> The ones that I wish were listening are Novell and the Mono project.
> The path to a type-safe platform could start there.
Following this comment made on the previous thread, here are the reasons
why I wished Novell and the Mono project where listening to that
conversation (note: an edited version of this post was sent directly to
several Novell contacts who asked me 'What is it you wish we would
listen to?' :
---------------------------------
Dear Novell
What I meant by my comment, is that there is an opportunity today (2006)
for somebody (namely a company + community) to really grab the
'type-safe' + 'sandboxing' flag and run with it.
Here is a quick analysis of where we stand today:
- Vista failed to deliver a OS based on a type-safe platform
- 99% (or close) of the .Net Framework and Java code is executed in
an environment with no sandbox (i.e. executed: a) in Full Trust, or b)
with the Security manager disabled, or c) with no verification). Given
the amount of code deployed out there, there is no chance that a real
change will occur any time soon. Currently there is no interest from
Microsoft or Sun to address this issue and invest the time, energy and
resources required to solve it.
- Microsoft failed to make the paradigm shift from Full Trust to
Partial Trust when they released v2.0 of the .Net Framework (which would
had been the perfect time to do it)
- There is good grass roots support for type-safety
- There is a growing need to create secure and trustworthy
applications (with growing support from Governments, Large Corporations
and ultimately the end users)
- Sandboxing at the OS level, like the one in Vista's 'Integrity
Level / Privilege Isolation' and in Suse's AppArmour (sorry Crispin for
not replying to your posts on the previous SC discussion about
Sandboxing (it is on my to-do-list)) will NOT prevent exploitation of
the user's assets (like for example the user's email). These techniques
are designed to 'control' and 'Sandbox' unmanaged code, which is
something that I don't believe can be done today. A short term solution
(before we get to type-safe OS) would be to have environments like these
(which do add some security protection to the OS) supported by a
managed/verifiable environment responsible for executing the
managed/verifiable (potentially malicious) code.
- Apple has an amazing OS (which I am using at the moment) but
doesn't seem to be focused on type-safe / sandboxing issues too. Apple
also seems to (like most of the Open Source community) think that it is
immune to security vulnerabilities (just look at the way they handle
security patches at the moment)
- Novell has gained a huge amount of respect for its support for the
Mono-Project and for its support for Open Source
- Basically, Microsoft has lost the plot on Security and (as Gary
McGraw says) is too focused on bugs and not on architecture. They
(Microsoft) will have tough times ahead when Vista proves to be as
secure as XP SP2 was.
- IBM has seen the future and is re-organizing itself around the
concept of 'delivering enterprise solutions on top of Open Systems and
Open Architectures'
So, like I said above, there is a big opportunity for an Open Source
project, lead by a major company and based on a solid platform, to lead
the way in the move from unmanaged/unsafe code (where I am including
Full Trust .Net code in this category) to managed, verifiable and
type-safe code (which can be safely executed in Sandboxes and malicious
activity easily detected / mitigated)
Novell and Mono fits this bill perfectly.
And it would also give mono an unique point of sell, since at the moment
it is still a 'pour cousin of the .Net Framework'.
Ultimately the goal would be to build an OS on of top of a type-safe
platform. But before that the user-land world needs to be conquered.
A lot of research and effort must be placed on how to create powerful,
feature-rich and fast GUI applications built on type-safe code. This is
something that can only be done by a large community focused on a
powerful goal: *creating secure applications for execution on
secure/sandboxed environments.*
Imagine if this idea could be developed to such a state where (on
Windows) it would be safer to execute C# applications on Mono than on
the .Net Framework itself! (another area where mono could do really well
is in Hosting of Asp.Net applications (for example based on a Linux
distribution of a LAMM environment, hosted by a VirtualServer or VMware
host))
I believe that we are watching today the limitations, of both Open
Source world (with its 'many eyeballs') and Proprietary Code (with its
Secure Development Lifecycle) to create code that doesn't contain
critical security vulnerabilities (i.e. both can't do it (with maybe
some notable exceptions)).
What is needed is a new paradigm (well not that new if you ask Gary
McGraw) that *creates a financial-model that rewards the companies that
are able to create secure applications that can be executed on secure
environments *(the idea is not to prevent bugs/vulnerabilities from
existing, but to prevent the damage caused by their exploitation).
Ultimately all source-code will have to be released and made public (not
necessarily on an Open Source format, but at least available to peer
review and external (i.e. independent) analysis) , and again here Novell
and the other Open Source development companies have an advantage.
The other major asset which the Open Source distributions have (and one
which will be crucial in the future) is the centralized distribution of
Software (i.e. packages). In the future we will need entities that
certify the security of Software applications, which in an
unmanaged-code world (for example: C++ & Full Trust .Net ) is almost
impossible to do (i.e. say for sure that Application XYZ does not
contain a keyboard hook and direct access to the Internet), but quite
possible in a managed, type-safe and verifiable world.
Of course that more CLRs (with custom GC, Security managers, Class
loaders, verifiers, etc...) will need to be build, since the
requirements of a powerful Windows Application, are very different from
an Asp.Net Form, which are very different from a Device Driver.
Looking forward to your comments,
Best regards,
Dinis Cruz
Owasp .Net Project
www.owasp.net
-------------------------------------------------------------------------
Sponsored by: Watchfire
Methodologies & Tools for Web Application Security Assessment
With the rapid rise in the number and types of security threats, web
application security assessments should be considered a crucial phase in
the development of any web application. What methodology should be
followed? What tools can accelerate the assessment process?
Download this whitepaper today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000007t9h
--------------------------------------------------------------------------
