In my recent exploration of Windows Vista x64 security features and Patchguard (see pt1 and pt2), one of the issues sent my thoughts in the direction of how “perfect” security features are (or are not) and how that affects their security value to customers.
So, here is the scenario. You read about a new security feature in JeffOS that has been reported to improve security. Let’s say the feature helps stop exploits of heap overflows. Is this feature perfect? No, it does not stop many, many exploit scenarios. A few days later, you read a paper titled “Bypassing JeffOS Heap Overflow Protections” and you find that a technique has been found that can bypass the new security feature, but only when the heap begins on an odd-numbered byte (I am making this up, in case you can’t tell). Wow, has the new feature now lost all value? I would personally say no; though its effectiveness has been reduced, it still stops many exploits. It is kind of a gray area though.
Let’s look at some common security capabilities and see how “perfect” they might be.
Firewalls. A classic security tool that can be set up to block incoming and outgoing traffic. Some types, though not all, also allow explicit examination and control based upon protocol traffic content. Are these perfect? No. Any information flow inward allows some form of attack. Incoming email can contain malicious code, for example. Even at best, these only limit which protocols an attack can arrive over. Let’s say a firewall is locked down to disallow all traffic except outgoing HTTP connections for web surfing. Take a look at Bypass Firewall – Bypass Proxy – HTTP tunnel, one easy-to-find example of how to bypass even this narrow policy. Still, firewalls add some security value, so we use them.
Encryption. Let’s take a look at “strong” encryption. I don’t even need to define strong; let’s just say some algorithm with some key length is “strong” by today’s standards. What does that mean? Informally, it means that it would take way more time and resources to break by brute force than most people have. Is it perfect? No. Governments may have enough resources. Further, if Moore’s law holds and computing power keeps doubling, then to maintain the same strength of protection, one needs to add a bit of key length every 1.5 years. Perfect? No. Security value? Yes.
Anti-virus. No brainer. Please keep your signatures up-to-date. Even then, still not perfect. Value? Yes.
Intrusion Detection. Please! Perfection? False positives, anyone? Security value? Maybe.
Address Space Randomization. This is a great example. The PaX Linux kernel patch, among other things, randomly arranges program memory. This doesn’t stop any specific exploit with 100% assurance, but it makes certain types of common exploits rely on luck for success, resulting in a severe limitation on their ability to succeed and spread. Perfect? Far from it. Security value? Incredible! [By the way, Microsoft is introducing Address Space Library Randomization in Vista and Longhorn Server.]
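To make the “rely on luck” point concrete, here is a toy model I am adding to this post; it is not PaX or Vista code. It assumes a constructed target whose library base is chosen uniformly from 2^entropy_bits page-aligned slots, an exploit with one hard-coded address that only works when the guess is right, and that every wrong guess crashes the process, which is exactly the signal a defender can count.

```python
"""Toy model of how address-space randomization turns a reliable exploit into
a gamble.  Added illustration for this post, not PaX or Vista code.

Constructed assumptions:
- the library base is drawn uniformly from 2**entropy_bits page-aligned slots
  each time the process starts;
- the exploit has one hard-coded address and succeeds only when that guess
  matches the live base;
- each wrong guess crashes the process, so a defender can count crashes.
"""
import random

PAGE = 0x1000  # assumed page size for the toy layout


def guess_success_probability(entropy_bits: int) -> float:
    """Chance that a single fixed-address attempt hits the randomized base."""
    return 1.0 / (1 << entropy_bits)


def expected_attempts(entropy_bits: int) -> float:
    """Mean attempts until the first success (geometric distribution, 1/p)."""
    return float(1 << entropy_bits)


def simulate_attacks(entropy_bits: int, attempts: int, seed: int = 1) -> dict:
    """Run `attempts` exploit attempts, each against a freshly randomized
    process, and return how many succeeded and how many merely crashed."""
    rng = random.Random(seed)
    slots = 1 << entropy_bits
    # The exploit author tested on one box and hard-coded the base seen there.
    hardcoded_base = rng.randrange(slots) * PAGE
    successes = crashes = 0
    for _ in range(attempts):
        live_base = rng.randrange(slots) * PAGE  # re-randomized per start
        if live_base == hardcoded_base:
            successes += 1
        else:
            crashes += 1
    return {"successes": successes, "crashes": crashes}


def crash_alert(crashes: int, window_minutes: int,
                threshold_per_minute: float = 1.0) -> bool:
    """Defender-side check: a burst of crashes of the same service is the
    telltale of something guessing against randomization.  Threshold is a
    constructed placeholder; tune it to the service's normal crash rate."""
    return crashes / window_minutes >= threshold_per_minute


if __name__ == "__main__":
    for bits in (0, 8, 16):
        r = simulate_attacks(bits, attempts=10_000)
        print(f"{bits:2d} bits: p={guess_success_probability(bits):.6f} "
              f"successes={r['successes']} crashes={r['crashes']} "
              f"alert={crash_alert(r['crashes'], window_minutes=60)}")
```

With zero bits of entropy (no randomization) every attempt lands; with sixteen bits the same exploit needs tens of thousands of tries on average, and each miss is a crash that shows up in the service's event log long before the attacker gets lucky. That is the whole value proposition: not a guarantee, but a steep change in the odds plus a loud failure mode.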
Obviously, we could go on, but I think these examples make the point.
It is very common to hear someone say that there is no such thing as a silver bullet for security. I think that’s okay. Maybe a better approach is to develop lots of overlapping protection mechanisms that together can be silver buckshot! For Windows Vista, we may have a good start at that with the SDL process, /GS, NX, ASLR, Service Hardening, Defender, Patchguard, Code Signing, and so on.
Think Security ~ Jeff