Editorial

Writing software for a malicious world

How do we write software that survives in a world of malware? Is it just a matter of writing safer code or do some of our core assumptions need to be modified? Will we, as users, have to change the way we use our computer? Unfortunately, in the realm of security, there is lots of uncertainty. There are only two things we know for sure: our data is valuable, and we’re not doing a good job of keeping the bad guys away.

Everything is valuable


Security measures are often weighed against the value of the data they protect. The more valuable something is, the more effort is justified in protecting it. We buy a safe for our passport, yet leave our books on a shelf. We put our money in the bank but put our socks in a drawer. In the offline world, we’re relatively good at defending our valuables or at least understanding their worth.

We’re still struggling in the online world though. We underestimate the value of intangible data and fail to foresee how we can be exploited.

The theft of an email address and password for a social media site can be ruinous. An author’s new book, a student’s thesis, or a band’s new song can be ransomed back to its owner. The history of a user’s Facebook postings can be used to manipulate their emotions.

Malefactors keep finding ever more creative ways to exploit small caches of data, and they are constantly being given new ways to access it.

Consider the issue of scale. Much of our core software is installed on billions of devices. Virtually all devices use the reference library for loading PNG images. Vulnerabilities in this code, which have been numerous, can affect everyone. A simple fad app, of no real interest, suddenly becomes installed on millions of devices. The theft of millions of emails from one service can be used to attack others, or even used to affect policy change with mass identity fraud.

Minor security breaches turn into major ruptures when applied to millions of people. Uninteresting data becomes extremely seductive when captured in bulk.

As our world becomes increasingly connected, the abuse becomes ever more likely. As developers, we have to stop regarding things as apps, devices, and protocols. These are all gateways to a person’s life — something we should handle with utmost care.

The problem of a high fence


Our first reaction to any vulnerability is to repair the breach. While necessary, this does little in the long-term fight against the attackers. They’ll find a new hole. They always do.

We need to assume that somebody has broken through the first line of defences, perhaps even the second line. Pretend that a malicious worm is ever present in our computer systems. What do we do?

Simple conveniences are our downfall here. We enjoy that an increasing number of devices can talk to each other. We prefer not having to enter passwords to open a document or send an email. We consider it essential that our messaging apps can share contact information. We like watching movies, or playing games, at the click of a button.

How much of this convenience do we have to give up to have a secure system? The answer is unfortunately not zero. At some point, we, as users, must face the reality that our computing experience will need to change in the name of safety.

What do we do?

The big question is how we get from where we are now to a safer place. There are countless things that developers can do to improve security, but who is going to invest the resources? Why even bother, when our competitors get only a slap on the wrist for mass data breaches?

What does a safer computer experience even look like? It’s difficult to impose change on users as they frequently balk at any inconvenience. Are our current operating systems even capable of reaching the security we need?

In this web of uncertainty one thing remains clear: we must assume the attackers are always there. We need to treat our software as the vehicle of people’s lives and strive to give those people safe passage.

1 reply

  1. What do you think about better isolation on the OS level, like what would be possible by building an OS on top of Genode, when it’s ready for production? It would make it possible, for example, for the user to set it so that apps would need to explicitly request access to the camera (microphone, GPS, thermometer, etc.) if you haven’t used them for 5 minutes, and you could exclude certain apps if you wanted. If you say no, the app could not even *reference* the camera (microphone, etc.), let alone access it, and this would be enforced by something as secure as seL4, at the lowest level. A camera app wouldn’t need network access to post on Instagram; it would have to do so by sending a message to the Instagram API client on your phone, a very tiny piece of code, which in turn would post it. The PNG library could be broken as hell, because the software using it would have literally zero access to anything but the camera, guaranteed by the OS.
