The well meaning user, often an employee of the company, represents a particular threat to computer systems because they work within the security perimeter and must be handled gently. Software developers are beginning to build some established security techniques into their code in order to protect the system from malicious exploits and well intentioned blunders. For example, some tools in the GCC compiler can now detect buffer overflows which no amount of code gazing had revealed before. Modularity, variation, and randomization of memory, file handles or process IDs can also help limit the spread of exploits. Breaking systems into components means that discreet rules can be imposed in order to limit the tasks which different pieces can execute. This approach could, for example, be used to define the allowable actions of an image viewer very precisely, reducing the possibility that the viewer could be hijacked to spawn a shell for malicious intent. Separation of secrets is another helpful concept. For example, a bluetooth phone can work very well as a remote security device for user verification.
No matter how good our prevention methods get, Cox argues we must understand ways to mitigate attacks. Flaws in software are inevitable, and bound to grow given the complexity and ever more rapid development cycles. A current emphasis in RedHat's Security-enhanced Linux (SELinux) is to defend against the user as a point of vulnerability to viruses and spyware. The computer can be taught to enforce security policies that the users themselves are unlikely to uphold, given their propensity to ignore advisories and software dialog boxes. Software engineers must build in security that is active by default, and they must understand the user so that security tools are actually used. If security thwarts the users or makes them stop and answer hard questions, the users will inevitably bypass even the strongest security measures.
Alan Cox has been working on Linux since 1992. He was one of the original authors of both networking and multi-processor support for the Linux kernel. Cox was the original CERT security contact for Linux and continues to this day to be involved in the vendor-sec Linux security work for Red Hat as well as in security and IP policy through the Foundation for Information Policy Research
This free podcast is from our OSCON Europe series.