Going Back to the Future in the Name of Better Security

NEW YORK–If Bill Cheswick had his way, the future of computing and computer security would look a lot like the distant past, with trusted platforms, small programs, applications that can’t affect the operating system and resistance to user mistakes.

Cheswick, a former Bell Labs computer scientist and longtime speaker on security topics, echoed what many people in the security field have been saying for years now: The current way that we’re thinking about and deploying software and security isn’t working well enough and needs to be rethought. This is a familiar refrain for anyone who’s been paying attention to the direction of the security community of late, but Cheswick said that the solution to the current problem set doesn’t involve adding successively thicker layers of security onto existing platforms. Rather, he envisions a reboot of the computing ecosystem itself.

“I think we can build an affordable computing platform that can’t be compromised by user error not involving a screwdriver,” Cheswick said in a keynote talk at the OWASP AppSec USA conference here Wednesday. “You couldn’t compromise the apps, you couldn’t affect the OS, you couldn’t own the machine. It’s not about user education. It’s bad engineering to rely on grandma. There shouldn’t be anything she can do to affect the system.”

The ideal compute platform would include trusted hardware, trusted firmware, a sandbox and a trusted operating system, Cheswick said. The stack he described is not a novel concept. Older platforms, going back several decades, relied on this architecture, he said, and it’s been proven to be reliable and secure. The problem is that the current software and security ecosystems have evolved to a point where implementing something like that would be expensive, at least at the beginning. However, Cheswick believes that it would be worth the start-up costs and effort in order to spread the benefits to the widest possible user base.

Detecting intrusions and compromises of software and devices is the main goal of much of the security software in use today, but Cheswick maintains that model needs some tweaking.

“We’ve already lost once the evil software is on the machine,” he said.

Preventing attackers from getting their mitts on a target machine in the first place should be the goal, he said, and Cheswick believes it can be achieved by separating the core components of the computing platform from the pieces the user needs to touch.

“I want a system where the OS can’t be changed or subverted regardless of the app that’s run or the user’s action. The apps can’t taint the OS or other apps,” he said. “Random Web software can run in a sandbox and it can have arbitrary amounts of evil and it won’t do any harm. And we need ubiquitous end-to-end crypto. I want my kernel to be cast in adamantium before it goes onto the machine. I don’t want it to change once it loads.”

Some of the features that Cheswick described have been implemented in various platforms over the years, most recently in Apple iOS, which will only run signed code and treats the device as a trusted platform. Whether that model becomes a dominant one in the years to come remains to be seen, but Cheswick said he thinks there’s a good chance it could happen.

“I think we can win. Correct software can be implemented if we’re very careful,” he said.