[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Security of UNIX, NT, etc. (Was: Clinton Freezes...)



James Donald writes:
> > At present it seems to me that unix machines on the internet
> > are intrinsicly insecure -- the methods used to secure them
> > are a collection of ad hoc patches.  For example all
> > unix machines are vulnerable to the trojan
> > horse attack.

Depends on what trojan horse attack you have in mind.
Well-designed B1-secure systems can get rid of most of the 
Trojan Horse attacks by storing the trusted computing base
System Low and requiring root to only execute programs at that level, 
and running all users at higher classifications, like Unclassified.
Since users can't write down, they can't hack the TCB, 
so the main opportunity for Trojan Horses is to trick trusted programs
into interpreting data in dangerous ways (e.g. executable editor 
macros in email, or exploitation of a much smaller set of bugs
than usual.)

> > Windows NT is supposedly secure.
<ftp://sounds.sdsu.edu/somedir/evillaugh.au>

And Perry replies:

> NT is about as secure as VMS was, i.e. not at all. Its just got
> different bugs.

As is any system that was designed for purposes other than security
and had security added on.

(On VMS: The C2-rated VMS systems came out somewhat before the
Worms Against Nuclear Killers takeover of a NASA(?) network;
it seems that being rated C2 doesn't prevent you from shipping systems
with the factory-equipped SYSTEM and FIELD account passwords left alone.)

> > Certainly its design makes it possible to write software that is
> > intrinsicly secure, rather than creating a particular fix for each
> > particular hole.
> 
> You mean, it makes proof of security possible for real programs? 
> That there is a proof of security available for the NT kernel?
> I'd settle for a proof of non-crashing myself.  Short of that I'm
> unaware of any system that is "intrinsically" secure.

I thought there were systems at at least the B3 level, if not A1;
Honeywell SCOMP comes to mind.  Of course, all those levels are
just Orange Book, and extending genuinely provable multilevel security
to the multi-computer networked problem was far beyond current research
when I was last current on the stuff.  (They could update me,
but then they'd have to kill me :-).)  There was also KSOS, but I don't
remember what level of security it reached.

There have been B2-rated networks which let single-level machines share 
a LAN (Verdix VSLAN), and there's a certain level of security you can get
running uucp on B1 systems, but bug-free shared networked general-purpose
systems are, uh, not very common.  And didn't Boeing have a high-rated
fiber LAN of some sort?

Actually, before networking, MS-DOS was perfectly secure.  After all,
there's only one User in the universe, and She is allowed to do
anything She wants, however ill-advised....


		Bill