I hate band aids. No, not the kind you put on a scraped knee. I’m talking about the kind we’ve been layering on top of our broken software. Firewalls, intrusion detection systems, anti-virus, and perhaps the saddest of all, data loss prevention. They are all band aids we’ve invented because our underlying systems are fundamentally flawed, and will never be secure. And thus was born defense in depth.
There are times when you’ve made so many mistakes, and are in so deep, that it’s best to just start over. Of course, that’s not going to happen anytime soon. However, I still have hope that research into operating systems security can make a big impact in terms of improving end-point security, and reducing our reliance on expensive and ineffective products.
I recently came across a couple of promising projects. The first one, Qubes, is already available in a prototype form. This is an effort by Invisible Things Lab to design and implement a more secure OS. They liberally take advantage of virtual machine technology (and the latest hardware) to isolate one part of the system from all others. Even the networking subsystem runs in its own unprivileged “NetVM.” I think Qubes has a lot of potential, and I really hope it continues to mature.
The second development I read about is really just an idea at this point; it’s an academic research project, and is only now getting started. Using a hefty grant from the National Science Foundation, a professor at University of Illinois at Chicago is going to design and build a security-focused operating system called Ethos. Once again, the plan is to make use of Xen-based virtual machines to enforce isolation.
These attempts at improving the OS are still not hitting the root cause of most security issues (poorly designed software), but they are at least trying to mitigate the damage caused next time your browser’s Flash plug-in gets pwned. I think that’s a step in the right direction, at least until we’re ready to throw in the towel and start fresh with this whole “computing” thing.