The famous security researcher Joanna Rutkowska has posted on her blog an article entitled The Game Is Over! and as a typical second class blogger I jump on it and give my (unrequested) comments :-).
The post reiterates two of the ideas she has been promoting recently:
- The security industry doesn’t focus enough on the detection of kernel-level compromises
- Current OS’s and programs are not designed such a way that their integrity can be easily verified
My opinion about this matter is: generic detection of kernel level compromise is very, very hard (I would venture to say impossible). The good news is that 99.9999% of all kernel level malicius code out there can be detected by a sufficiently skilled individual (the fact that the hourly rates of somebody with these skills is most probably very high is an other question). Many of them however can not be detected by
point-and-click tools. The (economical) equation is the following: if you got compromised and you are a large company who can afford to bring in outside specialist (because most probably you don’t have them on staff), you can pretty much track down all the traces of the infection with a very high probability. If you on the other hand are a home user – it is truly game over for you and all you can do is to start from the beginning the wipe / reinstall / patch cycle.
Now for the fact that all of the generic defenses incorporated in the OS (like ASLR, stack canaries, etc) can by bypassed: this is true. However, life is a game of probabilities (or ROI if you are an economist :-)). If you have a new vulnerability, which can be exploited with a probability of 0.9 on systems which don’t have any of the security measures, with a probability of 0.5 on systems which have some of these features and a probability of 0.1 on systems which have all the security features, would you classify these solutions as useless just because they failed to totally prevent the exploitation? The provided you nine times better security than a vanilla system with none of these feature activated! I can certainly see the desire of Joanna Rutkowska for finding
the best solution, given her mathematical background – where most statements can be either proven right or wrong – but IT isn’t mathematics :-).
Finally: building a verifiable OS is an interesting idea, but it’s just a research topic and most probably it will remain so for the longest time (just look where Hurd or Minix is and where Linux is – the first two are focusing on getting things right while Linux is focusing on getting things done).