Sunday, June 20, 2021

Separating Functions makes Desktops Safer

Unless you’ve been visiting some other planet, it’s more than likely

you’ve heard or read about the so-called ‘rootkit’ software that was

found on some copy protected Sony BMG audio CDs recently.

It used to be we only had to worry about the bad guys putting bad stuff

on our computers. Now, we also need to worry about the good guys. Yes, I

know spyware has been around for some time now, but this case strikes me

as a particularly egregious example of good guys trying to do bad things.

In fairness, I should point out that the Sony BMG software in question

doesn’t appear to be the same situation as a traditional rootkit per se

— if there is such a thing as a traditional rootkit. For starters, it

doesn’t appear to be the case that the software was planted maliciously.

There’s no shortage of bad judgment, arrogance, and so on, but malice

still would be a stretch.

That said, it sure did have many of the same characteristics as the

rootkits that we’ve seen attackers use for more than a decade against our

computers — it hid its presence, was difficult to remove, and such. But

that’s not what I’m here to talk about.

What Sony BMG’s ill-fated copy protection software did was expose, yet

again, the weak underbelly of so many of today’s popular desktop

operating systems. Behind that user-friendly graphical interface lies an

enormous architectural flaw. (Well, to be fair, the flaw is really in the

way our systems are usually configured — albeit using the default

settings provided by their vendors all too often.)

Any guesses as to what this pernicious flaw is?

Consider this: On your desktop, are you able to run software, as well as

install it, all from your normal user account? It is painfully common to

find desktop user accounts with system-level privileges. That’s in direct

conflict with one of Salzer and Schroeder’s classic principles: least

privilege.

Sure, it’s easier to give users the ability to install software on their

own systems. The conventional wisdom in many IT shops is that it results

in fewer help desk calls from users who demand the ability to install

software. Although this may well be the case (but I’m inclined to

disagree), the problem that we saw with the Sony BMG copy protection

software is that the CDs in question were able to install their copy

protection software when the user inserted a CD containing the code. Had

that software installation failed due to insufficient privileges, the

rootkit would never have been installed. Oh, and the audio CD would

likely not have been played. (No good deed… )

Having general purpose desktop accounts that can run and install software

is an inherently dangerous practice that will inevitably lead to

re-installing your operating system when something really nasty happens.

Its sheer madness, if you ask me.

I’m not advocating environments where only the IT shop can install

software, although I’ve seen that work quite effectively more than once.

What I’m saying is that we would be well served to learn from the

historical mainframe operating systems and consider separating the

functions of software installation and software execution.

As in most mainframe operating systems, we’d have an administrative

account for software installations and lock down user accounts so they

can only run software. And, unlike most mainframe environments, it would

even be OK, at least in many cases, for the users to have access to both

worlds.

I know what you’re probably saying: Your desktop OS does exactly that by

way of an administrator account and regular user accounts.

As I said earlier, the underlying operating systems, by and large, have

the ability to do this right out of the box, but it’s common to find that

dangerously circumvented on desktop and laptop systems. In the desktop OS

installations I’ve done during the past year or so, I’ve found the

installation process generally drove me to give the desktop user the

privileges needed to install software.

I’ve also found that this dual account model doesn’t always work well

with all software, but that’s another issue.

Don’t get me wrong… I’m not saying a simple mechanism like this will

solve all of our security problems, but it will sure help with some of

them. When done well, this mechanism includes good old file access

controls that would prevent users (and the little nasties that follow

them home through their browsers, emails, instant messages, etc.) from

affecting the installed software base, from the OS through the

legitimately installed applications.

Bye bye, Sony BMG rootkit and the like.

And of course, the success of a plan like this would rest on the software

installation practices themselves. That is, preventing malware from

getting into the system while the user is running software would only be

effective if the software gets installed carefully, following sound

practices. I’m not unrealistic about what it would take to accomplish

this. It’s going to be tough to get the whipped cream back into the can,

as it were.

Even with these caveats in mind, I’m still convinced our desktop

operating systems would be safer places if we did a much better job at

separating the functions of software installation and software execution.

Similar articles

Latest Articles

3 AI Implementations That...

I was on a joint educational call for the World Talent Economic Economic forum on mobile computing this week. We drifted to topics that...

Survey of Site Reliability...

NEW YORK — Site reliability engineers (SREs) are warning of a looming scalability ceiling and saying the adoption of AIOps isn’t happening at a...

Druva Integrates sfApex to...

SUNNYVALE, Calif. — A maker of software for cloud data protection and management is helping companies safeguard essential customer data that their sales and...

Best Data Science Tools...

Data science has transformed our world. The ability to extract insights from enormous sets of structured and unstructured data has revolutionized numerous fields —...