by Jamie Beckett
Want to know why we can't rid ourselves of viruses? It isn't that there
are more attacks or that they're more malicious. It's your operating system:
No, not just Windows, but Linux and Unix and Mac and any other widely used
OS.
The virus you get when you launch an e-mail attachment, edit a file with macros
or visit a Web page containing malicious code isn't exploiting an inadvertent
security hole. It's just using the operating system the way it was designed
to be used, basing its authority on the identity of the logged-on user.
That means any program you run can use your computer to do anything you might
do with a computer -- whether you want it done or not.
It doesn't have to be that way, says HP Researcher Alan Karp. "There's
no inherent reason why a Solitaire game, for instance, needs to
be able to search your desktop, or why a spreadsheet program needs
the ability to search your disk for secrets or put a Trojan horse
in your startup folder."
Karp is leading a research effort at HP Labs toward virus-safe
computing. The team's answer is based on what's known as the Principle
of Least Authority, or POLA -- limiting the rights of each program
to only the ones needed for the job the user wants done.
"Most people ask how we can prevent attacks from succeeding," Karp
observes. "We think an equally important question is, how
can we limit the damage an attack can do?"
Experimental research software being developed at HP Labs takes
exactly this approach.
It doesn't affect the operating system or alter applications. What it does
is change how an application is launched. Instead of starting an application
in the logged-in user's account, it configures applications so they
automatically launch in a quarantined environment and have only the
permissions they need to perform their primary processes.
The result: A standard program like Microsoft Word is limited so that it can
edit the document you have open and nothing else. It can't erase your hard
drive. It can't download spyware. It can't divulge your passwords. The same is
true for other programs, such as Microsoft's Internet Explorer, Excel,
PowerPoint or any other application configured with the experimental HP
virus-safe computing software. And it doesn't require the frequent updates
that virus scanners do.
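The launch-time idea above, as an added illustration that is not HP Labs' software: the launcher opens the document itself and hands the application one file descriptor, with inherited descriptors, environment and working directory scrubbed, so the application is never given a path. The `EDITOR` stand-in, `launch_with_document` and `demo` are constructed for this example.

```python
"""Launch-time least authority: the child gets one open document, not a path.
Limit of this demo: the child still runs as the same user, so it keeps that
user's ambient authority; the quarantined launch in the article removes it."""
import os
import subprocess
import sys
import tempfile
import textwrap

# Stand-in "application": an editor that upper-cases whatever it is handed.
# It receives only a descriptor number on argv and never sees a file path.
EDITOR = textwrap.dedent("""
    import os, sys
    fd = int(sys.argv[1])
    data = os.read(fd, 1 << 20)
    os.lseek(fd, 0, os.SEEK_SET)
    os.ftruncate(fd, 0)
    os.write(fd, data.upper())
""")


def launch_with_document(doc_path: str) -> int:
    """Run EDITOR with authority over doc_path only; return its exit status."""
    fd = os.open(doc_path, os.O_RDWR)
    try:
        env = {"PATH": os.environ.get("PATH", "/usr/bin:/bin")}  # no HOME, no secrets
        with tempfile.TemporaryDirectory() as scratch:             # empty working dir
            proc = subprocess.run(
                [sys.executable, "-c", EDITOR, str(fd)],
                pass_fds=(fd,),   # the one granted capability
                close_fds=True,   # no other inherited descriptors
                cwd=scratch,
                env=env,
            )
        return proc.returncode
    finally:
        os.close(fd)


def demo(contents: bytes) -> bytes:
    """Write a constructed document, launch the editor on it, return the result."""
    with tempfile.NamedTemporaryFile(delete=False, suffix=".txt") as f:
        f.write(contents)
        path = f.name
    try:
        if launch_with_document(path) != 0:
            raise RuntimeError("editor exited with an error")
        with open(path, "rb") as f:
            return f.read()
    finally:
        os.unlink(path)
```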
An alpha version of the software for Windows XP is being tested in a
small, controlled trial by users at George Mason University in Northern
Virginia and the U.S. Navy. The software is being run locally on several
PCs as a testing bed, and a successful pilot could lead to much broader
use by these organizations. About 40 users in HP Labs (including the author of this piece)
are also participating in the test.
Early tests have shown that the software simply and effectively
prevents viruses from spreading and corrupting entire systems.
"There's definitely an added comfort level," says Bill
Tulloh, a cyber security researcher working at George Mason who's
been testing the software since September. "If a problem does
occur, the damage it can do to my computer is greatly limited."
He also likes the fact that the software responds to new types
of attacks that haven't been anticipated by anti-virus software
makers.
Tulloh says he and others are currently talking with IT officials
at George Mason about expanding testing of the HP Labs software
at the university.
Karp and his team -- visiting scholar Marc Stiegler and researchers
Ka-Ping Yee, Mark Miller and Tyler Close -- aren't the first people
to attack this problem. But previous solutions, says Karp, were
generally too hard to use or too intrusive to be effective.
One common method, known as sandboxing, involves producing a set
of rules for each program. Trouble is, the rules are hard to modify
if your needs change.
Some security solutions allow users fine-grained control of their
programs, but then must constantly ask users' permission to perform
certain functions. These are the familiar dialogue boxes that pop
up when a file contains a macro. Should you disable macros? Enable
them?
"They don't give you enough information to make an intelligent
decision," says Karp. "You don't know what benefit you
get by allowing this action and you don't know what risk you're
taking."
If you click "no," you lose functionality. If you click "yes," your
system could be harmed.
The team's solution builds on earlier work by Stiegler, who built
an interactive desktop environment using the Principle of Least
Authority that doesn't require dialog boxes or ask users to accept
digital certificates.
"It's really as much about usability as security," Karp
notes. "We're trying to make the user experience with our
software identical to a standard Windows desktop."
How close does it come? Early versions of the software were similar
to, but not identical to the typical Windows experience, users
say.
The current version of the software also has difficulty with linked
files, such as spreadsheets containing references to other spreadsheets,
and researchers haven't yet figured out how to deal with some programs
such as Direct3D -- used in much game software. Direct3D is incompatible
with the software's security machinery. Some users have run into
difficulty with dragging and dropping files between applications.
Researchers expect to produce a Beta version of the software by
the end of the summer. That will address many of the users' issues,
as well as block keyboard sniffers that attackers use to capture
passwords.
But Karp says the team's main goal is to make it possible for
people to use their computers -- and all their features -- without
security-imposed restrictions.
"Most people would say that the only way to be secure is to stop
using features -- don't open e-mail attachments, don't allow scripting," says
Karp. "If the only answer to attacks is to disable useful
features, we'll end up unplugging our computers and storing
them in the closet. We've demonstrated that it is possible to build
systems that are more secure, more functional and easier to use."