Default permit still winning the security battle

I was stoked when Patrick Gray took up my suggestion to ask Marcus Ranum to reflect on “The Six Dumbest Ideas in Computer Security“.  I encourage you to listen to the interview for yourself, but my summary of it is that Marcus was mostly discouraged that very little progress has been made in computer security, while Patrick was of the opinion that a number of good lessons had been learned in certain key areas.

Patrick pointed particularly to Apple’s iOS as a commercially-successful example of default-deny execution policy.  Whilst iOS, Windows Vista and later, and even Android (to a lesser extent) have implemented varying levels of default-deny when it comes to execution of programs, I think default-permit policy is still the dominant mindset in our industry.  As I was listening to the interview, a few areas came to mind where it still seems to be true:

  • Outbound connections from client devices.  Despite the fact that client-based exploits have become the dominant method of compromising organisations (the so-called “Advanced Persistent Threat” which compromised RSA was started with a phishing campaign and an Excel-delivered Flash exploit) and security practitioners generally assume that client devices (whether PCs or phones) are routinely compromised, many (most?) networks provide allow outbound connections from client devices by default, often to any destination and sometimes on any protocol.  This is exacerbated by the appalling lack of proxy server support in most iOS and Android applications, which means that administrators of BYOD networks rarely have any choice in the matter if they want to provide a functional service.
  • Compounding the problem is the fact that generally when users browse or client-side apps make connections, all web sites are allowed.  In this area, enumerating badness (Marcus’ stupid idea #2) is still dominant; many (most?) web filtering solutions which attempt to protect clients from malware use a blacklist of known-bad sites.
    I’ve worked in K-12 school IT management, support, and consulting for a number of years, and every now and then the suggestion of whitelisting web sites comes up.  That’s usually all that happens.  Other fields (perhaps banking, industrial control systems, or medical applications?) might also consider it, but I suspect that they end up with similar conclusions (i.e. that it’s impractical to implement).  (I’d love to hear from anyone who has actually tried this in a real network.)
  • Scripting languages are a common exception to the default-deny execution policies of operating systems.  To my knowledge, Windows PowerShell is the only common scripting system which allows for script signing policies.  However, scripts can request that Windows simply turn this feature off, which defeats the purpose.  To my knowledge, no signing system or default deny policy has ever been implemented for Unix/Linux systems (other than the default protection provided by Mandatory Access Control systems like SELinux and AppArmor).
  • The Android application permissions system is one of my pet peeves. Android applications must inform the Google Play store about which security- and privacy-related features they intend to use.  This is good; however, permissions are approved when the application is installed, and users only have the choice of installing or not installing.  Many applications require permissions that are not obviously critical to their operation, but because users typically try to install an application because they want to use it, an informed evaluation of an application’s permissions is rarely performed at installation time.  Most applications are installed regardless of what permissions they request.  So effectively, this becomes a default-permit situation.  (Moxie Marlinspike‘s WhisperSystems seemed to be making progress on this before they were acquired by Twitter, and I hope that Open WhisperSystems takes up this work again in the near future.)

All of this says to me that we’re still living very much in a default-permit world, and there’s a lot of work to be done before we can confidently say that progress has been made in this department.

I’d love to hear any further thoughts on this; you can reach me through the feedback page, or on Twitter.