{{Header}} __FORCETOC__
{{title|
title=About Computer (In)Security
}}
{{#seo:
|description=Overview about About Computer (In)Security, Trusted Computing Base, Bad Usability of Programming Languages, Too much Software Written in Unsafe Languages, Backdoors, Purposeful Vulnerabilities in Software, Miscellaneous
|image=Insecurity123.png
}}
[[File:Insecurity123.png|thumb]]
{{intro|
Overview about About Computer (In)Security, Trusted Computing Base, Bad Usability of Programming Languages, Too much Software Written in Unsafe Languages, Backdoors, Purposeful Vulnerabilities in Software, Miscellaneous
}}
= Trusted Computing Base =
A secure and trustworthy computer is a computer that only does what ''you'' (think you) tell it to.
Computers are insecure and not trustworthy and there is nothing we can do about that. Computers are "universal machines" (see Von Neumann, Turing). They can be instructed to do anything they can do according to the laws of physics. It is important to understand that a computer can't discern between "good" and "bad" instructions, bits are bits. There are two general problems:
(1) There are a lot of people who can instruct a given machine to do something (anything!), we need to trust them all, or verify everything, which is impossible.
If you read or write all instructions (kernel, software, firmware) yourself, study the hardware design (so you understand what an instruction actually does) and compare that with the actual hardware and then make sure you are the only one who can access the machine and give it new instructions, you need to trust that other people only give the machine instructions to do things that you want it to do. You can tell it to accept other, external untrusted instructions in a restricted, controlled fashion (like "render that html but other wise don't touch my system") but this is next to impossible to do reliably because of point 2). Otherwise you could never connect that machine to a network or transfer any input from another system to it ("input" and "instructions" has to be understood in a very broad sense, it is not just about executable code, it can as well be media files or hardware devices that are being attached).
The "Trusted Computing Base" (TCB) refers to all instructions and hardware used to restrict a "universal machine" from accepting and acting on (other) arbitrary instructions. It is used to set a certain security policy to enforce that a computer only does what these trusted instructions allow it to. "Trusted" simply means that we have to trust it, not that it is wise to trust it. The TCB tries to restrict what instructions can do but it consists of instructions itself. It can't restrict or police itself. Any flaw whatsoever in the TCB directly results in a compromise of the security of the system.
(2) The machines themselves and the instructions are incredibly complex.
Even in an ideal world with mathematically verified hardware and software we may think we are giving instructions to do A while in reality the instructions tell it to do B, or also B. Machines can not make "mistakes" but they certainly can do unexpected things...
We can't give machines instructions in our language (programming language) it needs to be in machine code. The translation is so complex that we need another machine to do that for us, and to create that machine another was used and so on. This expands our chain of trust to basically all machines and humans involved to the first compiler created by an assembler which in turn was created by hand-written machine code or [https://en.wikipedia.org/wiki/Programming_language#Early_developments earlier] even [https://en.wikipedia.org/wiki/Punched_card punched cards].
Hardware is fallible, hardware failure can result in entirely unpredictable results. Cosmic rays "flipping a bit" or just bad memory and extreme temperatures? Look up "Bit-squatting" for an example. Software depends on the hardware to function perfectly, what happens if the most basic assumptions are betrayed?
Another example for complexity, side channel attacks: they are very difficult to protect against and poorly understood by most software developers. E.g. through power or CPU load analysis otherwise isolated parts outside the TCB can influence or eavesdrop on privileged encryption. In other words, determining what is part of the TCB and what is definitely not, is a very hard problem. See for example Spectre and Meltdown.
If that wasn't enough we also have the problem that circuit layouts, microcode and firmware of most vendors is proprietary ([[Avoid_nonfreedom_software|nonfree]]). Part because of competition concerns, part because they are afraid of patents... In any case, this makes verification even more difficult that it already is. Further "hardware" (which includes firmware, i.e. software) is becoming more and more capable (#complex and dangerous). Features like Trusted Computing when used to prevent ring 0 access from the user and owner of the computer, [https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface EFI] that has Internet connectivity and can update itself or Intel RMM / Intel AMT / Intel ME which can grant remote access that is invisible to the user and operating system (OS) combined with a less than perfect track record (e.g. see Intel related research by Invisible Things Lab) doesn't exactly spell trustworthy and 100% dependable.
Conclusion: The TCB can never really be trustworthy. The source code of every currently usable OS kernel alone is too complex and large to completely audit and make error free, not just for a single human but even for large groups like the "Linux community". But let's assume we solve that (e.g. through using microkernels and formal verification): How do you make sure compiled binaries are actually doing what the source intended? Or, how can you verify that complex hardware and integrated circuits are actually built according to their intended design? For all the verification and auditing processes we are dependent on other complex computer systems that would have to be trusted unconditionally. Bootstrapping trust is a chicken and egg problem. We would have to be able to verify systems with just looking at them with our bare eyes and hands or build/verify all systems necessary to bootstrap a modern compiler and hardware development platform. This may have been possible for the first "computers" in the first half of the 19th century but not anymore.
Since there's nothing we can do about that, what else can we do then?
We need to design our systems in a way that makes it no longer necessary to trust them 100%. We only need to trust that it is good enough and that it is astronomically unlikely that multiple diverse systems are untrustworthy in the same way.
If you don't want a computer to be able to tell anyone your location or identity better make sure the computer doesn't know either... The {{project_name_long}} security design in some ways mimics the security design of the Tor network itself: Don't trust any single entity to be trustworthy. We only rely on the fact that it is unlikely that all entities (nodes, computers) are compromised and colluding. To be precise, that's a goal that is not achieved yet with {{project_name_long}} alone. One could also say that the actual TCB of such a "system" (actually multiple systems) becomes the design, arrangement and usage policy which is very well possible for every user to comprehend and verify.
This could be compared to the "Air Gap" used on most high security networks. They assume that the TCBs are not trustworthy and work around that using a simple and easily verifiable policy that basically eliminates the complete attack surface or hardware and software bugs and even protects against most backdoors (for example, a subverted PRNG could still result in weak crypto being exported from the trusted network where it can be recorded and "cracked" by an adversary. A strong pyhiscal isolation based system could then encrypt data twice on different systems using different PRNG implementations to protect against such attacks.)
[[Physical Isolation]] in the sense of {{project_name_short}} is not a new idea, see [https://www.cs.utexas.edu/ftp/boyer/cli-reports/070.pdf Verifiable Computer Security and Hardware: Issues by William D. Young. September 1991 (PDF!)] page 18 for a summary. It seems like the idea was rediscovered by {{project_name_short}} (independently, and we came up with the same term), to our knowledge {{project_name_short}} is currently the only project following this approach in a defined way.
= Security Mindset of Open Source Software Ecosystem =
Upstream distributions (such as Debian) can mostly only package available upstream software but not re-write most. Though, a lot upstream software was created with priorities and not necessarily highest security in mind. A lot required functionality is only available through "legacy" software written in memory-unsafe programming languages. The whole Open Source software ecosystem was never primarily focused on highest possible security to begin with.
[https://www.youtube.com/watch?v=31xA9p3pYE4 36C3 - Das nützlich-unbedenklich Spektrum] does not sound promising on general trends in computer security. Quoting freely. "More and more companies (such as google chrome to pick one example among a trend) move to an approach where security bug reports are disregarded unless a proof of concept exploit is being provided. Mitigation methods for bad, potentially exploitable code are preferred over actual security bug fixes because there is too much source code, complexity is too high and the total number of bugs is unmanageable."
See also [[Linux User Experience versus Commercial Operating Systems]] to learn about organizational issues in the Open Source ecosystem.
See also [[Dev/Operating System]] to learn about which operating systems were considered for {{project_name_short}}.
= Bad Usability of Programming Languages =
Too much software which is part of the TCB is written in very old programming languages such as assembler, C and C++. These programming languages are unsafe and difficult to master. There are many ways to make mistakes. Review of software written in such languages is difficult even if the author had good intentions. It is getting worse if the author had malicious intentions. Auditing exiting source code can be super difficult, see [https://en.wikipedia.org/wiki/International_Obfuscated_C_Code_Contest Obfuscated C Code Contest]. Most times it is easier to write source code than to understand source code written by a third party. Geeks will disagree however due to the flood of security issues it should be abundantly proven that there is rarely security bug free source code. Therefore the conclusion is undeniable that there are safety and usability issues in programming languages and the overall tool chain.
Even easier programming languages such as ruby are still too difficult to learn. Therefore the number of hobbyists motivated/capable to use them is limited. Programming languages that focus on usability, run usability studies and iterate according to usability research, that can be understood by as many people as possible are yet to be invented.
= Too much Software Written in Unsafe Languages =
This is partially because by the time the software was written there were no easier / more suitable programming languages available. Also performance considerations were part of this. Nowadays too few people are sufficiently aware, funded and/or motivated to replace this software with rewrites in languages with higher safety and usability. In the very strong opinion of the author, for "perfect security" a lot old source code written in unsafe languages would have to be rewritten in safe and easy (yet to be invented) programming languages to keep the amount of code in the TCB which is written in unsafe languages at a minimum to make it manageable to audit and free of security issues. This however is very unlikely to happen.
= Too much Source Code =
The issue with Open Source security is that there is too much Open Source code. Leading to scattered attention and a lack of laser focus. There exists a limit to the amount of code, multiplied by its complexity, that the community can effectively review.
https://xkcd.com/927/
For many tools it's hard to choose because there are so many.
Therefore, the only feasible solution appears to be a significant simplification of the process. Otherwise, we risk allowing large corporations to dominate software development.
= Too Much Complexity =
Open Source projects such as the major browsers ([[Firefox]], [[Chrome]]) and the mobile operating system Android are much too big for anyone to fully independently and finally [https://en.wikipedia.org/wiki/Fork_(software_development) software fork] without having to look back upstream and rebase.
* '''What is upstream?''' The original developer such as Mozilla being the original developer of Firefox.
* '''What is a software fork?''' TODO
* '''What is a rebase?''' ''Rebase'' in this context refers to the process of integrating changes from the original software (upstream) into a forked version.
* '''Why is rebase necessary?''' This helps to keep the forked version up-to-date with the latest developments and improvements made in the original software.
* '''What would happen if no rebase happens?''' More and more websites would break, become inaccessible over time due to the constantly changing web standards. Security issues found and fixed in later releases by upstream would neither be reported nor fixed in the old source code. The fork would then be responsible for keeping up with web standards and security maintenance.
Popular, well maintained forks of popular browsers such as [[Tor Browser]] and [[Mullvad Browser]] being a fork of [[Firefox]] usually for the ESR (which stands for extended support release) version of the browser. This is because the ESR version moves slower. This is to say that less source code changes are introduced during the lifetime of the ESR. This gives Linux distributions, enterprises and forks more time to develop and test their patches based on the ESR. While it might be possible for forks to audit the changes from one browser ESR version to the next minor ESR update, at some point the browser vendor will deprecate an ESR version and release a new ESR version.
Most forks of [[Mobile_Operating_System_Comparison|mobile operating systems]] are based on Android.
Constant nursing required or breaks over time.
People give up. Cannot keep up.
Millions of lines of code. Too quick. Review in theory but nobody can keep up.
Open Source or not almost irrelevant. Still useful still right but much less so. Turned somewhat ad absurdum.
= No Final Specification =
Never finished.
Chasing own tail not productive.
= Purposeful Vulnerabilities in Software =
In 2021, researchers at the University of Minnesota released a paper that revealed they had purposefully tested the feasibility of introducing vulnerabilities (use-after-free bugs) in open source software (OSS) -- in this case the Linux kernel -- via "hypocrite commits." They defined these commits as "...seemingly beneficial commits that in fact introduce other critical issues." [https://raw.githubusercontent.com/QiushiWu/qiushiwu.github.io/main/papers/OpenSourceInsecurity.pdf] While this research is ethically questionable, it prompts doubt about the OSS claim that this development approach produces more reliable, secure and higher-quality software, particularly since the "many eyeballs" approach is suggested to increase the rate at which bugs are identified and fixed. The paper is significant because the Linux kernel powers billions of devices world-wide and the hypocrite commits were not identified until the researcher's paper was published.
The researchers identified three primary reasons for why hypocrite commits to the kernel were possible: (1) OSS is open by nature, so anyone from anywhere, including malicious ones, can submit patches. (2) Due to the overwhelming patches and performance issues, it is impractical for maintainers to accept preventive patches for “immature vulnerabilities”. (3) OSS like the Linux kernel is extremely complex, so the patch-review process often misses introduced vulnerabilities that involve complicated semantics and contexts.
Suggested mitigations included: