Linked by Thom Holwerda on Tue 30th Aug 2011 17:29 UTC, submitted by Dale Smoker
OSNews, Generic OSes "What would an operating system look like it if were redesigned with security in mind? Joanna Rutkowska thinks she has the answer with the development of Qubes OS. We sit down for an interview with Joanna to discuss the way Qubes OS augments security."
Thread beginning with comment 487761
RE[2]: Secure OS?
by moondevil on Wed 31st Aug 2011 10:35 UTC in reply to "RE: Secure OS?"
moondevil
Member since:
2005-07-08

An operating system coded in a mix of C and Assembly, without capabilities, and which relies on pure code review as its security measure is by definition not secure.

I am a firm believer in the use of safe languages for system programming. A few examples do exist, but it takes years before the status quo of current systems changes.

In a way we have to thank all the kids exploiting badly coded applications out there. They have raised the awareness that sometimes safety is better than raw speed and made it easier to get research grants for OS development with safe system programming languages.

Reply Parent Score: 2

RE[3]: Secure OS?
by joshv on Wed 31st Aug 2011 11:41 in reply to "RE[2]: Secure OS?"
joshv Member since:
2006-03-18

What is a "safe" language? Java was supposed to be safe, but there are regular JVM exploits. Perhaps Java isn't on your safe list, but how do other languages do it differently enough that they aren't vulnerable to similar exploits?

Reply Parent Score: 2

RE[4]: Secure OS?
by renox on Wed 31st Aug 2011 11:53 in reply to "RE[3]: Secure OS?"
renox Member since:
2005-07-06

What is a "safe" language? Java was supposed to be safe, but there are regular JVM exploits.

Note that the JVM isn't coded in Java, so JVM exploits don't count as Java vulnerabilities.

Anyway, I agree with you that "safe" languages don't really exist, but "safer" languages (i.e. safer than C) do exist.

Reply Parent Score: 2

RE[4]: Secure OS?
by moondevil on Wed 31st Aug 2011 12:22 in reply to "RE[3]: Secure OS?"
moondevil Member since:
2005-07-08

Safe languages are languages that do the following:

- Bounds-check validation of arrays;
- Use proper string data types;
- No direct port IO;
- No pointer arithmetic;
- GC enabled if possible;
- Force initialization of variables before use;
- No direct conversion between data types

Ada, Oberon, Modula-3, D, Spec# are a few examples of safe system programming languages with real OSes written in them (except D).

Usually you can still do the same dirty tricks that C and C++ allow, but only via unsafe mechanisms, which you have to call explicitly, and it is very easy to constrain their usage to specific modules. Whereas in unsafe languages they can happen anywhere in your code.

Plus, in very performance critical code it is possible to disable some of the security checks if you so wish, but then you are at your own risk.

Reply Parent Score: 3

RE[4]: Secure OS?
by moondevil on Wed 31st Aug 2011 12:43 in reply to "RE[3]: Secure OS?"
moondevil Member since:
2005-07-08

What is a "safe" language? Java was supposed to be safe, but there are regular JVM exploits. Perhaps Java isn't on your safe list, but how do other languages do it differently enough that they aren't vulnerable to similar exploits?


Those exploits take advantage of the fact that most JVMs are written in a mixture of C, C++ and assembly. So they exploit buffer overruns in the JVM, by providing invalid .class files, or in the native methods that do image manipulation, for example.

That is why there are a few research JVMs written in Java itself with a minimal amount of C and assembly, like the Squawk and JikesRVM ones.

Reply Parent Score: 3

RE[3]: Secure OS?
by sakeniwefu on Thu 1st Sep 2011 15:20 in reply to "RE[2]: Secure OS?"
sakeniwefu Member since:
2008-02-26

There is no language safer than C in a Unix-like environment, because its shortcomings are well understood by anyone who has taken the time to learn about them.

Saying that C isn't secure because of buffer overflows is a bit silly nowadays.

Memory corruption attacks are going the way of the dodo. The few still working rely on lazy implementations of exploit prevention technologies or evil designs such as self-modifying code and custom memory management. All are high-level management decisions which can be fixed, or not far away from the C level.

Most security bugs being talked about in OpenBSD misc@ and tech@ lists nowadays are logic bugs. Most actual exploits for other systems in the wild, exploit logic bugs.

Your hash function drops every other bit because of some logic error and anyone can login as root in about ten attempts? Your web server code uploads any file to a user-specified path, and has permissions for everything? A race condition in your file locks?
No problem, just use Haskell. Oh, wait...

Please tell me how your safe languages will help me.

About proofs, Donald Knuth had this to say.

"Beware of bugs in the above code; I have only proved it correct, not tried it."


It's easy to make something work as designed. It's harder to design something right, especially if you think you don't need to worry about security.

Edited 2011-09-01 15:22 UTC

Reply Parent Score: 3
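As an added illustration of sakeniwefu's "hash drops every other bit" scenario (this is example code written for this page, not anything posted in the thread), here is that logic bug in a memory-safe language: the compiler checks bounds, types and pointers and finds nothing wrong, because nothing memory-related is wrong. The digest is a constructed toy FNV-1a, the inputs are constructed, and the only thing that catches the bug is a small test oracle of the kind a reviewer would add.

```rust
const FNV_OFFSET: u64 = 0xcbf2_9ce4_8422_2325;
const FNV_PRIME: u64 = 0x0000_0100_0000_01b3;

/// Toy 64-bit FNV-1a, standing in for whatever real digest a server uses.
fn fnv1a(data: &[u8]) -> u64 {
    data.iter()
        .fold(FNV_OFFSET, |h, &b| (h ^ u64::from(b)).wrapping_mul(FNV_PRIME))
}

/// Buggy version: a mask copied from an unrelated bit-interleaving routine
/// keeps only the even bit positions, so half of the digest is thrown away.
/// The compiler is perfectly happy: no bounds, types or pointers are wrong.
pub fn digest_buggy(secret: &[u8]) -> u64 {
    fnv1a(secret) & 0x5555_5555_5555_5555
}

/// Fixed version: all 64 bits are kept.
pub fn digest_fixed(secret: &[u8]) -> u64 {
    fnv1a(secret)
}

/// A cheap test oracle that does catch the bug: count how many of the 64
/// output bit positions ever change across a sample of inputs. A position
/// that never moves contributes nothing to the digest's strength.
pub fn varying_bits(digest: fn(&[u8]) -> u64, samples: &[Vec<u8>]) -> u32 {
    let first = digest(&samples[0]);
    samples
        .iter()
        .fold(0u64, |acc, s| acc | (digest(s) ^ first))
        .count_ones()
}

/// Constructed sample inputs (not real credentials).
pub fn sample_inputs() -> Vec<Vec<u8>> {
    (0..256).map(|i| format!("user{}", i).into_bytes()).collect()
}

fn main() {
    let inputs = sample_inputs();
    println!("buggy keeps {} of 64 bits", varying_bits(digest_buggy, &inputs));
    println!("fixed keeps {} of 64 bits", varying_bits(digest_fixed, &inputs));
}
```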

RE[4]: Secure OS?
by Alfman on Fri 2nd Sep 2011 19:26 in reply to "RE[3]: Secure OS?"
Alfman Member since:
2011-01-28

sakeniwefu,

"There is no language safer than C in a Unix-like environment, because their shortcomings are well understood by anyone who has taken the time to learn about them."

I say this as a knowledgeable C developer...it is far easier to corrupt the process in C than many of the other languages around.

Even though I code very defensively, I sometimes end up writing bugs. These can be as "harmless" as following the wrong code path and functions returning wrong answers (these errors will happen in any language), or they can corrupt the heap and stack (these errors would have been prevented/caught with safe languages).

"Saying that C isn't secure because of buffer overflows is a bit silly nowadays."

C doesn't imply the existence of buffer overflows, however many languages do imply the non-existence of them.

I often prefer C nevertheless, but it takes a great deal of effort to make it safe under all conceivable conditions.

Reply Parent Score: 2
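As an added example (written for this page, not posted in the thread) of the properties moondevil lists above and of the heap and stack corruption Alfman says a safe language would have caught: Rust is assumed here as a modern stand-in for the Ada/Oberon/Modula-3 family, and the packet buffer is constructed.

```rust
use std::convert::TryFrom;
use std::panic::{catch_unwind, AssertUnwindSafe};

/// Bounds-checked read: an out-of-range index yields None instead of
/// reading whatever sits next to the buffer on the heap or stack.
pub fn read_field(buf: &[u8], idx: usize) -> Option<u8> {
    buf.get(idx).copied()
}

/// Plain indexing is checked too: the access aborts with a panic rather
/// than silently corrupting memory. Returns true if the index was rejected.
pub fn index_rejected(buf: &[u8], idx: usize) -> bool {
    catch_unwind(AssertUnwindSafe(|| buf[idx])).is_err()
}

/// Pointer arithmetic exists, but only inside an explicit `unsafe` block,
/// so it can be grepped for, audited, and confined to this module. The
/// function stays safe for callers because the check precedes the raw read.
pub fn read_field_raw(buf: &[u8], idx: usize) -> Option<u8> {
    if idx >= buf.len() {
        return None;
    }
    // SAFETY: idx < buf.len() was checked above, so the pointer stays in bounds.
    Some(unsafe { *buf.as_ptr().add(idx) })
}

/// Initialization before use is enforced: this compiles only because
/// every branch assigns `len` before it is read.
pub fn header_len(version: u8) -> usize {
    let len;
    if version == 1 { len = 4; } else { len = 8; }
    len
}

/// No silent narrowing: u32 -> u8 needs an explicit conversion that
/// reports failure instead of truncating.
pub fn to_byte(v: u32) -> Option<u8> {
    u8::try_from(v).ok()
}

fn main() {
    // Constructed sample buffer: three bytes, so index 3 is out of range.
    let packet = [0x10u8, 0x20, 0x30];
    println!("{:?} {:?}", read_field(&packet, 1), read_field(&packet, 3));
    println!("{}", index_rejected(&packet, 3));
    println!("{:?} {:?}", to_byte(200), to_byte(300));
}
```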