Many people have had the unpleasant experience of viruses and malware on their computers. Sometimes among the most immediate solutions is to replace the computer, re-install software, and get higher grade security software. We live in a time where Web sites, government files, and business databases can be breached and the results can be damaging from a financial, legal, or social standpoint. Why does this happen?
Knowledge exists about how to break into software and disrupt the normal use of that software as well as get useful data through that software. Some of my past articles speaks to this such as, Better Security through Coding Languages. Widespread knowledge about weak software security has not translated into more fully secure software. Every week or so, there is a new patch for software to address a missed area of security. The patches are necessary. Yet, could the software have been more thoughtfully written upfront to better reduce or eliminate the security issues?
The answer is yes but it is complicated. Part of the answer is that information on the Internet does to mean that most persons that write software is aware of that information. Another part of the answer is that some of the tools used to create some software does influence security outcomes as much as the persons’ knowledge of security practices. Also, there is enough information about computer security that it can become an endless trail that creates a widening gap between process, functionality, and end result.
Add to this that there is no straightforward quality assurance process that would match the techniques and mindset of outside individuals and organizations that break into software. You can throw all the strange inputs at the software you want and you still may not have the insights of those that routinely pursue access to data through software compromise.
Measure At Least Once
Increased security can slow down computer programs and make the written software code more dense. What constitutes great computer security today consists of checking each thing in the computer program as it does it to make sure that what is done is proper. Besides what the program is designed to do, the additional checking takes time to do and adds time to what the program does. If you have patience, this can work out quite well, but if the results you need from software is time critical, you may be at odds with a more secure but slow program.
Writing into the software the numerous additional checks can add undesirable administrative overhead to the program. The program takes longer to finish and takes much longer to change and refit to new requirements. Expanding the software and connecting it to new services becomes more challenging than would otherwise be the case and so there may be less motivation to go the last mile in the additional checks. Very secure software under the present computer hardware and operating systems models are more expensive to make, maintain and operate in terms of time.
Consolidated Knowledge from CERT
Organizations exist that investigate and put together lessons learned about compromised software. One of these organizations is CERT in which one of their members, Robert Seacord, has written about these matters. I have begun to read his book, Secure Coding in C and C++, the first 2 chapters I’ve gone through so far mirror what I’ve known from other sources about factors influencing computer security. Robert’s work goes into much greater depth but the implications are clear, the way computers and programming languages are designed makes them candidates for security compromise. That is not what Robert Seacord says, but that is what I see as a result of the discussion to date.
The main problem seems to be the absence of boundaries within computer hardware. Base level programming languages upon which all other software environments and tools are based are designed to broadly represent the shape and nature of computer hardware. Computers can handle alot of data and can be expanded in some cases to handle even more. Limitation isn’t in the nature of computer designs.
A time ago, space on a computer was limited. Today, the space is large enough in all directions (processor, memory, disk) that the investment in a computer can pay off for a much longer period. Aggressive data management practices may often be relaxed due to the abundance in capacity.
Data is one thing but computer programs are another. Computer programs are not nearly as large as the data they manage. Good computer programs are small or at least no larger than they necessarily need to be and there are many good examples. A large program by today’s standards would still use only a third of low capacity space configurations. That leaves enough space to do other things, harmful things like break into computer programs.
The most common way today to break a computer program and get at the data is to use the extra space to catch a ride into the program. This happens when the program code literally goes outside of itself in order to finish reading data where it does not know how big the data is. It does not know how big the data is and rather than stop reading after a certain point, it just keeps going. Eventually, it goes unknowingly where the malware is and the malware says thanks for the ride and briefly takes over. The computer program does not know it is running malware because like the computer program itself, the malware is just computer code. It all just runs together in one continuous stream when the computer sees it.
Computer programs can encode hard limits. This can be done automatically as is in the case of programming technologies like Java and C# but that automatic limiting can slow things down or those technologies, due to how those limits work can confine the usefulness of those programs for deeper work. Languages useful for deeper work and faster running often do not have automatic limits put in place. You may know these languages by the name C and C++ both of which are often used for commercial, infrastructure, and foundation software. Java and C# themselves are made using C and C++ but in a way that has better limit control that can affect speed.
C and C++ is used to make Mac OSX, Linux, Windows, Office, PhotoShop, etc. Important software that need patching because limits are not in place. I demonstrate C and C++ in my article about cross platform code using a video game framework in which I take C based code library called Allegro and combine it with a custom C++ solution I derived. C and C++ are also used to create the overall web technology tools that are commonly used to create web sites and network services that are compromised. C++ has better built-in limit control than C but both often require those that program with those languages to add in additional protections. In many cases, the limits are missing in one or a few areas, particularly in updated areas of new or changed functionality. All it takes is just 1 single missed area in the program and code there may runaway into malware. Just 1 single mistake. Invisible and overlooked among thousands and perhaps millions of lines of computer code during the course of solving problems and adding features. Or, the code is good but the structural design of all the code together is wrong despite appearing to work.
Sometimes though, a lack of limits is what is required either for speed or capacity. Despite the advances in computer hardware, speed and capacity, computers are not fast enough to make complete security practical. You could probably have complete security at Google or on pure IBM hardware but for individual computers and mobile devices, there is a huge gap between what you have in the hardware and what you would need to have a large-scale industry change towards more commonly secured computer programs.
Practical Answers for Users
Use open source technology. Security issues in open source are generally taken more seriously and responded to more quickly. Second, it is rather straightforward to vet, audit, and certify that open source software is secure and so when the code is said to be secure, it often is according to the knowledge and methods available to those that have vetted it. Last, open source is reputation driven and those that build widely adopted open source software have a reputation to maintain.
Keep systems simple. When an operating system is installed, try to keep the defaults. Avoid customizing systems too much. The idea is to have the system as close to how it was tested and certified by the maker of the system. Reduce operational complexity as much as possible. Do not add too much to your system and keep installed programs to a minimum. Follow steps published on the Web for tightening your system’s security to the extent you feel comfortable.
Do not connect to networks for longer than necessary. For example, if you have to send a document, send a message or post something, do the writing ahead of time, then connect, and send. Likewise, if you have to download something, download it and get off. Or, if you are doing online banking, keep the time on the website to a minimum. Just do this naturally and you lower the odds of a compromise.
Upgrade software aggressively to increase the odds you are running the best code at all times. Follow closely the reputations of the software, related complaints, and warnings. Trends such as numerous warnings over a period of years about a certain piece of software may point to software you will want to avoid. An example is Microsoft Internet Explorer. Over many years, there has been many Microsoft Internet Explorer security advisories including one this year about security problems with the software. The lesson is that Microsoft Internet Explorer has many structural flaws natural to its design you will want to avoid if you want to increase the odds your data will remain safe. Mozilla Firefox on the other hand has a great reputation and track record for security.
Patching does not always work. The most obvious example is the huge effort by Microsoft over 10+ years to improve the security of Windows in what was termed the Trustworthy Computing Initiative. After over a $1 Billion in investment, the problem in Windows may be larger than was initially perceived. Still, it has helped in many ways.
Practical Technical Insights
Part of the solution may be to approach computer coding in a more thoughtful way. Computer security may be important enough that rather than learn how to code, you learn security first and you do not dare release software unless you have applied better practice to the work. In the feverish race to have software out quick and gain huge numbers of deployments, the urge to expand aggressively may be counterproductive.
We should not criminalize hacking, cracking, etc., and we should not actively discourage it. Software should be broken, should be compromised, and data should be ferreted away to the extent that people are people and have motivations to engage in these undesirable activities. We should know which software is written right and which software some of us may wish to avoid.
Next, the incentives should shift from cyber-security protection to actively award and remunerate those who are active and demonstrably known to pursue not just secure software but well written software. Clever hacks in code by well-meaning individuals and cleverly written software is part of the security problem. Better software in which the writers of the software aggressively evolves, not just the functionality, but the proper means of realizing that function should be encouraged. This will produce a more productive and beneficial result.
We may have to acknowledge that there is a heavy amount of preexisting code in C and C++ that will probably not get rewritten overnight to be more secure. New software that uses C and C++ by necessity often has to link into some of this preexisting code whether open source of commercial. It may be better to adopt a policy that it is better for a computer program to crash than to continue running potentially into malware. Software code from years past that is linked into new software programs would then function in a program under new rules that void out any deviation from the overall program’s standards. Let it crash if it saves the data from further disclosure or compromise.
The run-time systems that run Java and C# are too heavy whether they are on Linux, Mac OSX, or Windows. It does not matter if you install Mono or Java on Linux or .NET and Java on Windows, they are just too heavy. You cannot really justify the enormous complexity they bring although they do a good job in what they do. I used C# for many years in controlled IT environments in which it worked quite well, but neither it or Java are global solutions in their current forms. What we really need is a pure revision to the C language that adds just enough run-time like behavior to allow for a simple recompile to maintain the performance and granularity characteristics of C with the higher protections on data that can diminish the effective means of malware.
Apple is doing this with their Swift programming language and Microsoft started this with their C++/CX technology. Eventually, Microsoft could revise Microsoft Windows to be more secure than it has been in the past by evolving their Windows Run-time technology. Apple programs on iOS and OSX will become more secure, but all of the background technology written in C will still provide great possibilities for malware. Evolving C is inevitable. Surely sooner would be preferable. You could do similar things to what I am suggesting with tools like Vala. Until such solutions become more widespread however, it would be more productive to solve the problem at the source, C libraries and C compilers. Progress has leaned towards not breaking code that is working and to incrementally arrive at a better outcome.
Better Security is Coming
Even with all the precautions, issues can still occur. The flaws and latent security holes that do remain should be far more difficult to exercise until they can be addressed by future changes in technology. I had written software for a healthy span of time and see that technology has come far in a short time. I am reviewing Robert Seacord’s work to be better informed about the issues, and it good that such information is available in one place. I am optimistic that technology can be improved and allow us to have and maintain information in a way that is socially and financially appropriate. It just takes more work and greater personal and collective vigilance. Just like in the real world. The opportunity is ripe for better solutions.