Intel x86 considered harmful – survey of attacks against x86 over last 10 years

Probably worth pointing out that the author is the project lead of Qubes, one of the very few promising projects in the vast wasteland of computer security.

Link for the lazy: https://www.qubes-os.org/

Very few? Seriously?

Yeah man the only good things in CS are Postgres and common lisp. Everything else is a waste of time.

Seriously. The vast majority of computer security effort is wasted on things like the advisory-and-patch cycle, pen testing, and virus scanning, which can never, by their very nature, provide computer security. That's not to say you don't have to do them — it's just that they're not productive.

I think he means there are few operating systems out there that make security the primary goal. Most other options seem to think in terms of "how can we best secure the platform we already have and is used by millions of people without breaking anything".

When that's what you're working with, you're limiting yourself quite a bit in terms of adding new security solutions. At best you'll be at least a decade behind the innovators in security who aren't afraid to build new stuff from scratch and break the old stuff.

No, that's not what I mean, and that's not what Qubes is.

Making security the primary goal of your operating system would be nearly as perverse as making swapping the primary goal of your operating system. The primary reason security seems special here is that we do have working swapping in our operating systems, but we don't have working security.

Nevertheless, if you try to add virtual memory to an operating system that was designed without knowledge of how such a thing could work (like nearly all 1960s operating systems) it is going to be pretty rough going! Today, security is where virtual memory was 50 years ago.

Qubes is interesting especially because it doesn't break compatibility with everything else.

Oh, I understand now and I agree wholeheartedly.

There's been some exciting progress in the formal verification department in recent years, though.

I agree!

I totally agree with him that the vast majority of INFOSEC products are a waste. Just take any of them and compare them to the risks in my enumeration. Also, note what pre-requisites for security their development processes have vs that list. You'll find the most projects are to secure computing what night is to day. ;)

http://pastebin.com/y3PufJ0V

I critiqued QubesOS in the past over re-inventing the wheel and on a highly insecure platform. Her recent write-up supports my critique more than ever. Regardless, they're at least doing something with provable benefit and high usability on a platform with proven benefit, both of which can be further secured or extended by others. An exception to the rule of mainstream INFOSEC where the sense of security is almost entirely false as no effort is taken to address TCB.

The only project in this space leveraging best practices in TCB or architecture is GenodeOS. They're doing what I suggested QubesOS do a while back: build on all proven, low-TCB techniques in academia. Main critique I had of them is they're too flexible and need to focus on a single stack long enough to get it working solidly like Qubes team did. They stay building on and integrating the better stuff out of L4 family of security engineering research, though.

Try crash-safe.org or Cambrige's CHERI for hardware; Qflow w/ YoSys for OSS synthesis; Microsoft's VerveOS for OS correctness; Racket for LISP; Google's F1 RDBMS for databases; Ur/Web for web apps; Cornell's JIF/SIF/SWIFT/Fabric for distributed apps; Coqasm for assembler; CompCert and CakeML for compilers/tooling.

That's just a tiny selection from my collection. Lots of exciting things going on for secure and correct tools that are still powerful. Postgres and Common LISP are both weak and boring in comparison despite being good tools. :P

That's what any VMM-style solution does, though. They use basic isolation and controlled sharing while letting problems remain in every other component. Nothing special there and doesn't address many security threats that hit other parts.

I mainly consider solutions like Qubes to be for preventing accidental leaks, containing damage from regular malware, and making recovery easier. Much like the Compartmented Mode Workstations and MILS virtualization that came before it.

Real, more-thorough security will break compatibility or take a huge performance/functionality hit. Was true in any system designed to high assurance or surviving NSA pentesting. Will be more true for whatever supports legacy applications on today's more complex, leaky ISA's/API's. CheriBSD is closest thing to an exception but I don't even trust its monolithic parts due to how attacks can jump around in a system. Nizza Architecture on non-Intel, security-enhanced processors is best model for now given we can at least isolate security-critical apps into their own partitions on tiny TCB's. No mature FOSS implements that, though.

So, regular malware defence with Qubes, etc and energy-gapped systems + KVM's + guards for high-strength attacker defence remain the options.

I don't know if I understand how most of these things could be considered secure unless they've been heavily attacked already.

Are they all so much more secure by design that you consider them to be great projects?

My experience is heavily with server-side web languages, so I'm particularly skeptical of those. Even the most secure-seeming web languages have buggy, insecure implementations at first.

Those projects are mostly research into how to make software and hardware less buggy; most of them are not themselves written with a threat model in mind.

Exactly. Most could be, though, if people put forth the effort. So I keep mentioning such work.

Note: This comment is mainly for others reading along. Something I do on forums. I know you already understand this point.

The game console guys have their act together. Well, Microsoft, anyway. And Apple is doing a great job on the mobile OS side of things. There's also some very interesting hypervisor work coming out of the Windows 10 group.

So "most" is probably okay. with a couple noticeable exceptions:

Android needs to get its shit together. Not letting any old manufacturer write device drivers with jaw-droppingly bad security holes would be a start. I last looked at vendor-provided drivers in 2010 or so and I very much doubt they have improved.

(A while ago I wanted to store a secret on an Android device. And I couldn't do it. Ten year old platform and no effective secure storage; did the ghost of J Edgar Hoover visit Google and threaten them?)

Network equipment manufacturers: Why even bother with a home router when some code monkey stuck a hard-coded password into the firmware? I'd love to be able to inspect the code on the device I'm trusting to keep my network safe. Interesting that DDWRT is under political attack, isn't it?