September 11 2022
The security model for personal computers is completely broken. This includes Microsoft Windows, Linux, Unix, macOS, Android, and iOS. They were all designed for a world where users had to be authenticated while programs were assumed to be trustworthy. That is, all trust in a user extended to any program he would ever run. This model breaks down completely in a world that includes trojan malware.
Malware is a program that appears to be useful, helpful, and benign but is actually performing malicious work in the background, with the user completely unaware. A classic example is a weather app. From the user's perspective, all it does is download the daily weather maps and present them on the screen. In actuality, it is logging keystrokes and monitoring network access, fishing for bank passwords that can be uploaded to its command-and-control server in Russia. The user is never alerted to any of this activity since he granted the program network access rights, which is necessary for its overt purpose of downloading the weather maps.
The security model failed because it was focused solely on authenticating the user. Once the user was authenticated, that trust was extended implicitly to every program he launched, including the malicious weather app that he was fooled into trusting. It was the app that was the bad actor, not the user.
The current trend of granting a bundle of permissions when the app is first installed is both misguided and actively degrades security. When was the last time you installed an app that did not require network access? Users need to understand that when they see a dialog with "Do you want to allow this program to make changes to your computer?" clicking YES allows that program to do anything it wants now and forever, and any harm is likely to be done milliseconds after clicking that button. Every app now demands all the basic permissions (network access is essentially all any malware needs) or refuses to install. This puts the user in the position of ignoring the risk of trojan malware or never installing any apps at all. Malware authors rely on 99.99% of users clicking OK and ignoring the risk. This security model actively degrades security and promotes malware by providing security theater in the form of presenting the risks while training users to ignore the risks and click OK. Meanwhile, the system vendors (Google, Apple, Microsoft) use this model to shift responsibility and blame for executing malware from themselves onto the individual user.
Any security model needs to diligently authenticate the user, then extend that same level of distrust to every program. Every program needs to authenticate itself to the OS and/or the authenticated user, and not just to install and launch, but for every significant action that could be considered a security risk. This sounds more complicated than it is, but it requires a fundamentally different approach to program permissions.
Take network access as an example. The user still logs in to his Windows machine using a name/password. This authenticates the user and grants a set of user-centric permissions, such as file and directory access and the ability to run certain programs. The user launches the web browser, which is digitally signed by Microsoft with a key that grants the program network access. The user downloads a random weather app from a random website. His authenticated user account grants him permission to save the app locally and to run it. The app is not digitally signed, so it has no permissions beyond basic IO (keyboard, mouse, and display). The first thing the app does is try to open a network connection to its command-and-control server. Since the app has not been granted this permission, but neither has it been denied, a User Account Control (UAC) dialog is presented to allow the user to decide how to proceed. The user is informed that the weather app wants to open a network connection and the domain name it is trying to reach. The user can now select from five options: Yes, always; Yes, this session; Yes, this once; No, this session; No, always. There is also a checkbox to apply this policy to all domains; leaving it unchecked will trigger a UAC for each domain it tries to reach. The response is recorded and used for subsequent attempts. Most programs, with the exception of web browsers, should only need to communicate with a small number of domains -- reaching out to a large number of domains is a serious yellow flag.
A similar approach applies to local file access, configuration changes, microphone and camera access, anything that could compromise the user's security and privacy. Every UAC tells the user exactly what resource is being requested so that a truly informed decision can be made.
The fundamental change is that no permissions are granted at install time; it is impossible for the user to make a truly informed decision at that point. Permissions are instead granted or denied when the program actually tries to perform the action, when the system can present all the information the user needs to make an educated decision.
Ransomware would never work under this model. If the weather app contained trojan ransomware, it would need to pop up a series of UAC dialogs requesting write access to the user's personal files -- something the user would never grant to a weather app. The user could even co-opt the malware by allowing it network access to https://noa.gov while denying access to https://Ivan.ru .
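As an added illustration (not code from this post), here is a minimal policy store in Python that behaves the way the preceding paragraphs describe: nothing is granted at install time, the first attempt at a resource returns PROMPT, and the user's answer (the five options plus the "all domains" checkbox) is recorded with its scope and reused, for network domains and file writes alike. The app name, domains and paths used in the docstrings and tests are constructed samples.

```python
from dataclasses import dataclass, field
from enum import Enum

class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    PROMPT = "prompt"   # no recorded answer: the OS must raise the UAC dialog

class Scope(Enum):      # the five dialog options are allow/deny crossed with these scopes
    ONCE = "once"
    SESSION = "session"
    ALWAYS = "always"

ANY = "*"  # stand-in target stored when the "apply to all domains" box is checked

@dataclass
class PolicyStore:
    persistent: dict = field(default_factory=dict)  # (app, resource, target) -> allow?
    session: dict = field(default_factory=dict)     # same shape, cleared at logout
    seen: dict = field(default_factory=dict)        # (app, resource) -> set of targets asked for

    def evaluate(self, app: str, resource: str, target: str) -> Decision:
        """Consult recorded answers before the action runs; session beats persistent,
        and a target-specific answer beats an "all targets" one."""
        self.seen.setdefault((app, resource), set()).add(target)
        for store in (self.session, self.persistent):
            for key in ((app, resource, target), (app, resource, ANY)):
                if key in store:
                    return Decision.ALLOW if store[key] else Decision.DENY
        return Decision.PROMPT

    def answer(self, app: str, resource: str, target: str, allow: bool,
               scope: Scope, all_targets: bool = False) -> Decision:
        """Record the user's dialog answer. 'Once' answers apply now but are not
        stored, so the next attempt prompts again."""
        key = (app, resource, ANY if all_targets else target)
        if scope is Scope.SESSION:
            self.session[key] = allow
        elif scope is Scope.ALWAYS:
            self.persistent[key] = allow
        return Decision.ALLOW if allow else Decision.DENY

    def end_session(self) -> None:
        """Logout: 'this session' answers expire."""
        self.session.clear()

    def distinct_targets(self, app: str, resource: str) -> int:
        """Distinct targets an app has asked for; a large count for anything but a browser is the warning sign."""
        return len(self.seen.get((app, resource), ()))
```

The ransomware case falls out of the same store: a "No, always" answer with the all-targets box checked for file writes denies every later directory without another dialog.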
---
I cannot possibly be the only person who sees this, yet all the major OS vendors continue either to push the same broken security models or to invent new models that are only superficially different. Some of the vendors (Google) are disingenuous because their corporate revenue is dependent on broken security. Others (Apple) profess to be the protectors of user security and privacy because it is good PR, while continuing to ignore how broken their OS actually is. Microsoft ignores the problem because fixing it is too complicated, both for their engineers and their users. Linux is able to ignore the problem simply because it either runs on managed servers tucked away in a data center or is installed on so few machines that it is not worth the effort to attack. It is discouraging.
Malware is a scourge that will not go away. I know enough about the threat that I no longer fully trust any software. Every time I install new software, I wonder what it is really doing, and there is no way to find out. Wireshark is useless since everything is now encrypted into an opaque https stream. Even if it weren't encrypted, understanding what is happening requires knowing every ad hoc protocol invented by every program. Local firewalls are useless because every installer creates new firewall rules to allow free access to itself.