Are there "immutable laws of security"?

There has been a lively discussion on "immutable laws of security" posted on Microsoft Technet. Do those laws really exist - or are they simply a consequence of specific software architectures? How do we approach such a question?

A well known method of text analysis is the so called structural text-analysis. This method tries to uncover the set of logical statements within and behind a text. Used this way the method allows us to learn the set of statements that can be derived from a text. But the method can also be used to uncover the per-conditions of a text: what statements need to be logically implied if the statements in a text should make sense? The method is "structural" in the sense of all those implicit statements and the explicit text need to form a logical structure. This is not really a strange idea. Everybody who has been involved in the creation of several related texts within groups has made the experience that in the beginning the document content seems to be arbitrary but after a while the documents start constraining the content of the other documents.

Applied to our "immutable laws" we can uncover the silent assumptions behind those laws. The same method btw. can be used to decode political speech and the hidden statements and assumptions behind.

Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore

There are bad guys and good guys. Owners of computers will usually not run software from other people on their machine. People can be persuaded to install other people's software. Getting persuaded to install software from "bad" guys is an error of the computer owner. If the software owner is bad, the computer owner loses control. If the software owner is "good" the computer owner will not lose control. Software takes control of complete computers through the process of installation and running the program.

The text leaves interesting logical holes: nothing is said about how to distinguish "bad" guys from "good" guys. Nothing is said about the differences in software between those guys. A computer cannot defend itself in case of installation of software from "bad" guys. No explanation is given WHY the computer owner loses control through installation of software or why the computer cannot defend itself..

Call me picky but the logic given in those statements has a hard time constituting "immutable laws" of security. The statements prescribe the way certain operating systems work as canonical, nothing more. There are lots of alternatives that do not make a system dependent on the psychological state of a programmer. Take a look at the capability work at erights.org and the captalk mailing list to get an understanding. If you are not into software just take everyday things like cars and apply the "laws" to those: "if somebody changes a lightbulb on your car you will no longer have control over it.." to see how hopelessly dependend on concrete implementations of systems those "immutable security laws" really are.

Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore

Operating systems control a computer. Bad guys can change the operating system. If this happens a computer owner loses control of the computer. The operating system gives user control of the computer. No explanations why and how the change of an operating system happens. Bringing law1 and law2 together one can conclude that installation of foreign software might be a means to do so. Any change in an operating system will have the effect of losing control. No explanation is given why any change has such drastic consequences. (compare with a dead headlight in your car: the brakes/engine etc. still work). Operating systems have all or nothing characteristics.

Again, the statement that an OS is all-or-nothing cannot be an immutable law because it depends on implementation characteristics of systems whether they exhibit such a behavior.

Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore

Unrestricted physical access to a computer causes the complete loss of control over this computer for the owner. No explanation is given why this all-or-nothing behavior is exhibited by the computer and its operating system - which controls the computer as we have learned form law2. No explanation is given on what "physical access means but from cultural knowledge we can conclude that it means change of harddisks etc. No means of protection of a computer system exist that would survive physical tampering.

Think about harddisk encryption, keys on smartcards and in general the principle of protection through cryptographic secrets and you will understand that again we hear about a specific implementation of an OS and NOT about immutable laws.

Law #4: If you allow a bad guy to upload programs to your website, it's not your website any more

This is just a variation of law number one but assumes that the computing platform of a website has the same problematic use of ambient authority as a PC. The Cross-site-scripting dangers are not mentioned.

Law #5: Weak passwords trump strong security

The assumptions behind are: there is a possibility of strong security using passwords. There are strong passwords and weak passwords. With strong passwords security is OK. Now what makes passwords weak? You got it - it's the dreaded user again. All the users fault if they are too dumb to remember long and arbitrary sequences of alphanumeric characters with the occasional special char mixed in. Againd the same pattern as above: put the blame on somebody else. The facts: Passwords are NO GOOD security mechanism in ANY case. The password mechanism requires giving a secret away and therefor relies on all participants to be "good" (don't they just love the good guys at Microsoft? It only gets better when they make the Bitcom lobbyists demand tougher laws to keep the "bad" guys from doing their stuff. It has NOTHING to do with software architecture of course...). Passwords do NEVER scale and cannot provide non-repudiation. Given the human weaknesses password synchronization MUST happen and will cause complete breaddown of a security mechanism. There is no "strong" security if a password mechanism is included! Again the failure mode is "complete and utterly" and not gradually.

Law #6: A computer is only as secure as the administrator is trustworthy

This "law" assumes that all computer systems have/need an allmighty administrator. The administrator is controlled through "trust" and there is no other way. There is nothing internal in a computer system that cannot be changed or circumvented if an administrator wants.The facts: There are a lot of approaches to provide mandatory control which of course also includes a full audit path. Cryptographic means can prevent administrators from manipulating the system. Fine-grained control through software is possible which restricts the power (and the need for) of an administrator. The well-known and bad concept of an administrator in Unix and Windows is taken as a law. And on top of that: security has nothing to do with "trusting" a person - quite the opposite is true. You get security if you do NOT TRUST somebody. The fact that you need to have trust in somebody working on computer simply shows a huge problem in the software architecture of your system.

Law #7: Encrypted data is only as secure as the decryption key

A decryption key is able to recover the original text from an encrypted message. Decryption keys are not secure. The keys need to be protected. There are ways to steal those keys. The facts: yes, key management is a problem. But what about smartcards? And why is key management such a problem on PCs? Because a PC with the typical OS running on it has problems keeping the keys secure. No ways to attack stored keys are given.

Law #8: An out of date virus scanner is only marginally better than no virus scanner at all

A virus scanner detects viruses. New viruses show up every day. The virus scanner needs to learn about the new viruses. Updates are the mechanism of choice to do so. The more often the better because of the many new viruses that show up every day. There is a period of time between the appearence of a virus and the time the scanner learns about it. During this period the system is utterly defenseless and helpless against the new virus. No explanations are given why that is so. I 've explained it many times why malware is dangerous because of bad software architecture and will not repeat myself here. The "law" simply restates that virus scanners are the defensive measure of choice against malware - which is utterly wrong from a system persepective. And why would a virus scanner be outdated? Yes, because of the brainless user again! Did he forget to update the scanner? Did he get careless? Why don't the vendors install updates automatically? Why do we have to confirm something that cannot be our concern anyway? It is to keep up the illusion that security of a system is the business of the user. It is not. It is the business of software architecture and therefore of the software vendors of operating systems.

Law #9: Absolute anonymity isn't practical, in real life or on the Web

The interpretation of this law depends a lot on how one interprets "not practical". Does it mean "not possible" or "not useful"? Depending on the outcome this law is either trying to defend the way Windows betrays their users with respect to their privacy (see the Garfinkel thesis on usablity and security for more information) or a rather useless statement by itself.

Law #10: Technology is not a panacea

Assumes there are problems which won't be solved by technology. Again, either a rather pointless statement or - in the context of the whole text on "laws" a try to emphasize the users responsibilities for the security of his computer system. I bet the Microsoft employess perform a brake check, engine check and lights check on their vehicles every morning - we know, technology is not a panacea.

This text on "immutable laws" is another case of Microsft trying to put the blame of their security vulnerabilities on somebody elses desk. The first approach was putting the blame on the user and her lack of education in computer security. I have written about this in "security and usability" and the 10. BSI Security Conference was a good place to see this argument at work. (The user needs to be taught about malware and viruses, trojans etc. Sure, brake maintenance, head gaskets etc. - that's what you learn when you buy a car????)

Now they are not even satisfied with putting the blame on the user. Now they need IMMUTABLE LAWS that say that operating systems always show an all-or-nothing behavior towards failures and attacks, that no crypto survives physical tampering and so on. But by now you are hopefully aware that those statements come from the markteting department of Microsoft and that they are not backed by engineering laws at all.

There is something to learn from those "laws". It is that every security statement that contains COMPUTING MECHANISMS depends on the system context. The expression "immutable" is both ridiculously wrong in general and sadly true with respect to a particular operating systems security architecture: For an OS that uses ACLs and tons of ambient authority the laws mentioned above truly ARE IMMUTABLE. For a better architecture they are not of course.

The whole thing shows nicely how business interests, technology, users and arguments form what in other contexts is called ideology. Here it is the ideology of a computer system necessarily being helpless. The ideology of all-or-nothing security of an operating system. And asis always the case with ideologies - current practices re-inforce and confirm the mechanisms behind. Using virus scanners - of course, what else should a clever computer user do? Update (and pay) frequently for bug fixes concerning security faults - of course, otherwise the immutable laws will hit me. Do not run "untrusted" software, I mean you do know who you can/should trust?

Only when the assumptions BEHIND those laws are uncovered does the ideology become visible.