This evening, I was watching—again—the classic John Carpenter movie, “Escape from New York.” What struck me about this movie (made in 1981) was how many things seem to somewhat correspond to more recent events.

For instance, the film begins with an airliner hijacked by terrorists and crashed into a building in Manhattan. There is a new, major government bureaucracy with law enforcement capabilities ala DHS (Lee Van Cleef even looks a little like Michael Chertoff). And there is a major prison on an island where people—especially terrorists and political prisoners—are sent and cannot get out. Trials seem to be abbreviated and maybe not even held. There is a long, unresolved war going on. And so on….

There are other parallels, but it depends on how you view the movie. I hadn’t seen it in years, so it really struck me how many items seemed ... eerily familiar. I’m a bit reluctant now to rewatch other Carpenter movies, such as Escape from LA, The Thing, and Ghosts of Mars!

It’s a great movie, so let me recommend that you watch it again if you haven’t seen it recently ... or at all: I know that many of my students haven’t seen it yet, and they should. They might be surprised—Snake Plissken isn’t dead yet.

If you watch it, let me know what you think!

I’ve ranted before about how insecure web browsers are, because they trust themselves, their libraries and user-added plug-ins too much.  At a very high level, they have responsibilities that can be likened to those of operating systems, because they run potentially dangerous code from different sources (users vs web sites) and need to do it separately from each other and from root (the user account running the browser), i.e., securely.  The web browsers of today look as ridiculous to me as the thought of using Windows 95 to run enterprise servers.  Run an insecure plugin , get owned (e.g., Quicktime).  Enable JavaScript, VBScript, ActiveX, Java, get owned.  Get owned because the web browser depends on libraries that have more than 6-month-old vulnerabilities (1-year old depending on how you count), and the whole thing collapses like a house of cards.  As long as they are internally so open and naive, web browsers will keep having shameful security records and be unworthy of our trust. 

IE 7’s protected mode needs to be acknowledged as a security effort, but CanSecWest proved that it didn’t isolate Flash well enough.  It’s not clear if a configuration issue was involved, but I don’t care—most people won’t configure it right either then.  IE 7’s protected mode is a collection of good measures, such as applying least privilege and separation of privilege, and intercepting system API calls, but it is difficult to verify and explain how it all fits together, and be sure that there are no gaps.  More importantly, it relies heavily on the slippery slope of asking the user to appropriately and correctly grant higher permissions.  We know where that leads—most everything gets granted and the security is defeated.

Someone not only thought of a proper security architecture for web browsers but did it (see “Secure web browsing with the OP web browser” by Chris Grier, Shuo Tang, and Samuel T. King).  There’s a browser kernel, and everything else is well compartmentalized and isolated.  Similarly to the best operating system architectures for security, the kernel is very small (1221 lines of code), has limited functionality, and doesn’t run plug-ins inside kernel space (I’d love to have no drivers in my OS kernel as well…).  It’s not clear if it’s a minimal or “true” micro-kernel—the authors steer clear of that discussion.  Even malicious hosted ads (e.g., Yahoo! has had repeated experiences with this) are quarantined with a “provider domain policy”.  This is an interesting read, and very encouraging.  I’d love to play with it, but I can’t find a download.

Just a quick note that Eugene Spafford, Executive Director of CERIAS, will be giving testimony this morning at 10 a.m before the House Ways and Means Committee at a “Hearing on Employment Eligibility Verification Systems and the Potential Impacts on SSA’s Ability to Serve Retirees, People with Disabilities, and Workers.” You can view the broadcast live by visiting the hearing’s page and clicking on “Click Here to View Committee Proceedings Live.”

Last week my script that processes and logs daily CVE changes broke.  It truncated inputs larger than 16000 bytes, because I believed that no CVE entry should ever be that large, therefore indicating some sort of trouble if it ever was.  Guess what…  The entry for CVE-2006-4339 reached 16941 bytes, with 352 references.  This is an OpenSSL issue, and highlights how much we are dependent on it.  It’s impressive work from MITRE’s CVE team in locating and keeping track of all these references.

It occurred to me that virtual machine monitors (VMMs) provide similar functionality to that of operating systems.  Virtualization supports functions such as these:

1. Availability
• Minimized downtime for patching OSes and applications
         
• Restart a crashed OS or server
2. Scalability
• More or different images as demand changes
3. Isolation and compartmentalization
4. Better hardware utilization
5. Hardware abstraction for OSes
• Support legacy platforms

Compare it to the list of operating system duties:

1. Availability
• Minimized downtime for patching applications
         
• Restart crashed applications
     
2. Scalability
• More or different processes as demand changes
3. Isolation and compartmentalization
• Protected memory
• Accounts, capabilities
4. Better hardware utilization (with processes)
5. Hardware abstraction for applications

The similarity suggests that virtualization solutions compete with operating systems.  I now believe that a part of their success must be because operating systems do not satisfy these needs well enough, not taking into account the capability to run legacy operating systems or entirely different operating systems simultaneously.  Typical operating systems lack security, reliability and ease of maintenance.  They have drivers in kernel space;  Windows Vista thankfully now has them in user space, and Linux is moving in that direction.  The complexity is staggering.  This is reflected in the security guidance;  hardening guides and “benchmarks” (essentially an evaluation of configuration settings) are long and complex.  The attempt to solve the federal IT maintenance and compliance problem created the SCAP and XCCDF standards, which are currently ambiguously specified, buggy and very complex.  The result of all this is intensive, stressful and inefficient maintenance in an environment of numerous and unending vulnerability advisories and patches.

What it looks like is that we have sinking boats, so we’re putting them inside a bigger, more powerful boat, virtualization.  In reality, virtualization typically depends on another, full-blown operating system. 

VMWare ESX Server runs its own OS with drivers.  Xen and offerings based on it have a full, general purpose OS in domain 0, in control and command of the VMM (notwithstanding disaggregation).  Microsoft’s “Hyper-V” requires a full-blown Windows operating system to run it.  So what we’re doing is really exchanging an untrusted OS for another, that we should trust more for some reason.  This other OS also needs patches, configuration and maintenance.  Now we have multiple OSes to maintain!  What did we gain?  We don’t trust OSes but we trust “virtualization” that depends on more OSes?  At least ESX is “only” 50 MB, simpler and smaller than the others, but the number of defects/MB of binary code as measured by patches issued is not convincing.

I’m now not convinced that a virtualization solution + guest OS is significantly more secure or functional than just one well-designed OS could be, in theory.  Defense in depth is good, but the extent of the spread of virtualization may be an admission that we don’t trust operating systems enough to let them stand on their own.  The practice of wiping and reinstalling an OS after an application or an account is compromised, or deploying a new image by default suggests that there is little trust in the depth provided by current OSes. 

As for ease of management and availability vs patching, I don’t see why operating systems would be unable to be managed in a smart manner just like ESX is, migrating applications as necessary.  ESX is an operating system anyway…  I believe that all the special things that a virtualization solution does for functionality and security, as well as the “new” opportunities being researched, could be done as well by a trustworthy, properly designed OS;  there may be a thesis or two in figuring out how to implement them back in an operating system. 

What virtualization vendors are really doing is a clever way to smoothly replace one operating system with another. This may be how an OS monopoly could be dislodged, and perhaps would explain the virtualization-unfriendly clauses in the licensing options for Vista:  virtualization could become a threat to the dominance of Windows, if application developers started coding for the underlying OS instead of the guest.  Of course, even with a better OS we’d still need virtualization for testbeds like ReAssure,  and for legacy applications.  Perhaps ReAssure could help test new, better operating systems.
(This text is the essence of my presentation in the panel on virtualization at the 2008 CERIAS symposium).

Related reading:
Heiser G et al. (2007) Towards trustworthy computing systems: Taking microkernels to the next level.  ACM Operating Systems Review, 41
Tanenbaum AS, Herder JN and Bos H (2006) Can we make operating systems reliable and secure?  Computer, 39