One of the great, classic articles of computer security comes from Microsoft in an era when security was not their strong suit. The article “10 Immutable Laws of Security” by Scott Culp relates rules which ring as true today as they did in 2000 when the article was written-or do they?
Now Jesper M. Johansson, a Microsoft MVP and Ph.D in MIS has begun a series of articles re-examining the laws. The first in the series looks at laws 1 through 3. They’re all important laws, but in the eight years since they were formulated have things changed to make them less true?
The first law is something you hear all the time from every reputable source: If a bad guy can persuade you to run his program on your computer, it’s not your computer anymore. Once you let someone execute code on your system there are ways for them to take control of it. What has happened in this regard since 2000? Johansson points out that in 2000 the mainstream operating systems, Windows 98 and NT 4.0, were certainly under the thumb of this law. The 9x generation of Windows didn’t have any way to prevent others from running code on your system.
NT had a basic model of privileges so in theory you might be able to prevent malicious code from running or mitigate its effects. But as a practical matter, it didn’t work very well and the system was so full of holes that it couldn’t be effectively secured. As Johansson says, anyone who wanted to get work done in NT4 ran it as Administrator, which means that any malicious code did as well. That year Windows 2000 was released, improving the situation, but by less than it seemed at the time.
Windows Vista and Windows Server 2008, the current shipping versions, are clearly far more secure products than those of eight years ago. Does that mean that Law No. 1 is no more? No way. But things are different. Johansson notes IE Protected Mode as one of several “security boundaries” that did not exist eight years ago, but doesn’t go very far with it. I think IE Protected Mode really does represent a meaningful dent in the first law, although I hope nobody thinks I’m saying that Vista is now bulletproof. And in spite of IE Protected Mode there have been vulnerabilities in IE7 on Vista that Microsoft said could result in remote code execution. But clearly it has also effectively sandboxed many attacks; they may get to run through IE, but they can’t do much of value to an attacker.
And it’s not just Windows; anti-virus protection in 2000 was many generations behind where it is now, where top-notch protection includes a host-intrusion prevention system, software which monitors running processes for activity which appears malicious. These systems are not perfect, but clearly they do stop some attacks. Once again, a dent in law No. 1, but you’re still best served by assuming the law stands because you can’t rely on the protection.
Law No. 2
Law No. 2 states that If a bad guy can alter the operating system on your computer, it’s not your computer anymore. In a way, this is a corollary of law No. 1 because the attacker would probably have to run his own code in order to alter the operating system on your computer, but Johansson points out that the operating system, as a practical matter, is a huge and complicated beast, incorporating not only program files but settings, for instance in the registry or ACLs in the file system.
He also points out that there are files, such as edlin.exe, which are part of the operating system but which could be modified with no meaningful consequence to the system. But if an attacker can alter edlin, they can probably also alter more important files. If they can alter edlin then some important defense of the system has broken down, and the system as a whole probably has to be considered untrustworthy.
Law No. 3 is one I’ve written about many times: If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore. This is the 1 of the 3 for which things may have changed the most. In 2000 it was absolutely true. Culp makes passing reference to the then-new EFS (Encrypting File System) in Windows 2000, but it had very little real-world footprint at the time. Also, since it’s not a full-disk encryption system, there were limits to the protection it could provide. As Johansson points out, there are plenty of tools available, in the form of boot disks, to reset the administrator password in the local SAM (software asset management) hive.
Full-disk encryption, an increasingly popular technology in enterprises, makes this much harder. It’s possible to configure such systems so that the system credentials, and therefore the encryption keys, can be obtained, but it’s also possible to defeat these attacks through the use of 2-factor authentication.
Bottom line: Law No. 3 has some clear exception cases, but for the large majority of us it still holds. And the exceptions are not just new technology, but inconvenient, so they are unlikely to be widely adopted any time soon.
There is a history of critics pointing to all of these laws, especially No. 3, as excuses by Microsoft for not fixing their own problems, but this is shallow thinking. It’s easy to demonstrate that they all apply to other platforms as well. Consider No. 2, about modifying the operating system: rootkits, the ultimate form of this compromise, originated on UNIX many years before they were on Windows. Perhaps Law No. 11 is that a security problem doesn’t become important until it affects Windows.
We’ll see how things work out for laws 4 through 10 as Johansson sees it, but I see a pattern. The improvements in security in recent years are designed to help you avoid the situations embodied in the laws, not to break the laws. There has been some improvement around the margins, but basically the rules are standing.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
For insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer’s blog Cheap Hack.