By: Larry Seltzer
As far as security goes, the operating system of the future is, in many ways, here today. Led, somewhat ironically, by Microsoft Windows, operating system vendors and some other software vendors have been making their products more secure by default. They also have been providing tools and best-practice guidelines for application developers to improve security.
If everyone adopted the most current versions of software and followed state-of-the-art practices in software development, the future would be here today. Alas, things are never that easy.
The Internet caused the escalating software security problem, and the protection of Web browsers and other Internet-facing software has been the greatest imperative of security developers. The techniques designed to protect these programs will find their way into other applications and the core of the operating system itself.
Recent security research has found limited cracks in the walls put up with DEP (data execution prevention), ASLR (address space layout randomization) and other systemic protection technologies. But the developers of these protections understand that they're not impenetrable barriers; they are obstacles put in the way of exploits, making it harder and harder to accomplish them. The more such obstacles that are put in place, the harder it is to carry out a real-world exploit, as opposed to a laboratory one, and the less serious the implications of the exploit will be. This is called defense in depth.
The good news about these techniques is that they should not change the way applications operate, except for certain egregious cases, and you get the security for free. They turn some programming techniques, self-modifying code in particular, into the inherent problems they should be. The real problem, which we have been experiencing for the many years that DEP and ASLR have been implemented in Windows, is that many applications we use don't opt in to them.