RANT : PMMU is Not Security : Zerro Below

All opinions on this site are those of the author alone.
No warranty of any kind is provided.   All information herein is provided as is without any warranty of any kind.


Memory Protection is Not Security :

This is a big one for me. Many people nowadays associate memory protection and other HW access protection with security, even many that should know better. This is a demonstrably incorrect view.

Security breaches come from software providing a way to access data on the computer. This is true regardless of the hardware access control, including memory protection, hypervisors, security extensions, etc. If the software provides a way to access the data, it does not matter if the HW has any protection or not.

Equally, if the hardware does not provide any form of memory protection or other access protection, an OS and the software running on it can be completely secure, provided they do not give anyone a way to access the data on the computer except the people who are supposed to access it. This is especially true of not allowing remote access to data, and is up to the software installed and running on the computer. This is just as true for systems that have multiple user accounts.

The only way to protect the information on your computer from people who are not at your computer and reach it over the network (including the internet) is to not have any software that is able to allow them said access. This is especially true today, as backdoors keep being found to gain access to remote systems if the software provides the ability for remote access. Thus avoid having secure shell login ability in your software, avoid having VNC (or any equivalent) access, etc. If you know that there is not any software to allow access, then you know that it cannot be accessed. It does not matter if there is any HW protection of any kind.

This is also my biggest gripe about using Unix-like OSes on desktop computers. These OSes are designed to provide timesharing services on a local network; that is, they are meant for remote access and have software to allow such access as standard. It is possible to secure these systems, though a lot of work is involved in removing and disabling everything that is unwanted. Once secured, there is no good reason to be using a Unix-like OS on your desktop computer; it is better to use an OS intended for desktop computing from the ground up.
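One way to check what is still listening after such a cleanup, as an added example that is not the author's code: it parses the Linux `/proc/net/tcp` table and reports every listening socket that is bound to a non-loopback address. It assumes a little-endian Linux host and IPv4 only (IPv6 listeners live in `/proc/net/tcp6`); the sample table and the port-to-service labels are constructed for illustration.

```python
import ipaddress
import socket
import struct

# Standard ports of the remote-access services the text names.
REMOTE_ACCESS_PORTS = {22: "ssh", 23: "telnet", 5900: "vnc"}
TCP_LISTEN = "0A"  # state code for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20111 1
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20112 1
   2: 00000000:170C 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 20113 1
   3: 0500A8C0:A1B2 2200A8C0:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 20114 1
"""


def parse_listeners(text):
    """Return (ip, port, uid) for every IPv4 socket in the LISTEN state."""
    listeners = []
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 8 or fields[3] != TCP_LISTEN:
            continue
        hex_ip, hex_port = fields[1].split(":")
        # Assumption: little-endian host, so the address word is byte-swapped.
        ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
        listeners.append((ip, int(hex_port, 16), int(fields[7])))
    return listeners


def remotely_reachable(listeners):
    """Keep listeners bound to a non-loopback address, labelled by service."""
    found = []
    for ip, port, uid in listeners:
        if ipaddress.ip_address(ip).is_loopback:
            continue  # only reachable from the machine itself
        found.append((ip, port, REMOTE_ACCESS_PORTS.get(port, "unknown"), uid))
    return found


if __name__ == "__main__":
    # Swap SAMPLE for open("/proc/net/tcp").read() to audit a live Linux host.
    for ip, port, name, uid in remotely_reachable(parse_listeners(SAMPLE)):
        print(f"{ip}:{port} ({name}, uid {uid}) accepts network connections")
```

An empty result means no IPv4 TCP service on the host is accepting connections from the network; UDP and IPv6 need the same check against their own tables.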

The same issues as for Unix-likes (including Linux) also apply to the NT OSes for the exact same reasons. Again, it is better to use a different OS for desktop computing. NT OSes and Unix-like OSes have their place on local networks that host multiple users on a central system, and either do not have anything sensitive in nature, or do not have an internet connection.

Telnet and SSL should not be allowed at the system level. Instead, think about them like BBS systems of old, and have dedicated software to host them that does not have any way to allow access to the OS shell or other means of controlling the system. Well-written BBS software will only allow for files that are hosted on the BBS to be accessed by those logged in remotely. The BBS hosting software should provide the telnet interface (no OS or shared libs please), as well as the encryption used. Remember that Telnet is still used to host modern BBS systems today.

ALSO: Any files you can access over the internet (such as on a "Cloud Drive") can potentially be accessed by anyone else. While these services try to provide some level of security, they still must allow the user access to their files. When a security hole is discovered in the OS or host software used by the service provider, then everyone that is aware of the security hole can potentially access your files. As such, if you store files on a server of any kind, make sure that you only store files that are OK for anyone in the world to see (and do not have any secure information on the computers that can access said system).



© 2022 David Cagle