Reacting to Malware
There are these reactions to malware:
The first three reactions complement each other and make it more likely that the program behaves as the programmer intended.
Only the last two address the issue of the malicious programmer whose code is introduced to the machine thru first class channels, such as “the App Store”.
Most researchers unconsciously assume that the last goal is theoretically impossible.
The first three reactions complement the capability solution.
Capabilities were invented and implemented long before the word “malware”.
- Obfuscation such as ASLR which burdens some attacks with having to guess or otherwise learn the address of target code.
DEP (Denial of Execution Privileges, such as the NX bit in the x86 page table entry) is another amelioration of this error.
Such target code must have flaws as well to be derailed into obeying bits not from the compiler.
- Better languages and compilers to avoid invalid code.
This assumes that the programmer intended to “do the right thing”.
- Details about the ISA (Instructions Set Architecture) which makes innocent but invalid programs less likely to be gullible to maliciously crafted external messages.
- Sandboxing, like capabilities, provides a degree of component level authority attenuation.
It is a far cry from a full cap system.
- Macroscopic authority limitation, such as provided by capability discipline as provided by a capability kernel.
Then function, such as normally provided by a conventional kernel is divided into many parts each running with much less authority to be abused.
Language design could encompass dividing the world into mutually suspicious complexes, but much invention remains to be done.
These two styles:
complement each other.
To contend with programs written by a malicious programmer you need the former style.
To contend with maliciously crafted messages from the outside the latter style helps but the former makes system take-over still very difficult for the attacker must overcome many layers of abstraction by finding many flaws to reach to pay-dirt.
Further the attacker may penetrate an abstraction and find the he has compromised some abstraction but is inside the wrong instance of that abstraction.
- separate system into many address spaces or ‘capability object model’,
- eliminate ‘undefined behavior’ at language level or mostly ‘capability based addressing’.
This site is mainly about the first style — subdivide the world.