IEEE to Standardize OS Security Components

aster_ken writes "The Institute of Electrical and Electronic Engineers has started work on a standard for securing operating systems, as a recognition that software security is 'limited by the operating systems that underpin them', the organization said yesterday. The standard, dubbed IEEE P2200, will address external threats and intrinsic flaws arising from software design and engineering practices."

Limited release

That's just great, codify the security aspects of OSes into a $100 document that can't be freely redistributed. That's a really good idea...

So, did anyone else...

[pla]

So, did anyone else read the linked article and think "Looks like someone bought the IEEE's support of TCPA / Palladium"?

I hope not, but it certainly sounds that way. Basically, it makes the point that we cannot trust people not to run programs that break their own (or others) computers, so the task of limiting what (possibly malicious) code can run falls to the OS.

Sad. If I didn't have complete confidence that any DRM scheme will eventually prove itself flawed, I might actually worry. Though, I certainly do not look forward to the general inconvenience it would cause, regardless...


Only education (and not running Outlook) will help reduce the modern plague of worms, virii, spam, and other ways to generally make a computer and the internet grind to a crawl. Not legislation, and not crippled hardware. People simple need to learn how to secure their own damn machines.

Re:So, did anyone else...

[esme]

Basically, it makes the point that we cannot trust people not to run programs that break their own (or others) computers, so the task of limiting what (possibly malicious) code can run falls to the OS.

you know, this basic premise doesn't have to be tied up in DRM. i think any decent security model is going to involve partitioning off system capabilities that aren't appropriate to the current user/situation/time of day/etc.

unix has had this sort of thing for ages, in the form of user permissions, and ulimit. ulimit supports various parameters -- files, memory, cpu, etc. that can be consumed. taking this to its logical conclusion and including bandwidth, address book access, connections to various servers, etc. could provide a pretty logical way to fence in worms.

providing even more restricted environments (like chroot jails or the applet runner) for untrusted code would be a good idea, too. if microsoft is going to insist on allowing people to email executables (screen savers, vbscript, etc.), the world will be better off if they execute in an environment that can't access the network, DoS the local machine, etc.

-esme

Re:Here here!

[bryanthompson]

don't get too excited there, guy. just becuase someone puts out a 'standard' doesn't mean everyone has to follow it. anyone can form an organization to make standards, but they dont' mean anything if nobody wants to follow them.

Not only that, but people like microsoft will just make their own standards and ignore the ones already set. They won't have any affect on anything, imho.

This could be good

[Bruha]

I think it's time for all OS's to accept standards to help people interact with eachother effectively and securely. As everyone know MicroSoft has shunned many attempts at standards in order to control their market share by keeping their users pinned into MicroSoft sanctioned data. This has the effect of forcing businesses to support the MicroSoft users first and everyone second if at all.

I think a security standard should be enforced by a world body to help prevent MicroSoft from once again taking the standard and corrupting it to work only with Windows and .Net applications thus forcing the same cycle of users/companies designing to MS standards again thus shutting out the rest of us from secure systems.

Some would say standards hurt computing that's not exactly the case. You can design products around standards and still compete with other standard compliant products. It allows everyone to remain compatible and at the same time darwinism will take effect with bad products going away and good products evolving to better suit their users.

Re:great...

[GoofyBoy]

>Security is still too volatile.

Better put: Security is in the details.

If I'm going to crash a system then its going to be its specific weakness/flaw and not some standard hole in every product.

The standard will help but it still does not guarentee the implementation will be invulnerable.

Americans and standards

[Tim+Ward]

Um, yes, perhaps.

Remember the reaction of the average American to an international standard is to denounce it as a communist plot, particularly if one of the European standards bodies takes an interest (or even ISO, which most Americans regard as European and therefore communist).

If you want an example of how well Americans make good use of international standards you just have to look at their mobile phone system ... and laugh or weep to taste. (I have this phone which works in 199 countries of the world and doesn't work in one, which is ... guess which? Likewise there's just one county in the world which uses strange paper sizes ... just one country which is so wedded to Imperial units that it crashes spacecraft in preference to following international standards ... and so on and so on ...)

Now, if most operating system manufacturers were European and Japanese this would be a good idea, because they'd be likely to follow any new international standard. But it happens to be a fact of life that many operating systems are produced or contributed to by Americans, so any such idea is dead in the water before it gets off the ground.