Gary McGraw & Greg Hoglund
In the late '90s, the security market boomed as organizations deployed network-based solutions. Yet, exploits continue to rise despite years of investment in firewalls, IDSes, AV and cryptography.
In the future, attackers will have a tougher time picking targets, as platforms with tailored functions offer a much narrower target.
Why? Because network-based defense mechanisms don't address the heart of the problem: bad software.
Perimeter defenses are reactive: They block packets to this or that port; scan for files that include this or that pattern; and throw partial and oversized packets away without looking at them. We're scrambling to compensate for the porous software that processes the packets penetrating our perimeter defenses. This software security problem will likely get worse before it gets better because the software itself is changing faster than software security technology.
We've identified seven broad trends that will help you understand how software is evolving and how it will impact security. We believe these trends will exacerbate the root causes of software problems: what we call the "Trinity of Trouble" complexity, extensibility and connectivity.
7 Software Trends
These seven major trends will define the future of software:
1. - Disappearance of Bloated Operating Systems
2. - Evolution of Components and Objects
3. - Rise of Mobile Code
4. - Normalization of Distributed Computation
5. - Proliferation of Embedded Systems
6. - Mass Adoption of Wireless Networks
7. - Change in Payment Models
TREND 1: Disappearance of Bloated Operating Systems
What's happening now: Microsoft's integration of Internet Explorer into its OS is no accident. The line between OS and application has blurred. Activities that once required dedicated apps now come standard, and what appear to be stand-alone apps often are mere faces created on top of multiple OS services. This has a lot of marketing appeal, but the bottom line is that operating systems tend to do too much, and this complexity undermines OS security and reliability. The antidote to OS bloating is the rise of encapsulation models, such as Java and Microsoft's .NET virtual machines (VMs).
Security risk: Deep OS integration runs counter to the principle of compartmentalization. Attackers can compromise the OS as a side effect of exploiting a deeply integrated app. But the growing use of VMs, which encapsulate OS services and protect them from the outside, results in much tighter control over programs than a generic OS. This is a boon for software security. However, advanced security models for VMs are hard to get right, since they use less understood language-based security mechanisms. As a result, the Java Virtual Machine (JVM) has been the target of numerous software exploits through attack applets.
The trend: The continuing proliferation of platforms like JVM and .NET brings the idea that VMs can really deliver "write once, run anywhere" software. We'll see two significant longer-term developments:
- Embedded devices with hardware implementations of VMs will become more common. The endgame may well be "special purpose" OSes that are built specifically for a particular device. An early example is Palm OS. Since OS kernels typically run with privilege, the idea of privileged code and super-user capability will be transferred to the device itself. This is a potential area for exploit.
- The OS will disappear. The OS will be embraced and encapsulated by the VM. Applications will get their own OS-like services from various components. Micro-soft appears to agree, and it's easy to see why Redmond is serious about .NET. The vision of Sun Microsystems' "network as computer" will come true, which may make it harder to exploit software.
Today's monolithic platforms all share the same vulnerabilities and offer a huge number of potential targets. In the future, attackers will have a tougher time picking targets, as platforms with tailored functions offer a much narrower target than, say, millions of similarly broken NT/2000 boxes.
What's happening now: Component-based software is finally catching on in response to the need for more robust, reliable and secure systems. Businesses are using Enterprise JavaBeans (EJB), CORBA and COM (including its .NET instantiation) to create mission-critical code.
The idea is to create applications as needed with software-based building blocks. The process is analogous to building a highway bridge out of standardized structural components. Components written in frameworks like EJB work naturally in distributed environments; they were created with interobject communication between multiple servers in mind.
A handful of advanced development shops are creating standardized components for special-purpose use. The component model can be extremely helpful when building security-critical software; standard components implementing reasonable security architecture can be integrated seamlessly into a new design.
Security risk: The art of composing components into a coherent system while maintaining security is extremely difficult and poorly understood, making component-based software subject to exploitation. Widely shared -- but broken -- components are a big problem.
The trend: Devices that serve one, and only one, computational purpose are likely to emerge; many such objects currently exist in telecommunications systems. The emergence of network-enabled everyday devices with embedded software opens new avenues for security compromise. The famed "Internet toaster" may become a reality, enabling a bad guy to burn your breakfast as well as your Web server.
Computational capability will turn ordinary objects into "smart objects." Pens and paper will have APIs. Light switches will run code. Software exploitation will reach deeper into our lives than ever.
What's happening now: The introduction of Java in 1995 was heralded with much hubbub about applets and mobile code, but mobile code was ahead of its time. Now, as embedded Internet devices become more common and many disparate systems are networked, mobile code is coming into its own. For example, phones with JVMs are unlikely to be programmed through the phone's buttons. Instead, code will be written elsewhere and loaded into the phone as necessary.
Security risk: Exploits against advanced security models meant to protect against malicious mobile code have been discussed for years. The wide range of technology, from VMs for tiny 8-bit smart card processors to complicated application server VMs supporting systems like J2EE, means that one size does not fit all from a security perspective. Much work remains to determine which security mechanisms are reasonable for resource-constrained devices (including J2ME devices). In the meantime, VMs are ripe for software exploit.
The trend: Adoption of Web services based on mobile code models will continue to be a security headache. Due to the ever-growing pervasiveness of networking, all code will be mobile code. In fact, the term "mobile code" will fall out of use. Language-based security models will take on more importance, and attacks against these kinds of security mechanisms will be seen in the wild.
What's happening now: Component-based software and distributed systems go hand in hand. Components provide logical pieces of functionality that can be put together in interesting ways to make a complete, logically distributed system. This sort of modular design is consistent with the security principle of compartmentalization. At the same time, distributed systems are complicated and hard to get right. The most common distributed systems today are geographically colocated and often make use of a single common processor. Windows OSes, made up of hundreds of components such as DLLs, are a prime example.
Security risk: Complexity is the friend of software exploit. Thus, distributed systems often make the job of exploiting software easier.
The trend: Logically distributed systems, such as Win32, will evolve into geographically distributed systems as special-purpose computational units, such as transaction-clearing engines, come into play. Security issues will increase as distributed systems begin to rely on the network for communications among components. Transport-level encryption will help, but man-in-the-middle and timing attacks will become commonplace.
Since security is only as strong as the weakest link, attackers will seek out the most vulnerable distributed components to compromise an entire system.
What's happening now: PDAs are becoming ubiquitous and, increasingly, feature embedded Internet capability. PalmOne's Treo combines cellphone, PDA and e-mail systems into one highly portable, networked device. These simple, handheld network appliances will be used to carry out many security-critical activities, like checking e-mail, ordering dinner and buying stocks. PDAs are often programmed remotely and make use of mobile code to receive and install new programs.
Security risk: Although PDAs haven't been greatly exploited, their glaring lack of software security make them prime targets for future attacks.
The trend: Programs for PDAs and other embedded systems that respond to where they are running will be common. Cryptographic algorithms that only work at certain GPS coordinates will be widely used. Programs on embedded devices will remind users to do things ("don't forget to pick up milk") and buy things ("designer jeans on sale here") based on physical proximity. WAP phones are leading the way, to a certain extent, with location-sensitive advertising capabilities. Opportunistic attackers will probe your PDA for vulnerabilities as you lean over to pick up your drink from the bar.
What's happening now: Wireless networking is growing significantly, made more secure as 802.11i adoption becomes widespread.
Security risk: Wireless networking has a pervasive, negative impact on security because it breaks down physical barriers. Without wires connecting the network, the physical limits of network segments blur. The first years of wireless deployment were marked by software exploits, the breaking of the WEP encryption algorithm and the reemergence of ARP cache-poisoning attacks.
The trend: Security concerns will grow as more business-critical applications include wireless components. Embedded systems will be connected to the Internet via wireless networks.
What's happening now: The idea of paying for what you actually use is beginning to be applied to software as well as other digital content. This presents obvious security concerns, not the least of which is protecting the service or content from being stolen.
Security risk: Protecting digital content is an unsolved and technically unsolvable problem. Despite the availability of digital rights management solutions, software exploits allow attackers to steal intellectual property with impunity.
The trend: The idea of installing copies of an enterprise-grade application on every machine will begin to make less sense. Instead, software functionality will be delivered -- and charged for -- according to need. The ASP model of software licensing is likely to catch on, spawning a new class of attacks that will steal these software functions.
Computational services may be sold "by the cycle," making computing more like electricity, with cycles available simply by "plugging something in." Eventually, cycles may become as ubiquitous as air, in which case charging for cycles (and for CPUs) will no longer make sense.
Outsourcing computation raises myriad security questions: How can you trust an answer? How can you protect knowledge about the problem you are solving from the host doing the computation? How can you properly delegate resources and charge for use?
There's an upside for security: An attacker will need to determine not only how to attack, but where. Redundancy will be used to make attacks against any particular component difficult. (My stealing your bike won't slow you down because you have 20 more.) The act of finding the "weakest link" to attack will much more difficult.
GARY McGRAW, Ph.D., is CTO of Cigital and coauthor of Exploiting Software (Addison-Wesley, 2004), Building Secure Software (Addison-Wesley, 2001) and five other books.
GREG HOGLUND created and documented the first Windows NT-based rootkit and founded www.rootkit.com. He coauthored Exploiting Software.