Security Is Simple: Only Use Perfect Software

Go Ahead, Make My Day

This blog is about my security work at Microsoft, not my past work in Linux. However, in a recent blog “AppArmor is Dead”, Russ Coker basically called me out by citing both this blog and AppArmor in the same post, so I am going to briefly go off topic and talk about Linux.

Russ says that AppArmor is dead because of the massive layoff of AppArmor workers from Novell in 2007, and SUSE’s recent decision to add SELinux as an option. He’s right that neither of these events is good for AppArmor, but I think he may be overstating things a little. AppArmor was added as the default security option in Ubuntu and Mandriva Linux because of user demand for usable security.

In contrast, I suspect that SELinux was added to SUSE Linux because Novell would like to sell more SUSE into US Federal Government accounts, some of which have mandated SELinux as a requirement. This is actually reasonable, since SELinux is designed for Federal security requirements, and it shows in the usability :-)

I am no longer involved in the AppArmor project, as I work for Microsoft now, and providing Windows with more usable security is where I put my creative energy. So maybe AppArmor is dying, maybe it isn’t. If AppArmor does die, then in some sense it just makes my job here of enhancing the Windows security value proposition vs. Linux that much easier.

So go ahead, make my day: ignore the popularity of AppArmor in the user community, and keep blocking AppArmor from inclusion in Linus’ kernel. If all I have to do is make Windows security easier and more effective to deploy than SELinux, then my job is practically done for me :-)

Published Tuesday, September 02, 2008 11:16 PM by crispincowan

Comments


djcapelis said:

I have a feeling the bar won't remain at SELinux's level for very long.  Usability and security are finally starting to sit down and have a chat.

As for your job being practically done for you, never fear about that! I'm sure you'll manage to figure out some sort of new system to work on. :)

Just let me know if you ever venture into the weird, weird world of trusted computing. There are good security features there; they're just hidden behind all the things that have nothing to do with good security and a few things that have to do with the opposite. :-\

~D.J.

September 3, 2008 9:37 AM

About crispincowan

"Reliable software does what it is supposed to. Secure software does what it is supposed to, and nothing else." -- Ivan Arce

Thus software security is very simple: only use perfect software :-) There being a supply shortage of perfect software, to secure systems we must do something else to ensure that software does not misbehave when fed "interesting" input by attackers. At extreme detail, we can specify exactly everything the program may do. This is called "the code", and we already know we can't get that right. So we must abstract what is allowed and what is not into useful classifications. But if we get these classifications wrong, and say "no" to access too often or at the wrong times, security becomes painful. If we fix that by making security complicated, it is still painful. Which is why most users choose no security and hope for the best.

Designing secure solutions that are effective AND easy to live with is what I do. I invented the StackGuard method of compiled buffer overflow protection, now used in both GCC and Microsoft Visual Studio. I designed the Immunix/Novell AppArmor application security system: standard access control security, with revolutionary ease of use. I now work for Microsoft, applying these same principles to the problem of enhancing Windows security.

© 2008 Microsoft Corporation. All rights reserved. Terms of Use  |  Trademarks  |  Privacy Statement