Separating Functions makes Desktops Safer
Columnist Ken van Wyk says operating systems would be safer places if we did a better job separating the functions of software installation and software execution.
It used to be we only had to worry about the bad guys putting bad stuff on our computers. Now, we also need to worry about the good guys. Yes, I know spyware has been around for some time now, but this case strikes me as a particularly egregious example of good guys trying to do bad things.
In fairness, I should point out that the Sony BMG software in question doesn't appear to be the same situation as a traditional rootkit per se -- if there is such a thing as a traditional rootkit. For starters, it doesn't appear to be the case that the software was planted maliciously. There's no shortage of bad judgment, arrogance, and so on, but malice still would be a stretch.
That said, it sure did have many of the same characteristics as the rootkits that we've seen attackers use for more than a decade against our computers -- it hid its presence, was difficult to remove, and such. But that's not what I'm here to talk about.
Any guesses as to what this pernicious flaw is?
Consider this: On your desktop, are you able to run software, as well as install it, all from your normal user account? It is painfully common to find desktop user accounts with system-level privileges. That's in direct conflict with one of Salzer and Schroeder's classic principles: least privilege.
Sure, it's easier to give users the ability to install software on their own systems. The conventional wisdom in many IT shops is that it results in fewer help desk calls from users who demand the ability to install software. Although this may well be the case (but I'm inclined to disagree), the problem that we saw with the Sony BMG copy protection software is that the CDs in question were able to install their copy protection software when the user inserted a CD containing the code. Had that software installation failed due to insufficient privileges, the rootkit would never have been installed. Oh, and the audio CD would likely not have been played. (No good deed... )
Having general purpose desktop accounts that can run and install software is an inherently dangerous practice that will inevitably lead to re-installing your operating system when something really nasty happens. Its sheer madness, if you ask me.
I'm not advocating environments where only the IT shop can install software, although I've seen that work quite effectively more than once. What I'm saying is that we would be well served to learn from the historical mainframe operating systems and consider separating the functions of software installation and software execution.
As in most mainframe operating systems, we'd have an administrative account for software installations and lock down user accounts so they can only run software. And, unlike most mainframe environments, it would even be OK, at least in many cases, for the users to have access to both worlds.
I know what you're probably saying: Your desktop OS does exactly that by way of an administrator account and regular user accounts.
As I said earlier, the underlying operating systems, by and large, have the ability to do this right out of the box, but it's common to find that dangerously circumvented on desktop and laptop systems. In the desktop OS installations I've done during the past year or so, I've found the installation process generally drove me to give the desktop user the privileges needed to install software.
I've also found that this dual account model doesn't always work well with all software, but that's another issue.
Don't get me wrong... I'm not saying a simple mechanism like this will solve all of our security problems, but it will sure help with some of them. When done well, this mechanism includes good old file access controls that would prevent users (and the little nasties that follow them home through their browsers, emails, instant messages, etc.) from affecting the installed software base, from the OS through the legitimately installed applications.
Bye bye, Sony BMG rootkit and the like.
And of course, the success of a plan like this would rest on the software installation practices themselves. That is, preventing malware from getting into the system while the user is running software would only be effective if the software gets installed carefully, following sound practices. I'm not unrealistic about what it would take to accomplish this. It's going to be tough to get the whipped cream back into the can, as it were.
Even with these caveats in mind, I'm still convinced our desktop operating systems would be safer places if we did a much better job at separating the functions of software installation and software execution.