ZDNet UK


Skip to Main Content

ZDNet.co.uk - Winner of Best Business Website 2007
  1. Home
  2. News
  3. Blogs
  4. Reviews
  5. Prices
  6. Resources
  7. Community
  8. My ZDNet

 

ZDNet UK RSS Feeds


IT Jobs

Security threats Toolkit

Researcher: Operating systems inherently flawed

Tom Espiner ZDNet.co.uk

Published: 18 Sep 2007 11:20 BST

  • Email
  • Trackback
  • Clip Link
  • Print friendly
  • Post Comment

Windows, Linux and Mac operating systems are all inherently flawed due to the nature of their architecture, according to a leading security researcher.

Joanna Rutkowska said that inherent operating-system insecurity is a bigger problem than human fallibility. "Some bugs will catch everyone, even if the users are tech savvy," said Rutkowska, the chief executive of Invisible Things Labs. "The technology is as faulty as the human users, but human users can be educated."

The security researcher gave the example of exploits of Windows Vista. Vista security was bypassed in April by the .ani bug, while Vista kernel exploits were revealed at the Black Hat conference in August by Rutkowska.

She said that the weakest link in operating-system security is third-party drivers, because they can contain flaws that are not under the control of the vendor. "You can forbid changes to the registry key but, if you have, say, a buggy Wi-Fi driver, you can bypass the security technology on the operating system," said Rutkowska. "Third-party drivers are easier to attack than those of Microsoft, who have [undertaken] years of research."

The researcher advocated the concept of "microkernelisation", which is a compartmentalisation of drivers and other executable code that would only allow digitally signed code to execute on the kernel. Using the concept, drivers communicate with each other in a distributed system using "special protocols". Rutkowska suggested that microkernelisation should be combined with hardware virtualisation to create more robust architectures.

Read this

Feature
Feature: Locating the real threats to corporate security

With organised criminals seizing the opportunities of cybercrime, how accurate is the established belief that company insiders are the biggest threat to IT security?

Read more +

The researcher added that integrity checking on systems through digital certification and whitelists could solve user difficulties.

Peter Firstbrook, Gartner's research director of secure business enablement, said that Microsoft was "not interested" in microkernelisation due to the massive upheaval it would cause in rewriting code.

Phil Dunkelberger, chief executive officer of security firm PGP, said that to completely re-architecture mainframes and business operating systems would not be practical because the cost would be too great. Dunkelberger said that the largest threat to businesses was not data loss through malware, but data theft by employees.

A Deloitte survey of financial companies, released on Tuesday, also said that humans were the weakest link in terms of corporate security.

  • Email
  • Trackback
  • Clip Link
  • Print friendly Print with HP

Did you find this article useful?
7 out of 7 people found this useful


Talkback

Post a comment


Full Talkback thread

3 comments

  1. It helps to have the drivers' source code availabl... Chris Rankin
  2. Can't agree. pround
  3. Yes - they are - but they need not have been 1000044325

Related Links

More In Security threats


Company/Topic Alerts

Create a new alert from the list below:









Related Jobs

Major Investment Bank seeks Quantitative Researcher

My client, one of the worlds leading Investment Banks, are seeking an exceptional candidate to provide quantitative research for their global ...

Human Resources Consultant

The history of my client goes back nearly 200 years and has been accredited numerous awards. They operate in the Financial Services sector and have ...

Computer Vision PhD Algorithm Researcher - Oxford

Senior Computer Vision Scientist wanted for an advanced imaging company. My client is looking for a 1st class postgraduate with a top academic career ...

Featured Oracle Resources

businessfirst: Ideas to help small companies retain their successful entrepreneurial spirit

Oracle ONE Magazine: Technology solutions for midsized businesses February 2008 edition

Choosing a Reliable and Powerful IT Infrastructure at a Price You Can Afford

Database Consolidation: Reducing Cost and Complexity

Ensuring Data Protection for Growing Business

Oracle for medium and emerging businesses: protect, strengthen and enhance your organisation

Oracle partner network solutions catalogue

See All White Papers

Sentry Posts Blog

DWP downplays security breach

The Department for Work and Pensions (DWP) has admitted that some of its staff have been forwarding passwords with password protected material. An email that was leaked on the 'Dizzy... More

Post a comment

How many headshots does one chairperso...

We got a strange request last week from the head of PR from Russian security experts Kaspersky. It seems although the company was very happy with the interview we recently carried with... More

Post a comment

Google sponsors open source security p...

Google has announced it is to sponsor oCERT, an open source computer emergency response team. In a blog post on Monday, Google security engineer Will Drewry said that one of the... More

Post a comment

Featured Talkback

On the contrary, if vendors were forced to stand behind their products it should increase innovation. It would force more, and better , testing before hitting the sales floor, resulting in fewer updates and less downtime for the consumer. At present the EULA removes responsibility from the vendor, and moves it to the user, which is a step backward. Make the vendor responsibility for their code.

By: ator1940

Read full story:
RSA: Vendor liability may stifle innovation