Survivability From a Sow's Ear: The Retrofit Security Requirement

This paper considers the survivability requirement for production operating systems that underlie typical information systems. Since economic incentives give competitive advantages to imperfect and therefore insecure software, it seems inevitable to consider retrofitting some form of security to existing systems. This approach has long been anathema in the security community. We outline the pragmatic alternative of retrofitting security to achieve information survivability.

1 Introduction: the Survivability Imperative

This paper makes the case for increasing operating system survivability by retrofitting a form of security to software systems that were not designed to be secure. A reader from the security community may consider this statement unorthodox. After examining the alternatives, we conclude that most other possibilities are even less likely to achieve the goal of widespread deployment of highly survivable information systems.

We consider operating system survivability to be a necessary building block of information survivability. Operating system survivability per se is not specific to any particular domain of information processing. Rather, it comprises cross-cutting issues that affect all domains of information survivability. If an application's host operating system fails to survive, then the application will also fail to survive. This paper pertains to issues involving the survivability of host operating systems, and by transitivity also the survivability of the information systems that run on them.

Broadly speaking, the survivability imperative is that the information infrastructure should survive attacks. While attacks can take many forms (including the dreaded "backhoe" attack :-) we consider only computer security attacks. To achieve high survivability of the information infrastructure, many of the systems in that infrastructure must be able to survive security attacks. How then can host systems survive computer security attacks?

The attacks must somehow be prevented from succeeding. Section 2 discusses the approach of using high security systems, which, by dint of rigorous engineering, are not vulnerable to security attacks. Section 2 also discusses the costs of high security systems, which have the unfortunate effect of making them not economically viable. Section 3 discusses the alternative: retrofitting existing common systems, which are not secure and thus are vulnerable, with a semblance of security such that they can survive attack.