Wednesday, May 13, 2020

Microsoft's "Immutable" Laws of Security vs Android

In 2011 Microsoft posted an updated copy of their "Ten Immutable Laws of Security".  It's interesting to look at these laws in the context of today's mobile operating systems, in particular the one I know best: Android.  I think many of the "laws" have been at least partially invalidated. Also, I think most of my comments would apply to iOS as well, though maybe not all, and I'll refrain from commenting since I don't know iOS security well.

Here are the laws, and my comments on each:

1. If a bad guy can persuade you to run his program on your computer, it’s not solely your computer anymore.

Android largely invalidates this law.  Every program (app) you run on an Android device is walled off from every other app.  It can't access any storage but its own, the Android permission system enables the user to block it from accessing many system services, and any app can be completely removed, so even if the app does manage to do something bad, you can end its access.

Of course it's always possible that an attacker can find ways to exploit system vulnerabilities from his app and bypass these protections, but that's pretty rare.  Vulnerabilities of those sorts are hard to find and hard to execute on up-to-date Android devices.  It's also possible for apps to abuse legitimate system features, but only in narrow ways, and there are efforts to reduce those.

2. If a bad guy can alter the operating system on your computer, it's not your computer any more.

This is true, and it's why Android implements Verified Boot, using a few different mechanisms to make sure that a bad guy can't alter the operating system on your computer. If the bad guy alters your operating system where it's stored on your device, your device just won't boot.  If the bad guy alters your running, in-memory operating system (which is hard to do), his changes will disappear at the next reboot.

3. If a bad guy has unrestricted physical access to your computer, it's not your computer any more.

This is only somewhat true.  Android moves some important work out of the Android system entirely and into isolated environments that are much tougher to compromise through physical access.  Nothing is perfectly secure against an attacker who has complete control of the hardware, but it can be very, very difficult.  The Android security team puts a great deal of effort into ensuring that an attacker who steals or finds your phone can get basically no data out of it, and even has a very hard time wiping it and using it himself.

4. If you allow a bad guy to run active content in your website, it’s not your website anymore.

I'm less up to date on website security these days, but there are many tools that could be used to mitigate this risk.

5. Weak passwords trump strong security.

This is very context-dependent.  If we're talking about your Android lockscreen, it's arguably not true.  The device hardware imposes exponentially-increasing delays between authentication attempts, making brute force search of password spaces pointless.  Of course, if the attacker has some way to observe you entering your password, or some way to guess what password(s) you might use, that may not matter.
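To make the throttling argument concrete, here is an added toy model of a verifier with escalating delays (this is not Android's own Gatekeeper code; the schedule of five free attempts followed by a doubling 30-second penalty is an assumption chosen for illustration):

```python
import hmac
from hashlib import sha256

# ASSUMED schedule for this example, not Android's real timing:
# no delay for the first FREE_ATTEMPTS failures, then a penalty that doubles
# with every further consecutive failure.
FREE_ATTEMPTS = 5
BASE_DELAY_S = 30


def delay_before_attempt(failures: int) -> int:
    """Seconds the verifier makes the caller wait before the next guess,
    given the number of consecutive failures recorded so far."""
    if failures < FREE_ATTEMPTS:
        return 0
    return BASE_DELAY_S * 2 ** (failures - FREE_ATTEMPTS)


def seconds_to_exhaust(n_candidates: int) -> int:
    """Total simulated wall-clock seconds needed to try n_candidates guesses
    in sequence when every guess except possibly the last one fails."""
    return sum(delay_before_attempt(f) for f in range(n_candidates))


class ThrottledVerifier:
    """Toy credential verifier: stores a hash of the secret and a failure
    counter that drives the delay schedule. On a real device this counter
    lives in a hardware-backed component so software cannot reset it."""

    def __init__(self, secret: str):
        self._digest = sha256(secret.encode()).digest()
        self.failures = 0
        self.clock = 0  # simulated seconds elapsed so far

    def attempt(self, guess: str) -> bool:
        # The penalty is served before the guess is even evaluated.
        self.clock += delay_before_attempt(self.failures)
        ok = hmac.compare_digest(sha256(guess.encode()).digest(), self._digest)
        self.failures = 0 if ok else self.failures + 1
        return ok


if __name__ == "__main__":
    # Even a 4-digit PIN space (10,000 candidates) becomes impractical:
    secs = seconds_to_exhaust(10_000)
    print(f"~{secs // (365 * 24 * 3600):.3e} simulated years to exhaust 4 digits")
```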

6. A computer is only as secure as the administrator is trustworthy.

On mobile devices, the administrator is the user... and Android does not trust the user to make good security decisions.  There are some 2-3 billion Android users in the world, and there's no way all of them are sufficiently educated and conscientious to make good security decisions.  In fact, hardly any of them are. As a result the system does very much try to protect from administrator untrustworthiness. There are limits to what can be done, of course.  We can't protect users who decide they really want to post all their personal data on Facebook, but we can make it hard for them to inadvertently screw up.

7. Encrypted data is only as secure as its encryption key.

This one is actually something I'm willing to call an "immutable law", but only because the whole purpose of encryption is to turn large secrets (encrypted data) into small secrets (encryption keys).  It's basically a tautology. That doesn't mean it's not worth keeping in mind. Any time anyone says they're protecting data with encryption, the very next question should always be "Where's the key and how is it secured?".

8. An out-of-date antimalware scanner is only marginally better than no scanner at all.

Anti-malware scanners are more of a threat than a help in the Android world. Lots of them want users to root their devices in order to let the scanner break out of the sandbox to "protect" the device... but even the scanners that aren't actively malicious (and there are more than a few of those) are buggier and less secure than Android itself. Android has a built-in scanner which just checks the apps you have installed to see if any of them are known to be harmful. That's always up to date. Everything else is just a bad idea.

9. Absolute anonymity is practically unachievable, online or offline.

This is true.  That said, you can often get pretty close given enough knowledge and effort.

10. Technology is not a panacea.

Also self-evidently true.
