Researcher: Operating systems inherently flawed

Summary:The architecture of the most common operating systems is a threat to corporate security, Joanna Rutkowska has warned

Windows, Linux and Mac operating systems are all inherently flawed due to the nature of their architecture, according to a leading security researcher.

Joanna Rutkowska said that inherent operating-system insecurity is a bigger problem than human fallibility. "Some bugs will catch everyone, even if the users are tech savvy," said Rutkowska, the chief executive of Invisible Things Labs. "The technology is as faulty as the human users, but human users can be educated."

The security researcher gave the example of exploits of Windows Vista. Vista security was bypassed in April by the .ani bug, while Vista kernel exploits were revealed at the Black Hat conference in August by Rutkowska.

She said that the weakest link in operating-system security is third-party drivers, because they can contain flaws that are not under the control of the vendor. "You can forbid changes to the registry key but, if you have, say, a buggy Wi-Fi driver, you can bypass the security technology on the operating system," said Rutkowska. "Third-party drivers are easier to attack than those of Microsoft, who have [undertaken] years of research."

The researcher advocated the concept of "microkernelisation", which is a compartmentalisation of drivers and other executable code that would only allow digitally signed code to execute on the kernel. Using the concept, drivers communicate with each other in a distributed system using "special protocols". Rutkowska suggested that microkernelisation should be combined with hardware virtualisation to create more robust architectures.

The researcher added that integrity checking on systems through digital certification and whitelists could solve user difficulties.

Peter Firstbrook, Gartner's research director of secure business enablement, said that Microsoft was "not interested" in microkernelisation due to the massive upheaval it would cause in rewriting code.

Phil Dunkelberger, chief executive officer of security firm PGP, said that to completely re-architecture mainframes and business operating systems would not be practical because the cost would be too great. Dunkelberger said that the largest threat to businesses was not data loss through malware, but data theft by employees.

A Deloitte survey of financial companies, released on Tuesday, also said that humans were the weakest link in terms of corporate security.

Topics: Security

About

Tom is a technology reporter for ZDNet.com, writing about all manner of security and open-source issues.Tom had various jobs after leaving university, including working for a company that hired out computers as props for films and television, and a role turning the entire back catalogue of a publisher into e-books.Tom eventually found tha... Full Bio

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.