Researcher: Operating systems inherently flawed

The architecture of the most common operating systems is a threat to corporate security, Joanna Rutkowska has warned
Written by Tom Espiner, Contributor

Windows, Linux and Mac operating systems are all inherently flawed due to the nature of their architecture, according to a leading security researcher.

Joanna Rutkowska said that inherent operating-system insecurity is a bigger problem than human fallibility. "Some bugs will catch everyone, even if the users are tech savvy," said Rutkowska, the chief executive of Invisible Things Labs. "The technology is as faulty as the human users, but human users can be educated."

The security researcher gave the example of exploits of Windows Vista. Vista security was bypassed in April by the .ani bug, while Vista kernel exploits were revealed at the Black Hat conference in August by Rutkowska.

She said that the weakest link in operating-system security is third-party drivers, because they can contain flaws that are not under the control of the vendor. "You can forbid changes to the registry key but, if you have, say, a buggy Wi-Fi driver, you can bypass the security technology on the operating system," said Rutkowska. "Third-party drivers are easier to attack than those of Microsoft, who have [undertaken] years of research."

The researcher advocated the concept of "microkernelisation", which is a compartmentalisation of drivers and other executable code that would only allow digitally signed code to execute on the kernel. Using the concept, drivers communicate with each other in a distributed system using "special protocols". Rutkowska suggested that microkernelisation should be combined with hardware virtualisation to create more robust architectures.

The researcher added that integrity checking on systems through digital certification and whitelists could solve user difficulties.

Peter Firstbrook, Gartner's research director of secure business enablement, said that Microsoft was "not interested" in microkernelisation due to the massive upheaval it would cause in rewriting code.

Phil Dunkelberger, chief executive officer of security firm PGP, said that to completely re-architecture mainframes and business operating systems would not be practical because the cost would be too great. Dunkelberger said that the largest threat to businesses was not data loss through malware, but data theft by employees.

A Deloitte survey of financial companies, released on Tuesday, also said that humans were the weakest link in terms of corporate security.

Editorial standards