2 More Things In History That Could Have Improved Infosec & Privacy

Late last week I blogged about a question I got while at InfoTec in Omaha, “2 Things In Computing History That Could Have Improved Information Security and Privacy”…


After I blogged I got a response from Luke, who asked me this question, and he described quite eloquently what he believes were the two things he would have changed to improve information security and privacy.
Here is his thoughtful, and very informative, answer:

I, as well, have been thinking about the same question and to date I have come up with at least two things that I would have changed.
According to H. Norton Riley, the author of the paper “The von Neumann Architecture of Computer Systems”, one of von Neumann’s key parts of a general purpose computing device was that “…instructions should be as changeable as the numbers they acted upon.” von Neumann also stated that both data and instructions could be stored in the same memory space as long as the two could be distinguished from one another. Many of today’s computers use the first key part of von Neumann’s architecture, storing data and instructions in the same place, but they forget to implement the second part, the ability to distinguish them.
So the first thing I would change would be how von Neumann’s computer architecture is implemented. With many of today’s computers data and instructions are stored in the same memory space; however, they lack the ability to distinguish data from instructions. It is this inability to distinguish instructions from data that leads directly to such vulnerabilities as buffer overflows and SQL and code (e.g. PHP) injections. I believe that if we had the ability to distinguish between data and instructions we would eliminate an entire class of vulnerabilities.
The second thing I would change would be the fact that we forgot that we, at one point in time, knew how to do computer security and do it well. There are several foundational papers that do a pretty good job of defining the problem and discussing solutions to it. The first of these papers is “Security Controls for Computer Systems: Report of Defense Science Board Task Force on Computer Security”, published 11 February 1970. This report is also commonly referred to as the “Ware Report”. It has a good discussion of the security issues faced at the time. The surprising thing is that we are still facing most of the same issues, but in a slightly different context.
The second paper is the “Computer Security Technology Planning Study” by James P. Anderson, October 1972. This study discusses a research agenda that would have solved the majority of the problems stated in the Ware Report. The biggest point to come from this paper was the idea of a reference monitor. Basically, the reference monitor is a protection mechanism that checks every access to a data object. If the calling object doesn’t have authorization to access the data, the reference monitor denies access.
The final paper is “The Protection of Information in Computer Systems” by Jerome H. Saltzer and Michael D. Schroeder, October 11, 1974. This paper defines eight design principles that every system should follow. They are economy of mechanism, fail-safe defaults, complete mediation, open design, separation of privilege, least privilege, least common mechanism, and psychological acceptability. The paper also states that these principles are not end-all, be-all rules, but if one is violated it introduces the possibility of a vulnerability.
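
Luke’s first point, that mixing data and instructions without a way to tell them apart is what makes injection possible, is easiest to see with SQL. The example below is added here for illustration and is not code from Luke’s reply or from this blog: it seeds a throwaway in-memory SQLite table (the user names and passwords are made up), then runs the same hostile password through a query that splices the input into the SQL text and through one that binds it as a parameter. In the first the database parser sees the attacker’s quote and OR as part of the instructions; in the second the engine parses the fixed statement first and only then binds the values as data, so the same input matches nothing.

```python
import sqlite3

# Constructed sample table for the demonstration (not data from the post).
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """In-memory SQLite database seeded with the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_concat(conn, name, password):
    """Vulnerable form: user input is spliced into the SQL text, so the
    database's parser has no way to tell where the instructions end and
    the data begins.  A quote in `password` becomes part of the statement."""
    sql = ("SELECT name FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return sorted(row[0] for row in conn.execute(sql))


def login_param(conn, name, password):
    """Hardened form: the statement and the values travel separately.
    The engine parses the fixed SQL, then binds the values as data, so a
    quote in `password` is just a character to compare against."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (name, password)))


def demo(payload="' OR '1'='1"):
    """Run the same hostile input through both versions and return
    (rows leaked by the vulnerable query, rows returned by the safe one)."""
    conn = make_db()
    leaked = login_concat(conn, "alice", payload)
    safe = login_param(conn, "alice", payload)
    conn.close()
    return leaked, safe


if __name__ == "__main__":
    print(demo())
```

With the payload the concatenated query becomes `... WHERE name = 'alice' AND password = '' OR '1'='1'`, which is true for every row, so the vulnerable login “succeeds” for both users; the parameterised query returns nothing, and still returns alice for her real password. The fix is not escaping the quote but refusing to let data reach the parser as instructions at all.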

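To make Anderson’s reference monitor and two of the Saltzer–Schroeder principles concrete, here is a small example added to this post (it is not from Luke’s reply, from Anderson’s study, or from the Saltzer–Schroeder paper; the subject, object and rule names are invented). The monitor is a single decision point that every read and write must pass through (complete mediation), it denies anything not explicitly granted (fail-safe defaults), and it records each decision so the mediation can be audited. The object store has no access path that bypasses the monitor, which is what “always invoked” means in practice.

```python
class ReferenceMonitor:
    """A reference monitor reduced to its essentials: one small decision
    point consulted on every access (complete mediation) that denies
    anything not explicitly granted (fail-safe defaults).  Every decision
    is recorded so the mediation can be audited."""

    def __init__(self):
        self._rules = {}   # (subject, object) -> set of permitted modes
        self.audit = []    # (subject, object, mode, decision)

    def grant(self, subject, obj, mode):
        self._rules.setdefault((subject, obj), set()).add(mode)

    def revoke(self, subject, obj, mode):
        self._rules.get((subject, obj), set()).discard(mode)

    def check(self, subject, obj, mode):
        # A missing rule yields an empty set, hence "denied".  There is no
        # other branch that can grant access.
        decision = mode in self._rules.get((subject, obj), set())
        self.audit.append((subject, obj, mode, decision))
        return decision


class ObjectStore:
    """Holds the protected data objects.  Its only access paths call the
    monitor first, which is what keeps the monitor always invoked."""

    def __init__(self, monitor):
        self._monitor = monitor
        self._objects = {}

    def create(self, owner, name, contents):
        self._objects[name] = contents
        for mode in ("read", "write"):
            self._monitor.grant(owner, name, mode)

    def read(self, subject, name):
        if not self._monitor.check(subject, name, "read"):
            raise PermissionError(f"{subject} may not read {name}")
        return self._objects[name]

    def write(self, subject, name, contents):
        if not self._monitor.check(subject, name, "write"):
            raise PermissionError(f"{subject} may not write {name}")
        self._objects[name] = contents


def _attempt(op, *args):
    """Return the result of an access, or 'denied' if the monitor refused it."""
    try:
        return op(*args)
    except PermissionError:
        return "denied"


def demo():
    """Walk through grant, access and revoke with invented names; returns
    the observed outcomes so they can be checked."""
    monitor = ReferenceMonitor()
    store = ObjectStore(monitor)
    store.create("alice", "payroll", "Q1 figures")
    outcome = {}

    outcome["owner_read"] = store.read("alice", "payroll")
    outcome["stranger_read"] = _attempt(store.read, "bob", "payroll")

    monitor.grant("bob", "payroll", "read")
    outcome["granted_read"] = store.read("bob", "payroll")
    outcome["granted_write"] = _attempt(store.write, "bob", "payroll", "tampered")

    monitor.revoke("bob", "payroll", "read")
    outcome["revoked_read"] = _attempt(store.read, "bob", "payroll")
    outcome["unknown_object"] = _attempt(store.read, "alice", "nonexistent")
    outcome["decisions"] = len(monitor.audit)
    return outcome


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two details carry the principles. Access to an object that has no rule, including one that does not exist, is refused before the store is even consulted, so the default is “no” rather than an exception path that might leak information. And because `read` and `write` are the only ways at the data, the audit list contains exactly one entry per access attempt, which is the property Anderson wanted verifiable in a real kernel.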

What 2 things in computing history do you think would have changed information security and privacy for the better?
