How viable is it to create an operating system that is sufficiently bug-free and hardened enough to withstand even the most daunting of government adversaries?
I think you'd also need to build hardware for that end, given e.g. Intel's Management Engine operating at Ring -3, and having a whole string of known exploits.
Protecting against these vulnerabilities involves a lot more than just the OS. On this topic, see this incredible multi-step exploit from Google's Project Zero team, which goes from exploiting the Wi-Fi firmware to eventually gaining read-write access to the entire memory: https://googleprojectzero.blogspot.com/2017/10/over-air-vol-...
> During our research, we explored several components, including Broadcom’s Wi-Fi firmware, the DART IOMMU, and Apple’s Wi-Fi drivers […] We’ve also seen how the iPhone utilises hardware security mechanisms, such as DART, in order to provide isolation between the host and potentially malicious components.
Companies like NSO Group are certainly capable of developing exploits of this complexity, as Google's team has shown. Their analysis of NSO's FORCEDENTRY exploit showed NSO building a mini-VM from scratch within a little-known image codec used by the iMessage PDF engine: https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-i...
It is extremely difficult to defend against teams that have this amount of skill and dedication.
Reading Pegasus[0] was terrifying, and yet that second exploit link is so exciting and awe-inspiring that I fluctuate between admiration and terror. IIRC governments like the Saudis offered Ronaldo levels of money to some of NSO's engineers. Extremely difficult to defend against them indeed...
Very happy that book on NSO has made the waves it has in my political circles. Everyone needs to be aware of the security/safety climate that journalists, and anyone who wants to challenge governments/capital in any meaningful way, are facing.
Any more links like those? Fantastic stuff. Should I just be reading Google Project Zero's blog? I've recently found OffensiveCon thanks to Hacker News.
Time and money. These groups are funded 8 hours a day, 40 hours a week, per person, to dig into your code and find problems to exploit. Unless your place of work has an even bigger security team, you have no chance.
You can just start with one of the existing ones that have been validated, such as GEMSOS [1], which is offered by AESEC [2] and which was certified to TCSEC Class A1 by the NSA according to the Orange Book standard, or Integrity-178B, which is offered by Green Hills Software and which was validated against the SKPP of the Common Criteria [3] (the Common Criteria being the current preferred security standard framework used by most countries and validated against by basically every company).
Being certified against the SKPP required a multi-month NSA penetration test with full source code and design specifications to discover zero deficiencies [4], so it qualifies against the standard you are proposing. The certification was done at the behest of the DoD for the F-22 and the F-35, so you can be reasonably certain it was not a false certification by the NSA to make sure the premier fighter jets of the US are vulnerable.
You can also look at some of the other certified systems linked here [5], though I am not sure which of them are still commercially viable or even functional on modern hardware.
If you just want to run a minimal web server and ssh on typical server hardware? Probably doable today.
If you want enough infrastructure to, say, run a browser on one of thousands of undocumented processor models built by some company you've never heard of? Not gonna happen.
Hard. Look at the work that went into SELinux. And that is not perfect. There are provably correct programs, but designing software that way will take a lot more time, and a lot more money. The problem here is not technical; we could do it. The problem is that time to market and money are higher priority than security and user privacy for most companies.
Educating and motivating users to use the features of such an OS in order to maximize its security (e.g., capability bits)?
So much harder. This is, in my opinion, the more insurmountable problem. Most users have no idea what a window manager is, much less how to change their window manager. Security requires someone to set the capabilities allowed based on what's needed, with fine-grained security controls. That takes more time and effort. How many of you have deny all on site permissions in your browser, and only enable the ones you need for the sites you need them for? And we are the technical audience.
It is literally impossible with today's software engineering tools. If you want real computer security, we need to rebuild the industry from the ground up with correctness and proofs from step 1. That looks like formal analysis tools and then engineering tools built upon them. This research area has largely stagnated since the 80s & early 90s since no one actually cares about correctness because it is expensive. Without correctness guarantees, you cannot have computer security, full stop. All we have are band-aids on top of the gaping wounds upon which our entire industry was built.
So step one of your new OS engineering process is to build a whole new software engineering paradigm, and all of the engineering tools to go with it, from the ground up, based only on research from like a dozen people that mostly ended around 1990.
The move to remove one ring level in Intel chips was touted as a way to decrease the complexity of the CPU chip and OS start times. That is not the only reason; there is a security reason as well.
Security is about making it hard to attack on all surfaces, if feasible. If an OS hardens the kernel against attack, then the attack moves to userland. See how viruses and other attacks on BSD kernels work.
So the correct question in the systems realm is: can we come together to harden both the kernel and userland equally?
It would really need to go further than that. Supply chain attacks at the hardware level are very difficult to spot, especially at scale. This is an eye-opening talk on the subject:
> How viable is it to create an operating system that is sufficiently bug-free and hardened enough to withstand even the most daunting of government adversaries?
There already exist some very secure operating systems; however, that only solves the software part of the equation. Systems need hardware to run, and they come with firmware. Often the firmware itself is compromised, such as the firmware coming with most CPUs, for example Intel Management Engine[^1] and the AMD Platform Security Processor[^2].