Chapter 3. Security Vulnerabilities

3.8. Avoidance of Security Vulnerabilities

Subtle distinctions among the types of malicious code are relatively unimportant, and drawing them is often counterproductive. Rather than try to make fine distinctions, we must attempt to defend against all the malicious-code types systematically, within a common approach that is capable of addressing the underlying problems. The techniques for an integrated approach to combatting malicious code necessarily cover the entire spectrum, except possibly for certain vulnerabilities that can be ruled out completely—for example, because of constraints in the operating environment, such as when all system access is via hard-wired lines to physically controlled terminals. Thus, multipurpose defenses are more effective in the long term than are defenses aimed at only particular attacks. Besides, the attack methods tend to shift with the defenses. For these reasons, it is not surprising that the defensive techniques in the system-evaluation criteria are, for the most part, all helpful in combatting malicious code and trapdoor attacks, or that the set of techniques necessary for preventing malicious code is closely related to the techniques necessary for avoiding trapdoors. The weak-link nature of the security problem suggests a close coupling between the two types of attack.

Malicious-code attacks such as Trojan horses and viruses are not covered adequately by the existing system-evaluation criteria. The existence of malicious code would typically not show up in a system design, except possibly for accidental Trojan horses (an exceedingly rare breed). Trojan horses remain a problem even in the most advanced systems.

There are differences among the different types of malicious-code problems, but it is the similarities and the overlaps that are most important. Any successful defense must recognize both the differences and the similarities, and must accommodate both. In addition, as noted in Chapter 4, the similarities between security and reliability are such that it is essential to consider both together—while handling them separately where that is convenient. That approach is considered further in Chapter 7, where the role of software engineering is discussed (in Section 7.8).

To avoid such vulnerabilities, and eventually to reduce the security risks, we need better security in operating systems (for mainframes, workstations, and personal computers), database management systems, and application systems, plus better informed system administrators and users. Techniques for improving system security are also discussed in Chapter 7.