Don't just listen to me, listen to Bruce Schneier. Who's Bruce Schneier, you
ask? Mr. Schneier is the author of Applied Cryptography, a book that
is widely considered the Bible of computer cryptography, one of the underlying
foundations of computer security. He also authored Secrets & Lies:
Digital Security in a Networked World. Being a highly regarded author of
a book that is considered a Bible makes one God.
... and on the 8th day, in Secrets & Lies, in Chapter 8, "God"
talks about operating systems and their relationship/role in helping to make
computers secure. Primarily, he discusses the kernel as the trusted computing
base on top of which everything else in the OS and applications are built.
He points out how crucial a role the kernel plays when he writes:
The historical example that got this the most nearly correct is an operating
system called Multics, developed in the late 1960s by MIT, Bell Labs, and
Honeywell. ... Multics worked, although the security was way too cumbersome.
By now, almost everyone has forgotten Multics and the lessons learned from
that project.
One of the lessons people have forgotten is that the kernel needs to be
simple. (Even the Multics kernel, with only 56,000 lines of code, was felt to
be too complex.) ... The simpler the software is, the fewer bugs it will
have.
Unfortunately, modern operating systems are infected with a disease known as
"kernel bloat." This means that a lot of code is inside the kernel instead of
outside. When UNIX was first written, it made a point of pushing nonessential
code outside the kernel. Since then, everyone has forgotten this lesson. All
current flavors of UNIX have some degree of kernel bloat: more commands inside
the kernel, inexplicable utilities running with root permissions, and so
forth.
Windows NT is much worse. [This] operating system is an example of completely
ignoring security lessons from history. Things that are in the kernel are
defined as secure, so smart engineering says to make the kernel as small as
possible, and make sure everything in it is secure. Windows seems to take the
position that since things in the kernel are defined as secure, then you
should put everything in the kernel. When they can't figure out how to do
something, they just put it into the kernel and define it as secure.
Obviously, this doesn't work in the long run.
In Windows, the printer drivers are part of the kernel. Users download
printer drivers all the time and install them, probably not realizing that a
rogue (or faulty) printer driver can completely compromise the security of
their systems. It would be a lot smarter to put the printer driver outside
the kernel, so it wouldn't have to be trusted, but it would also be harder.
And the Windows NT philosophy always chooses ease -- both ease of use and ease
of development -- over security.
Windows 2000 is worse yet.
