Asimov's laws for security

For any computer security to work effectively, you need to be able to
trust your computer to put your interests above those of anyone
else. If your cleaning lady can access any data on it while you are
absent, it fails basic security.

If you browse the web and it falls victim to a drive-by download and
installs spyware, you’re hosed as well.

If your computer detects that you do something that would jeopardize
the security and privacy of your data on it, your computer should
prevent you from doing it. If you really insist, of course it must
comply.

It’s like Asimov’s Laws of Robotics, but for security systems:

  1. Your computer obeys you, and only you;
  2. Your computer protects you from any harm to your data on it;
  3. Your computer destroys all the data on it when it cannot fulfill
    the requirements for rule 1 and 2.

On 1. Your computer obeys you, and only you.

We take this for granted but it is far from reality. In fact, you may
not even be the real boss. If you have an iPhone, you live in the
‘gilded cage’ that Apple has set up for you. They decide what you can
do with your phone. If you have an Amazon Kindle, they may revoke your
license to any ‘books’ you have ‘bought’ and remotely (from their
offices) delete those ‘books’ from your device. Search for ‘Amazon
deletes 1984’.

On 2. Your computer protects you from any harm to your data on it;

Whatever you do with your computer, which website you visit, or what
games and screen savers you might download, these cannot touch your
data, at all.

Each app gets run from a sandbox that prevents it from accessing any
data you have. The app doesn’t get access to the file system, let
alone any hardware, such as the modem to dial numbers or the GPS. It
doesn’t even get access to the website where it was downloaded from.

It cannot list a single phone number on your phone.

If the app needs anything, it can ask your computer for it. If the app
is a screen saver, you tell your computer that it is a screen
saver. Your computer knows it can start it after some idle
period. Your computer gives it a screen buffer to fill and some
cpu-time to do the work and your computer displays the screen buffer
on behalf of the screen saver. This will continue until you press a
button. The screen saver app will be killed and that’s it.

If the screen saver ever tries to access the phone book, your computer
will abort the screen saver with a message to you stating that it
discovered the screen saver in the cookie jar. (Rule 2).

You can start the screen saver again and again (rule 1) but that app
will never get to your phone book. (Rule 2). Of course you have the
option to give your phone book to the screen saver app (Rule 1) but
the consequences are yours, especially if the screen saver then asks
for internet access to CIA.gov or facebook.com.

A screen saver is very simple. It just needs a display buffer and some
cpu-time. It’s a good example to show the rules. Now we expand to a
more complicated app: a photo manipulation app.

A photo manipulation app

Once we’ve learned the basic security requirements for a screen saver
we can make it more complicated. We download an instagram-like-app.

It lets you manipulate an image, either from the phone’s memory or
taken fresh from the camera. When we are finished with our
editing we send it along to someone or some site.

If you want to take a picture to edit, you press the
take-picture button in the app. It asks your computer to take a picture and
deliver it to the app. Your computer starts the camera software, tells
you that the instagram-app asked for it and lets you take a picture
that it delivers to the app. At any time you can abort this operation
(Rule 1). And you are sure that the instagram app only gets the
picture just taken. (Rule 2).

If you wish to edit a previously taken picture, press the button for
that in the app; it will ask your operating system for the
pictures. Your operating system will ask you for some pictures for the
app and delivers only the one(s) you’ve selected to the app. (Rule
1). The app doesn’t even know there might be more photos. It only
knows what you give it. This is called a powerbox in capability design.

To manipulate the picture, the app needs: the picture, screen space to
show you the results, read user input to know what photo manipulations
you want to do. It also needs some storage space to stow the
intermediate and final results. Your computer provides it with
that. (Rule 1).

The storage space is dedicated to the app. Only this app can reach
this storage space and only as long as the app runs. Whenever the app
finishes the storage space is given back to you. And you can select it
next time you run the app. Or you delete it. (Rule 1).

When you are satisfied with the results of your photo-editing it is
time to send the image along. You press the publish-button in the
app. The app asks your computer to publish the image for it. Your
computer asks you where you want to have it published and does so. It
can also ask you to remember these details to automatically publish
any updates you make to the picture at any later date. (Rule 1).
Notice, the instagram app never gets to know to whom you’ve sent the
picture.
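The screen saver and the photo editor described above, as an added toy model that is not part of the original post: an app is a plain function that receives only the capabilities the user granted (Rule 1), and any reach beyond them gets it killed (Rule 2). The `Computer` class, `Sandboxed`, the `powerbox` method and the two sample apps are assumptions made for illustration, not a real operating system interface.

```python
# Added example, not from the original post: toy capability-style mediator.
# Names (Computer, Sandboxed, powerbox, the sample apps) are assumptions.

class Sandboxed(Exception):
    """Raised when an app asks for something it was never given (Rule 2)."""


class Computer:
    """Holds the user's data and hands out only what the user grants (Rule 1)."""

    def __init__(self, phone_book, photos):
        self._phone_book = list(phone_book)   # never reachable from an app
        self._photos = dict(photos)           # name -> image bytes
        self.log = []

    def run(self, name, app, caps):
        """Run `app` with exactly `caps`; abort it on any out-of-bounds access."""
        def ask(key):
            if key not in caps:
                raise Sandboxed(f"{name} caught in the cookie jar: {key}")
            return caps[key]
        try:
            result = app(ask)
            self.log.append(f"{name}: finished")
            return result
        except Sandboxed as exc:
            self.log.append(f"{name}: aborted ({exc})")
            return None

    def powerbox(self, selected):
        """The user picks photos; the app learns only the ones picked."""
        return {n: self._photos[n] for n in selected if n in self._photos}


# Constructed sample apps: each sees nothing but what `ask` hands over.
def screen_saver(ask):
    ask("screen_buffer").append("stars")     # granted: fill the buffer
    return ask("phone_book")                 # never granted -> aborted


def photo_editor(ask):
    pics = ask("photos")
    ask("storage")["edited"] = {n: p[::-1] for n, p in pics.items()}
    return sorted(pics)                      # only the pictures the user picked


pc = Computer(phone_book=["Alice 555-0100"],
              photos={"a.jpg": b"abc", "b.jpg": b"def"})
screen_result = pc.run("screen saver", screen_saver, {"screen_buffer": []})
editor_storage = {}                          # storage dedicated to this app
editor_result = pc.run("photo editor", photo_editor,
                       {"photos": pc.powerbox(["b.jpg"]), "storage": editor_storage})
```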

On 3. Your computer destroys all the data on it when it cannot fulfill
the requirements for rule 1 and 2.

If you ever lose the computer (laptop/tablet/phone) on the train, it
will be found by someone. If it is found by the train employees you
can pick it up at the depot, for a small fee.

If someone else takes it who has no intention of calling the
telephone number you’ve attached to the back, it still obeys rules 1
and 2. It only obeys you and it protects your data. The ‘thief’ won’t
get to control it. Remember the screen saver: your computer requires
your password/pincode and perhaps your image in front of the camera
before it allows access to the content.

As you have synchronised the device with your other devices, these
other ones already have all your latest photo edits. When you discover
the loss of your device, you order it to destroy all data on it. As
soon as the thief lets the device connect to the internet, your device
wipes all the data on it and ceases all operation. It really makes the
theft useless, as all the thief has is a dead device. Only you can
revive the thing from the group of other devices it belonged to.

That’s what I call secure computing.