You just can't secure something like Windows, Linux, MacOS, because it's faulty by design. Any business that claims to be able to do so is selling snake oil.
Capability based operating systems can be made secure. Data diodes are a proven strategy to allow remote monitoring without the possibility of ingress of control. Between those two tools, you have a chance of useable and secure computing in the modern age, even against advanced threats.
Yeah... I feel like Cassandra, but here we are. You've been warned, yet again.
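The protocol consequence of the diode the comment above describes, as an added simulation that is not code from the thread: because nothing can come back from the monitoring side, the sender never sees an ACK or NACK, so loss has to be covered by redundancy rather than retransmission, and the receiver can only detect gaps locally. Assumptions here are mine: frames are seq || crc32 || payload, the channel drops every n-th frame deterministically (real links see random loss and use forward error correction), the receiver keeps the first intact copy of each sequence number, and the sample log lines are constructed.

```python
"""Simulated one-way (data diode) telemetry link. Added example, not code from the thread."""
import struct
import zlib


class DiodeChannel:
    """Frames flow low -> high only. Anything sent the other way is counted and
    dropped, which is the property that makes the link a diode."""

    def __init__(self, drop_every: int):
        self.drop_every = drop_every          # assumption: deterministic periodic loss
        self.sent = 0
        self.delivered = []
        self.blocked_replies = 0

    def low_to_high(self, frame: bytes) -> None:
        lost = self.drop_every and self.sent % self.drop_every == self.drop_every - 1
        self.sent += 1
        if not lost:
            self.delivered.append(frame)

    def high_to_low(self, frame: bytes) -> None:
        self.blocked_replies += 1             # never delivered: no return path exists


def encode_frame(seq: int, payload: bytes) -> bytes:
    """Frame layout (assumed): 4-byte seq, 4-byte crc32 of payload, payload."""
    return struct.pack(">II", seq, zlib.crc32(payload)) + payload


def decode_frame(frame: bytes):
    """Return (seq, payload), or None if the frame is truncated or corrupt."""
    if len(frame) < 8:
        return None
    seq, crc = struct.unpack(">II", frame[:8])
    payload = frame[8:]
    if zlib.crc32(payload) != crc:
        return None
    return seq, payload


def send_lines(chan: DiodeChannel, lines, repeat: int) -> None:
    """Low side: emit every record `repeat` times, since no ACK can ever come back."""
    for seq, line in enumerate(lines):
        frame = encode_frame(seq, line.encode())
        for _ in range(repeat):
            chan.low_to_high(frame)


def receive_lines(chan: DiodeChannel, expected_count: int):
    """High side: dedupe by seq, detect gaps, and (futilely) try to request a resend."""
    got = {}
    for frame in chan.delivered:
        decoded = decode_frame(frame)
        if decoded is None:
            continue                          # corrupt copy; a later duplicate may be intact
        seq, payload = decoded
        got.setdefault(seq, payload.decode())
    missing = sorted(set(range(expected_count)) - set(got))
    for seq in missing:
        chan.high_to_low(b"NACK %d" % seq)    # silently discarded by the diode
    return [got[s] for s in sorted(got)], missing


def run_link(lines, drop_every: int, repeat: int):
    """Returns (lines received in order, missing sequence numbers, blocked reply attempts)."""
    chan = DiodeChannel(drop_every)
    send_lines(chan, lines, repeat)
    received, missing = receive_lines(chan, len(lines))
    return received, missing, chan.blocked_replies


SAMPLE_LOG = [                                # constructed sample telemetry from the low side
    "plc-7 temp=41.2",
    "plc-7 temp=41.5",
    "plc-7 valve=open",
    "plc-7 temp=42.0",
    "plc-7 alarm=none",
    "plc-7 temp=42.3",
]

if __name__ == "__main__":
    print(run_link(SAMPLE_LOG, drop_every=3, repeat=1))   # gaps, and NACKs that go nowhere
    print(run_link(SAMPLE_LOG, drop_every=3, repeat=3))   # redundancy covers the loss
```

With a single copy per record the high side sees sequence numbers 2 and 5 missing and its two NACKs are swallowed by the channel; with three copies every record survives. The gap list is the only feedback available, and it has to be acted on out of band (an alarm on the high side), which is the operational cost of having no ingress.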
This is one of those situations, like with cryptocurrencies or social media, where the old thing had certain problems for pretty fundamental reasons, and the new thing claims it won't have the same problems, but that's just because the new thing is new and hasn't gotten to the point of the problems being discovered yet.
If an operating system can run any program you want, then it can run malware if you want. Windows, Linux and Mac OS are OSes that let you run any program you want. Android and iOS are OSes that restrict which programs you can run. Different techniques end up placing the boundary in different places but they still either limit you from running lots of nonmalware programs or they allow you to run lots of malware.
Operating systems already completely sandbox processes. Then they poke a ton of holes in the airtight hatchway because holes are useful. Suddenly it's not airtight, but at least it's useful. Then someone makes a new OS with a holeless airtight hatchway. In time, it too will discover which holes it needs, and won't be airtight.
Something similar happens with data diodes. A reply mentions punching holes in a data diode by allowing certain limited two-way communication. Fine, but then it's not a data diode. And someone will suggest putting a data diode on one side of your not-data-diode to make it airtight again. And you'll have the problems of a data diode again.
I tend to agree, though the conventional response, I'd guess, also has merit: "secure" isn't binary, and various mitigations deployed on non-capability-based operating systems change the economics of attack/defense and are valuable.
But the main reason I'm responding is to thank you for the TIL about data diodes https://en.wikipedia.org/wiki/Unidirectional_network which seem under-discussed and under-utilized. Only a handful of discussions on HN, the most substantial (only 19 comments) from 10 years ago https://news.ycombinator.com/item?id=10213836 . If I understand correctly, they're only used in very high security environments, but plausibly could be used in many applications that don't really need to be connected for input but could just broadcast, or vice versa (many IoT devices). Thank you, thought provoking!
I agree about data diodes, but how do you handle data egress? One solution is to have strict data checks on egress, but leaks are still possible.
Data diodes also still suffer from the ability to inject malware that can execute DoS attacks.
I agree about capability-based security, but strictly speaking, the capabilities of current OSes are just primitive, i.e. checking file permissions. What capability checks do you mean?
My understanding is that the biggest threat is not capability checking, but capability escalation, i.e. bypassing checks, and hardware hacking, e.g. Spectre/Meltdown-type attacks that can read arbitrary memory.
There is a step up from diodes called [inspecting] data guards and an adjacent technology called content disarm and reconstruct (CDR) that doesn't rely on signatures or heuristics - it just assumes every document is malicious.
Combining these 3 technologies with certain policies, e.g. a 2-man rule, with the hw/sw itself developed on an airgap, you can make it practically impossible to attack, even for nation state adversaries.
Edit to point out that these all work in 2-way configurations as well.
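The CDR idea in the comment above (assume every document is malicious, keep no signatures or heuristics, rebuild the output from parsed content only), as an added example that is not code from the thread or from any CDR product. It is a minimal disarm-and-reconstruct pass for PNG. Assumptions are mine: only 8-bit greyscale/RGB/RGBA non-interlaced images are accepted, the pixel grid is the sole content worth keeping, and everything else in the file (tEXt/iCCP/eXIf/private chunks, stored CRCs, trailing bytes after IEND) is discarded without being inspected. The sample image, the text chunk and the oversized IDAT are constructed for the demonstration.

```python
"""Content disarm and reconstruct (CDR) for PNG. Added example, not code from the thread."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
BPP = {(0, 8): 1, (2, 8): 3, (6, 8): 4}   # (colour type, bit depth) -> bytes per pixel (assumed allow-list)


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one chunk with a freshly computed CRC."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def chunk_types(blob: bytes):
    """Chunk names in file order up to IEND, used to show what survived the rebuild."""
    types, pos = [], len(PNG_SIG)
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        types.append(ctype.decode("ascii", "replace"))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return types


def parse_png(blob: bytes):
    """Strict parse: returns (width, height, colour type, depth, raw scanlines)."""
    if blob[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, ihdr, idat = 8, None, b""
    while True:
        if pos + 8 > len(blob):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        data = blob[pos + 8:pos + 8 + length]
        if len(data) != length:
            raise ValueError("truncated chunk body")
        pos += 12 + length                  # stored CRC is ignored; we recompute on output
        if ctype == b"IHDR":
            ihdr = struct.unpack(">IIBBBBB", data)
        elif ctype == b"IDAT":
            idat += data
        elif ctype == b"IEND":
            break                           # bytes after IEND are never read
        # every other chunk type is dropped without being looked at
    if ihdr is None:
        raise ValueError("missing IHDR")
    w, h, depth, ctype_, comp, filt, interlace = ihdr
    if (ctype_, depth) not in BPP or (comp, filt, interlace) != (0, 0, 0):
        raise ValueError("unsupported image parameters")
    if w == 0 or h == 0 or w * h > 4096 * 4096:
        raise ValueError("unreasonable dimensions")
    stride = 1 + w * BPP[(ctype_, depth)]
    expected = h * stride
    # bounded inflate: a decompression bomb cannot expand past expected + 1 bytes
    raw = zlib.decompressobj().decompress(idat, expected + 1)
    if len(raw) != expected:
        raise ValueError("pixel data length does not match IHDR")
    if any(raw[r * stride] > 4 for r in range(h)):
        raise ValueError("invalid scanline filter byte")
    return w, h, ctype_, depth, raw


def disarm(blob: bytes) -> bytes:
    """Rebuild a clean PNG from the parsed pixel data alone."""
    w, h, ctype_, depth, raw = parse_png(blob)
    ihdr = struct.pack(">IIBBBBB", w, h, depth, ctype_, 0, 0, 0)
    return (PNG_SIG + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", zlib.compress(raw, 9)) + png_chunk(b"IEND", b""))


def is_rejected(blob: bytes) -> bool:
    """True if the input fails strict parsing (the guard drops it instead of passing it)."""
    try:
        disarm(blob)
        return False
    except (ValueError, zlib.error):
        return True


def make_sample() -> bytes:
    """Constructed 2x2 RGB image carrying a text chunk and trailing data after IEND."""
    pixels = bytes([0, 255, 0, 0, 0, 255, 0,          # row 0: filter 0, red, green
                    0, 0, 0, 255, 255, 255, 255])     # row 1: filter 0, blue, white
    ihdr = struct.pack(">IIBBBBB", 2, 2, 8, 2, 0, 0, 0)
    text = png_chunk(b"tEXt", b"Comment\x00<script>alert(1)</script>")
    png = (PNG_SIG + png_chunk(b"IHDR", ihdr) + text
           + png_chunk(b"IDAT", zlib.compress(pixels)) + png_chunk(b"IEND", b""))
    return png + b"PK\x03\x04 appended polyglot payload"    # constructed, not a real archive


def make_bomb() -> bytes:
    """Constructed 2x2 image whose IDAT inflates to far more than four pixels."""
    ihdr = struct.pack(">IIBBBBB", 2, 2, 8, 2, 0, 0, 0)
    return (PNG_SIG + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", zlib.compress(b"\x00" * 1_000_000)) + png_chunk(b"IEND", b""))


if __name__ == "__main__":
    print(chunk_types(make_sample()), "->", chunk_types(disarm(make_sample())))
    print("bomb rejected:", is_rejected(make_bomb()))
```

The point is what the code never does: it never looks for a known-bad pattern in the text chunk or the trailing bytes, it just never copies them. Anything the strict parser cannot account for makes the whole file fail closed, which is the trade-off a guard like this imposes (legitimate but unusual files get dropped too).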
What OSes are you proposing though? You're positing a problem and warning people, but what are the alternative operating systems that implement these data diodes?
Google's in-development (contrary to what people on here will tell you) new operating system Fuchsia actually has what seems to be a genuinely defendable architecture.
Hmm, but this is not really about that; it is more about how companies can be protected. It talks, e.g., about shadow IT workers trying to infiltrate the company.