Attack Surface

This word has always troubled me with it’s meaning. I have struggled to understand what it meant in real terms. In computer security, it means the lines of code that the attacker can read to find a mistake. It is the trusted (not trustworthy) code that should be minimized to stay secure.

Most people who are concerned about computer security today use linux-kernels which has about 27.8 million lines of code. Yes, that’s right. 27,800,000 lines. And that’s just the kernel! If we consider an Operating System like Qubes OS, which trusts Xen hypervisor and not Linux kernel, which has about 0.15 million lines of code. That’s still 150,000 lines. Tons and tons of bugs should exist in them.

If we still move to an OS which is reasonably easy to install like FreeBSD, it has about 9 million lines of code. OpenBSD contains about 3 million lines of code. BSDs still have way lower attack surface than linux which shows how much better their quality is but they too have some bugs.

Let us pull back. In such gigantic amounts of C code, how can an average person like me or you verify that some thing or data is secure. [Say I send hello to you on cli based tox client, how do I know for sure that only me and you can read this hello and no one else can.].

Here is how the solution may look like:

  1. Choose hardware which supports 100% free software. (Since you cannot trust binary blobs).
  2. Choose an OS which has a small kernel and other minimal software that you need. (Qubes is the only one I can see here today)
  3. Do not trust the developer of that OS. Read the code and verify that there are no bugs.
  4. How do I know that the binary made has no tampering and the code which I read has been compiled.(Now comes the worst part.)

  5. Choose a small compiler. It typically should be a C compiler because Oses are written in C. (I know none which is small.)
  6. Read the code and verify there are no bugs.
  7. Choose a small communication software (preferably written in C as you would have to read code of another compiler if it were written in different language).
  8. Read code and verify there are no bugs.
  9. Encrypt with a good encryption scheme and send the message not trusting the sender.

Above 8 steps are still the easy part when you compare it to convincing the person on the other end to follow a similar method. If you cannot convince the person on other end, your message will be leaked through that end.

How can defensive security even work in such scenario?! If I am a powerful person in a country like a Supreme Court Judge or Prime Minister, I would certainly need secure communication but how could I implement it?!

It troubles me that such a thing is too difficult in today’s world where everyone trusts mobiles and computers with the most sensitive of their secrets.

Joanna Rutkowska, founder of Qubes OS has a status on one of her public pages that “We do not trust computer systems.” which is such a harsh reality.

Can we really trust computers, ever! With today’s code bases of millions of lines in gcc and linux and kde and many more, I say fuck no! (Obviously we won’t talk about blobs here)

There are a few characteristics which I think a software must have to be secure:

  1. Small compilation toolchain.
  2. Small software size.
  3. Free (as in Freedom) Software
  4. Open Source Hardware.

1st one is very difficult in my view but maybe 1 day, it will be available everywhere. Till then, do not trust computers!

Sagar Acharya [11th March 2021]