The most widely deployed mobile virtualization solution
The FAQ of a competitor (who uses "secure" in every other sentence) has been a source of amusement before. It provides another gem, also in the section that discusses the security of their product:
"... hypervisor is small, and written in assembly language. [...] As an assembly coded product it is also much more difficult for hackers to decipher than C-coded products."
Isn't it hilarious?
Note that they don't publish their source code, so the hacker presumably only has access to the binary code. The only relevant difference between binary code produced by a C compiler, and that produced by an assembler from hand-written assembly code, is that the latter tends to be much less structured. So I'm not really sure what they want to tell us there, but the only way I can interpret it is that there is an implication that spaghetti assembler is more secure than C code. Whoa!
This is a classical "security by obscurity" argument if I've ever seen one. And, of course, security by obscurity is a violation of the time-honoured Kerckhoffs' law, which states that a system should be designed to be secure if everything is known about it except the actual encryption keys.
Given their apparent belief in security by obscurity, it makes complete sense that this competitor is hiding even their "technical overview" and "architecture documentation and user manuals" behind NDAs. OK Labs, on the other hand, publishes all docs and the source code. Whom would you trust?
Anyone who believes in security by obscurity clearly doesn't believe that their system is secure. Obscurity may sometimes provide an appearance of security, but no actual security.
Obscurity is a poor substitute for security!
Posted by Gernot Heiser on August 31 at 07:24 PM
About Gernot Heiser:
Gernot Heiser, Co-founder and Consulting Scientist, never thought he would be in the business world. Prior to NICTA's creation in 2003, Dr Heiser was a full-time faculty member at the University of New South Wales. However, this die-hard academic couldn’t pass up the opportunity to see the commercialization of this research. Gernot still loves teaching, almost as much as he loves good wine and good food. And anyone will tell you that Gernot knows his wine.