---
date: '2020-05-07'
subtitle: This is why I meme mnmlsm so much
title: Simplicity (mostly) guarantees security
url: 'simplicity-security'
---

Although it is a very comfy one, it's not just an aesthetic. Simplicity
and minimalism, in technology, are great for security too. I say "mostly"
in the title because human error cannot be discounted, and nothing is
perfect. However, the simpler your tech stack is, the more inherently
secure it is compared to complex monstrosities: less code means fewer
places for bugs to hide, and less to read when you audit it.

Let's look at systemd, for example. It's got over 1.2 million lines of
code. "Hurr durr but LoC doesn't mean anything!" Sure, ok, but can you
*imagine* auditing this? How many times has it even been audited? I
couldn't find any audit reports. No, the developers are not security
engineers, and a trustworthy audit must be done by a third party. What's
scarier is that this thing runs on a huge percentage of the world's
critical infrastructure, as PID 1, and contains privileged core
subsystems (init, journald, logind, udev, networkd, resolved and so on).

"B-but Linux is much bigger!" Indeed, it is, but it has a thousand times
(if not more) the number of eyes looking at the code, and there have
been multiple third-party audits. There are hundreds of independent orgs
and multiple security teams looking at it. That's not the case with
systemd: it's probably just Red Hat.

Compare this to a bunch of shell scripts. Agreed, writing safe shell can
be hard and there are a ton of weird edge cases depending on your shell
implementation (quoting, word splitting, `set -e` semantics, a config
file that gets sourced as code), but the distinction here is that *you*
wrote it. Which means you can identify what went wrong: things are
predictable. systemd, however, is a large black box, and its state at
runtime is largely unprovable and unpredictable. I am certain even the
developers don't know.

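As an added illustration of the kind of shell edge case meant above (this is example code written for this page, not from the post, systemd or sourcehut; the unit-file format, its `Exec=`/`User=` keys and the file paths are made up): a service file that the loader sources is executable code, so whoever can write it can run commands with the loader's privileges, while a loader that reads the same file as data with a fixed set of keys stays predictable and fails loudly on anything it does not expect.

```shell
#!/bin/sh
# Added example for this page, not code from the post, systemd or sourcehut.
# A tiny POSIX sh "unit loader" for a made-up KEY=VALUE service file,
# written two ways. Keys (Exec=, User=), file names and paths are
# hypothetical.
set -eu

# UNSAFE: sourcing the file runs it. Any line that is not a plain
# assignment (a command substitution, a bare command) executes with the
# loader's privileges, so a writable unit file is a command-execution
# primitive. Prints "<Exec> <MARK>" to make an injected line visible.
load_unit_unsafe() {
    . "$1"
    printf '%s %s\n' "$Exec" "${MARK-unset}"
}

# SAFE: treat the file as data. Only blank lines, comments and KEY=VALUE
# lines with a whitelisted key are accepted; anything else is rejected
# with a message naming the offending line, so a malformed or hostile
# file fails loudly instead of doing something.
load_unit_safe() {
    file=$1
    exec_cmd='' user=''
    # read -r keeps backslashes; the || clause handles a missing final newline
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;
            Exec=*)  exec_cmd=${line#Exec=} ;;
            User=*)  user=${line#User=} ;;
            *)       printf 'reject: unexpected line: %s\n' "$line" >&2
                     return 1 ;;
        esac
    done < "$file"
    [ -n "$exec_cmd" ] || { echo 'reject: missing Exec=' >&2; return 1; }
    # User= would later be handed to su/chroot-style tools: allow only a
    # plain account name, no shell metacharacters.
    case $user in
        *[!A-Za-z0-9_-]*) printf 'reject: bad User=%s\n' "$user" >&2; return 1 ;;
    esac
    printf '%s %s\n' "$exec_cmd" "${user:-root}"
}
```

The sourcing version is one line, and that is exactly why it gets written; the parsing version is twenty lines you can read in full and whose every outcome you can enumerate, which is the kind of simplicity the post is arguing for.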
And this is why I whine about complexity so much. A complex,
unpredictable system is nothing more than a large attack surface. Drew
DeVault, head of [sourcehut](https://sourcehut.org), wrote something
similar (yes, that's the link; yes, it has a typo):

https://sourcehut.org/blog/2020-04-20-prioritizing-simplitity/

He manually provisions all sourcehut infrastructure, because tools like
Salt, Kubernetes etc. are just like systemd in our example: large
monstrosities which can get you RCE'd. Don't believe me? See
[this](https://threatpost.com/salt-bugs-full-rce-root-cloud-servers/155383/):
in April 2020 a pair of bugs in the Salt master (an authentication bypass,
CVE-2020-11651, and a directory traversal, CVE-2020-11652) let
unauthenticated attackers run commands as root on every minion it
managed, and they were being exploited in the wild within days of
disclosure.

*This was day 3 of the \#100DaysToOffload challenge. It came out like a
systemd-hate post, but really, I couldn't think of a better example.*