pages/blog/simplicity-security.md (view raw)
1---
2template:
3slug: simplicity-security
4title: Simplicity (mostly) guarantees security
5subtitle: This is why I meme mnmlsm so much
6date: 2020-05-07
7---
8
9Although it is a very comfy one, it's not just an aesthetic. Simplicity
10and minimalism, in technology, is great for security too. I say "mostly"
11in the title because human error cannot be discounted, and nothing is
12perfect. However, the simpler your tech stack is, it is inherentely more
13secure than complex monstrosities.
14
15Let's look at systemd, for example. It's got over 1.2 million
16lines of code. "Hurr durr but LoC doesn't mean anything!" Sure ok, but
17can you _imagine_ auditing this? How many times has it even been
18audited? I couldn't find any audit reports. No, the developers are not
19security engineers and a trustworthy audit must be done by
20a third-party. What's scarier, is this thing runs on a huge percentage
21of the world's critical infrastructure and contains privileged core
22subsystems.
23
24"B-but Linux is much bigger!" Indeed, it is, but it has a thousand times
25(if not more) the number of eyes looking at the code, and there have been
26multiple third-party audits. There are hundreds of independent orgs and
27multiple security teams looking at it. That's not the case with
28systemd -- it's probably just RedHat.
29
30Compare this to a bunch of shell scripts. Agreed, writing safe shell can
31be hard and there are a ton of weird edge-cases depending on your shell
32implementation, but the distinction here is _you_ wrote it. Which means,
33you can identify what went wrong -- things are predictable.
34systemd, however, is a large blackbox, and its state at runtime is largely
35unprovable and unpredictable. I am certain even the developers don't
36know.
37
38And this is why I whine about complexity so much. A complex,
39unpredictable system is nothing more than a large attack surface. Drew
40DeVault, head of [sourcehut](https://sourcehut.org) wrote something
41similar (yes that's the link, yes it has a typo).:
42
43https://sourcehut.org/blog/2020-04-20-prioritizing-simplitity/
44
45He manually provisions all
46sourcehut infrastructure, because tools like Salt, Kubernetes etc. are
47just like systemd in our example -- large monstrosities which can get you
48RCE'd. Don't believe me? See
49[this](https://threatpost.com/salt-bugs-full-rce-root-cloud-servers/155383/).
50
51*This was day 3 of the #100DaysToOffload challenge. It came out like
52a systemd-hate post, but really, I couldn't think of a better example.*