Solving The End User Problem

Tuesday, July 19, 2011

Kevin McAleavey


Note: This is the last of a multipart series on the history of the antivirus and security industry by a long-time insider (Part One)(Part Two)(Part Three)(Part 4)(Part 5). So far we've explored how antivirus and antimalware technology works, and why a 1980's solution is no longer applicable to the current threat landscape. In this final article, we will conclude with solutions and recommendations on where we might all go next, as well as a word from our sponsor.

And no, remote electrocution or explosives are not an option.

In my previous five articles, we've explored how client security has gone horribly wrong at the hands of bad designs, poor choices, and the cover of marketing.

In order to provide ever more conveniences for the end user, we've literally removed the doors, windows, burglar alarms and the police in the face of a changing threatscape.

While things may seem desperate, there are solutions that have helped, but still don't solve the problem. I've given up on Windows as the vehicle that will get us there though, at least until the day that RFC 3514 is finally implemented. (grin)

First off, I'd like to commend Microsoft for FINALLY taking security a bit more seriously than in the past. They're finally fixing some very bad practices, particularly insecure code which permits buffer overflows, and mitigating some other built-in weaknesses that have been exploited.

Their "Microsoft Security Essentials" (MSE) is off to a good start, although it has started to falter lately with the same problems that plague all antivirus solutions - namely too much malware and not enough resources to keep up with it all.

But still, a step in the right direction. In addition, they've tightened permissions and access controls which makes it more difficult for malware to gain a foothold in their latest versions. Separating out system functions into a separate "desktop" from the one the end user lives in also helps.

They need to be encouraged to continue unwinding their "integration" and some day, Windows might be more secure. Particularly if they fix the major issues mentioned in my previous article about "Best Windows Ever".

One of the more useful tools for Windows clients was a product from Microsoft called "Steady State." It allowed a system to be "snapshotted" and in the event of malware intrusion, a reboot would restore the client to its previous snapshot.

But like most good ideas, Microsoft discontinued it this past June, and never did manage to come up with a working 64 bit version of it. If anyone had the wherewithal to do this right though, it would have been Microsoft.

Fortunately, a similar replacement is available from a company called "Returnil" called "System Safe", and there's also "Deep Freeze" and "Time Freeze" which offer similar capabilities. The concept of an image which an end user in trouble can restore quickly by the simple act of rebooting is a workable one, even though damage can be done between the infection and the moment the user notices a problem and actually performs the reboot.

Forward into the past! Many companies are deploying "remote desktop" solutions similar to the old Unix X Window client solutions, where a simple computer is provided running RDP or PCoIP solutions such as VMware's "VMware View", which is an expensive solution, but at least virtualizes the problems inherent in Windows for clients. Other vendors are also in this space. "Cloud computing" offers a similar environment with similar issues.

The unfortunate thing about these solutions, however, is that the client computer is still running Windows, and there's the problem. The end user is still going to get infected and then connect to your network, because these solutions don't offer much protection between reboots.

At least with "remote desktop" solutions, it's a bit more difficult to infect the user programs on the server side of the connection, but even that won't stop "pollution" of the kernel on the client machine with bots and rootkits and keyloggers. But it's at least something.

One of the other attractive solutions lately involves using a Linux LiveCD. This eliminates the "Windows" issues fairly well and heightens the degree of security considerably. But there are a few downsides here as well.

There are numerous Linux solutions, and LiveCDs serve primarily as a demonstration of a particular distribution; the end user has to actually install the Linux distribution onto their hard drive in order to make functional use of the product. Linux also requires that the end user then configure it properly for their use, and here the same problems crop up as with users "adjusting" Windows.

Linux has been around for a very long time now and while it's comfortable for most administrators, it's proven over the years to be difficult for most end users and is considered far too complicated for them to use.

Like any other operating system installed directly to a hard disk, there is no real way to prevent modification or inadvertent damage to the installation, requiring as much help desk support as Windows, if not more, owing to its high degree of complexity for "non-savvy" end users.

I've personally blown up more Linux installs than I can count. But it's pretty much the only viable option in the marketplace for replacing Windows on the desktop until now.


As a software engineer specializing in hardware, kernel and security design it became obvious to me back in 2006 that the war on malware was being lost. And at that time, the criminal enterprises we face today had only begun to displace the kids and pranksters and now represent a far more formidable foe. It was pretty obvious that things were not going to get any better unless an entirely different approach to malware was taken.

I designed a toolkit and facility which would allow us to build fully customized, complete, BSD-based "client computers" to the exact specifications of corporate IT departments and end users specific to their individual requirements for bulk distribution. This became "The KNOS Project."

KNOS represents a clean break from competitive operating system designs with ease of use, a familiar interface, and a truly complete suite of applications deliverable on a bootable DVD, USB stick, or even as an OEM installation onto "hard drives" with absolute security and protection against threats including "the end user."

I like to think of it as delivering a Windows equivalent with the reliability of a Mac with the philosophy of "it just works." You just boot up and no drama for anyone. No security popups, no annoyances, no help desk, just use your machine and get things done. Isn't that what all desktop users wanted to begin with?

In our revolutionary design, starting with the FreeBSD kernel, we build the kernel only with what is required for it to run as a desktop environment in a particular end user situation. There are no debug hooks to exploit, no servers listening other than those handling security at the kernel level, and no exploitable modules presented to the outside.

In addition, userland and kerneland are completely separate owing to unique features of the BSD architecture. Windows malware won't work, and Linux or OSX malware won't either. Thus if an end user were to receive a malicious file, it can't do anything in KNOS. And BSD has an exemplary record of absolute security.

Of course, the first question any rational security person would have is "but what happens when they write malware for KNOS?" I'd wish them the best of luck and that's based on my background in security and malware. The effort that I once put into antimalware was at the core of KNOS' design.

From the security standpoint, we're not just another "read only medium"; we've taken it far beyond that, which is the reason why KNOS can be installed on writeable media as well with only the most minimal reduction in that "absolute" security. And we hedged our bets heavily there too.

KNOS runs entirely in memory. It cannot be written to, and it cannot be modified either. The end user cannot install or modify any part of the operating system or its installed, APPROVED software. Every application in KNOS has been vetted and approved by BSD, and then again by us with full auditing of the code of each application. When KNOS is turned off, anything which occurred while it was running is gone, no matter what.

Applications within KNOS are virtualized and fully locked down as well, with fixed configurations determined at build time. And while end users can reconfigure and customize their applications, those changes are not retained across a reboot either, unless they choose to have KNOS back up their application settings to an external device using only text-based, non-executable configuration files which can be restored after the next boot.

KNOS can also be customized to interact with on-site and remote servers as well as cloud-based systems securely which can allow users to store and retrieve configuration information there as well as their work documents and files.

KNOS will even allow them to read from an existing hard disk on their machine but will not allow them or anything else to be able to write to it. This permits users to retrieve documents and work on them, save them to other media and keep the existing Windows on their hard disk completely untouched and secure.

Among the many customizations possible for a KNOS build, we can provide thin clients for cloud computing; custom kiosk designs; test, recovery and analysis versions for computer technicians; as well as full office suites and more. KNOS can be built for antivirus companies to seek and clean the most difficult rootkits. Because KNOS is designed to be customized, it can be built for any specific end user environment required, with any applications or tools desired.

We also have a generic public version, the outcome of our last round of beta testing, which is quite complete and useful, available now at a price of $35.00 for a single copy with one year of subscription updates. Perhaps the single biggest benefit to KNOS on desktops is the major reduction in licensing costs for all those applications the end user needs, on top of the cost of the OS itself. A substantial savings!

KNOS was designed from the start with Grandma, Uncle Todd and Aunt Tilly in mind throughout. Our "prefab end user version" comes complete with OpenOffice, Firefox as well as the Epiphany HTML5 browser, GIMP, Inkscape vector graphics, chat and torrent clients, Skype and SIP telephony, and a full-featured video editor, along with full multimedia support including players, all built in.

KNOS is intuitive in its user-oriented design and is as familiar to users as Windows, with no learning curve required and no configuration or installation on their part. Simply boot it up and go.

If your "house" would like us to build a custom version for your specific needs, we can do that too and it can be custom branded as well. A free limited demo of KNOS is available for download to permit checking for hardware compatibility. I invite everyone to drop by our site to learn more about our revolutionary solution to end client security. It's quite versatile. And approved by Uncle Todd.

About the author: Kevin McAleavey is the architect of the KNOS secure operating system ( ) and has been in antimalware research and security product development since 1996.

Vulcan Mindm3ld Excellent. This whole series has been very interesting.
Kevin McAleavey Thanks!

It upsets me to no end seeing a situation that many of us saw brewing a decade ago continuing to spiral completely out of control. Even worse seeing how much time, money and work is consumed in cleaning up messes instead of providing our operations with better services.
Priyanka Sharma I think this is one of the most informative and useful series I have ever come across in recent times. This also explains why our AV industry needs to change its vision and perspective towards malware.