The perfect attack against your security?

Munir Kotadia at ZDNet has an article, based on an interview with Patrick Runald (F-Secure), which describes what they term the "perfect attack". The article basically says:

A socially engineered e-mail, which contains a trojan file that exploits a zero-day vulnerability and then hides behind a rootkit, might be the perfect attack and impossible to defend against.

The emphasis is on the situation where opening the infected attachment is socially engineered, e.g. it may be part of your job to open attached documents. No solutions were suggested; the primary (and sound) advice given was simply to ensure your system is regularly patched and updated.

However, there are other security models under which the effectiveness of this type of attack can be restricted. Suppose, to use an example similar to theirs, that the flaw is in the PDF viewer you use to read CVs. You view a maliciously crafted PDF and, under the proposed scenario, a zero-day vulnerability in the viewer leads to a rootkit being installed. But what if the PDF viewer were only permitted the resources and system access it needs to do its job (i.e. the resources required to view PDFs)? The operations necessary to install a rootkit are well outside the normal things a PDF viewer needs to do. If the viewer's use of system resources and access is restricted in this way, then the consequences of a flaw in the viewer are significantly limited. This type of security, where programs are only permitted the resources and access they need for their tasks, is part of Mandatory Access Control (MAC).

Clearly, the attack will still work if there is a flaw in the MAC system and a flaw in the program that allows the MAC flaw to be exploited. An important property of a MAC implementation is that it is entirely separate from the programs it confines: it is the MAC system that prevents access to resources, not the program itself. This provides, in effect, a double layer of protection (two coordinated flaws are required). A nice example of the usefulness of MAC arrived in my security inbox as I was writing this. A flaw in the Apache web server which allows it to be coerced into sending termination signals to other processes (CVE-2007-3304) can lead to denial of service. A system running SELinux (an implementation of MAC on Linux) with the default policy is not vulnerable to this.
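The confinement argued for above, and the signal-sending flaw in the last paragraph, modelled as an added example (not code from the post, F-Secure or the SELinux project): a toy type-enforcement monitor in Python, with constructed domain and type names that mirror SELinux naming. It shows the two properties the post relies on, default deny decided outside the program, and a policy that refuses to load if it contradicts its own neverallow assertions.

```python
# Toy model of SELinux-style type enforcement. Added example for this post,
# not code from F-Secure, ZDNet or the SELinux project. Domain and type
# names are constructed to mirror SELinux naming; no real policy is loaded.
from dataclasses import dataclass, field

@dataclass
class Policy:
    allow: set = field(default_factory=set)       # (src, tgt, class, perm)
    neverallow: set = field(default_factory=set)  # assertions, checked on build

    def rule(self, src, tgt, cls, perms):         # allow src tgt:cls { perms };
        self.allow.update((src, tgt, cls, p) for p in perms.split())
        return self

    def forbid(self, src, tgt, cls, perms):       # neverallow src tgt:cls {...};
        self.neverallow.update((src, tgt, cls, p) for p in perms.split())
        return self

    def check(self):
        # A policy that contradicts its own assertions must not load at all.
        clash = self.allow & self.neverallow
        if clash:
            raise ValueError(f"neverallow violated: {sorted(clash)}")
        return self

    def decide(self, src, tgt, cls, perm):
        # Default deny, decided by the monitor: the (possibly exploited)
        # program's own wishes never enter into it.
        return (src, tgt, cls, perm) in self.allow

def build_policy():
    p = Policy()
    # Everything a PDF viewer needs to show a CV: read documents and fonts.
    p.rule("pdfviewer_t", "user_home_t", "file", "read getattr open")
    p.rule("pdfviewer_t", "fonts_t", "file", "read getattr open")
    # What a rootkit installer needs and a viewer never does.
    p.forbid("pdfviewer_t", "modules_object_t", "file", "write create")
    p.forbid("pdfviewer_t", "pdfviewer_t", "capability", "sys_module")
    # The CVE-2007-3304 shape: httpd may signal its own domain, nothing else.
    p.rule("httpd_t", "httpd_t", "process", "signal sigkill")
    p.forbid("httpd_t", "sshd_t", "process", "signal sigkill")
    return p.check()

def scenario(p):
    # Decisions for the two attacks in the post, as the monitor sees them.
    return {
        "viewer_reads_cv": p.decide("pdfviewer_t", "user_home_t", "file", "read"),
        "viewer_writes_module": p.decide("pdfviewer_t", "modules_object_t", "file", "write"),
        "viewer_loads_module": p.decide("pdfviewer_t", "pdfviewer_t", "capability", "sys_module"),
        "httpd_kills_sshd": p.decide("httpd_t", "sshd_t", "process", "sigkill"),
    }
```

Only `viewer_reads_cv` is allowed; the exploit may still run inside the viewer, but each step towards a rootkit, and httpd's signal to another domain, is refused by the monitor rather than by the program.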