Date: Wed, 29 Oct 2003 01:06:19 +0200
From: Timo Sirainen <tss@iki.fi>
To: Johnson David <DavidJohnson@Siemens.com>
Cc: advocacy@freebsd.org
Subject: Re: Friendly and Secure Desktop Operating System
Message-ID: <1067382379.15032.192.camel@hurina>
In-Reply-To: <200310281356.37268.DavidJohnson@Siemens.com>
References: <200310281533.26611.dgw@liwest.at> <200310281129.10669.DavidJohnson@Siemens.com> <1067374359.15026.126.camel@hurina> <200310281356.37268.DavidJohnson@Siemens.com>
On Tue, 2003-10-28 at 23:56, Johnson David wrote:
> > Of course it's better to try to prevent them, but I don't think it's
> > really possible without getting in the way of the user.
>
> All security gets in the way of the user.

No it doesn't. I've given a few examples already (open/save service especially) and there are a few more examples below. If you accept that it doesn't need to, my ideas would make more sense to you.

> The trick is to balance the inconvenience of the user with the security
> of the system. That means you can't have a perfectly secure system
> which will be usable. You have to make some tradeoffs. It's hard deciding
> what to give up.

Sure, there have to be some tradeoffs, but I think it's possible to make a desktop system which works securely _for most people_ without any user inconvenience 99% (or more) of the time. That's what I'd like to get people to believe in. The web page gives some ideas and examples of why I believe it's possible, but if they're not enough to convince you, the purpose of the page has failed and none of the few ideas really matter. Once you believe that such a system would be possible, it's just a matter of thinking through all the details. Do you have any specific reasons to believe why it would not be possible?

> > Operating system MUST prevent malicious software from:
> >
> > - Modifying or erasing sensitive data
> > - Transferring sensitive data out of your system
> > - Affecting other software in any way
>
> How do you know it's "malicious" software?

All software by default is potentially malicious and the OS should treat it as such.

> Is the software writing to the
> first sector of a drive malicious, or merely a utility being run by the
> administrator to prepare a partition for dual boot?

When installing the software, it would request access to the raw hard disk device. Yes, that's an inconvenience to a user who wants to do it. Does such a user belong to the "most of the users" category? No.

How often would you install such software and be required to answer the privilege request? A few times at most. I'm sure you can think of several peculiar pieces of software requiring extra privileges, but can you think of a single such piece of software that's actually used by a considerable percentage of people? Networking is the only problematic area I can think of.

> > > Here's another: "Word Processors... No privileges needed." Those
> > > who ignore the lessons of history are doomed to repeat them.
> >
> > Oh? What privileges does it need then? My idea of a word processor is
> > that it should be able to read and write document files with it,
> > nothing else. I already described the open/save file service for
> > that.
>
> I was thinking of two things. First, a whole slew of MSWord exploits.

A word processor could run each document in a separate protected process. Macro worms and such wouldn't be possible since the worm could affect only the document itself. Anyway, that's not an extra privilege. Even given a word processor not capable of that, exploits couldn't touch more than the files that are already opened. That's considerably better security than currently, available to you with no tradeoffs between security and ease of use.

> Second, an observation made by JZW (I think) that says all software
> expands until it eventually becomes a mail client.

Well, the mail client was the only one in my list that actually required some privileges. Anyway, I don't think this is a very good point. One piece of software doesn't have to do everything. It can ask other software to do things if it really wants to and still be secure. For example, if a word processor wants to have "send this document as email" functionality, it can just as well prepare the mail and ask the primary e-mail client to send it (which would pop up the mail compose window asking for the destination address - again security without user inconvenience).

I'm not saying that it would be possible to run all existing software securely with such an OS, just that it would be possible to design such an OS and quite easily create software which would run securely without bothering the user with security stuff, and such software could quite easily be created by modifying existing software.

> Implicitly trusting
> a class of applications just because they are word processors is
> dangerous.

Right, that's what I've been saying all along. Don't trust any application - make it possible to run them securely without bothering the user about it unless absolutely needed.
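The model argued for in the message above (install-time privilege requests, an OS-owned open/save service, one protected process per document), as an added toy simulation that is not code from the original thread or from any real OS; the `DesktopOS`, `Process` and `approve` names and the sample file contents are constructed for illustration:

```python
from dataclasses import dataclass, field

@dataclass
class Process:
    name: str
    privileges: frozenset                    # install-time grants, e.g. {"raw_disk"}
    files: set = field(default_factory=set)  # file capabilities this process holds now

class DesktopOS:
    """Toy kernel: every access is checked against what the process was given."""
    def __init__(self, approve):
        self.approve = approve  # hypothetical install-time prompt: (app, priv) -> bool
        self.disk = {}          # constructed sample filesystem: path -> contents
    def install(self, app, requested):
        # privileges are requested once, at install time; the user decides each one
        return frozenset(p for p in requested if self.approve(app, p))

    def spawn_for_document(self, app, privileges, path):
        # each document runs in its own process that starts with only that file
        return Process(app, privileges, {path})

    def open_save_service(self, proc, path):
        # OS-owned file dialog: the user's own pick is the only way to gain a file
        proc.files.add(path)

    def write(self, proc, path, data):
        if path not in proc.files:
            raise PermissionError(f"{proc.name} holds no capability for {path}")
        self.disk[path] = data
    def raw_disk_write(self, proc, sector, data):
        if "raw_disk" not in proc.privileges:
            raise PermissionError(f"{proc.name} was not granted raw_disk at install")
        self.disk[f"sector:{sector}"] = data

def macro_worm_is_contained():
    """A macro in report.doc tries to infect letter.doc and the boot sector."""
    os_ = DesktopOS(approve=lambda app, priv: False)         # user declines everything
    os_.disk = {"report.doc": "text", "letter.doc": "text"}  # constructed sample data
    proc = os_.spawn_for_document("wordproc", os_.install("wordproc", set()), "report.doc")
    os_.write(proc, "report.doc", "text+worm")               # its own document: allowed
    blocked = 0
    for attempt in (lambda: os_.write(proc, "letter.doc", "worm"),
                    lambda: os_.raw_disk_write(proc, 0, "worm")):
        try:
            attempt()
        except PermissionError:
            blocked += 1
    os_.open_save_service(proc, "letter.doc")  # only after the user picks it in the dialog...
    os_.write(proc, "letter.doc", "edited")    # ...does a write to letter.doc succeed
    return blocked == 2 and os_.disk["letter.doc"] == "edited"
```

The word processor never asks for a privilege and still edits whatever the user picks, while the rare partition tool is the only one that has to answer a `raw_disk` prompt, and only once, at install.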