Posted by: stak
Posted on: 2007-11-19 19:56:25
I was reading Dan Bernstein's paper on security in qmail (via Bruce Schneier's blog), and his comments on single-source transformations (section 5.2) got me thinking. What he describes is a way (in *NIX) to isolate a program in a sandbox so that it can't do anything other than what it's supposed to. That means that the rest of the system is protected from any bugs in the program.
I was thinking about this, and it occurred to me that all OSs should do this by default. Programs shouldn't be able to open arbitrary files on the disk; there's no real reason to allow it. Programs usually only need to be able to access three kinds of files: (1) input files that are being processed by the program, (2) output files that the result is written to, and (3) settings/configuration files that the program has.
The third category is easiest to deal with: the OS should provide an API to load and store configuration data. Most OSs do this in some way, but usually through files. Instead, the OS should just provide get/set methods for a binary blob (or perhaps key-value pairs) to store per-program configuration data. It would be opaque to the OS, and therefore the OS would not be vulnerable to bad configuration data.
The first and second categories (input and output files) should be provided to the program only after permission is given from the user. In the vast majority of cases, the "Open File..." and "Save File..." dialogs could be used to implicitly obtain permission. The OS would be responsible for opening the file input/output streams and handing them to the program; the program wouldn't be able to arbitrarily open an input/output stream to a file.
There are some programs for which the above is not enough; mostly programs that do batch processing of stuff for which it would be tedious to manually approve every input/output file. In these cases, there could be some way for the user to batch-approve access to files (e.g. "VLC" can read all files matching "My Pirated Content/*.divx").
With current systems, one of the fundamental underlying principles is that a program run by user X should be allowed to do anything that user X can do, unless stated otherwise. I see no reason why this principle should be upheld. Programs having a lower privilege level than the user, such as described above, would probably go a long way towards preventing accidental and malicious data corruption.
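The following is an added example (not from the post, and not qmail's code) that sketches the model described above on a Unix-like system in Python: a broker holds the user's approvals, opens files on the program's behalf and passes only the resulting descriptors to a separate worker process over a Unix socket (SCM_RIGHTS); the worker never opens a path itself, and a request for an unapproved file gets no descriptor. The `Broker` class, the `mode\0path` wire format, the approval list and the temporary files are all constructed for this example. It does not show the enforcement step the post assumes from the OS (a worker that actually cannot call open(), e.g. via a seccomp filter or a separate unprivileged user); it shows only the brokering and the approval check.

```python
"""Added example: a file-access broker in the style the post describes.
Requires Python 3.9+ on a Unix-like OS (socket.send_fds / recv_fds)."""
import fnmatch
import os
import socket
import tempfile


class Broker:
    """User-granted approvals as (pattern, mode) pairs, mode 'r' or 'w'.
    A pattern is an absolute path whose basename may hold shell wildcards
    (the batch-approval case, e.g. ".../My Pirated Content/*.divx")."""

    def __init__(self, approvals):
        self.approvals = [(os.path.realpath(p), m) for p, m in approvals]

    def is_approved(self, path, mode):
        # Resolve symlinks and '..' so the check runs on the real target.
        real = os.path.realpath(path)
        for pattern, allowed_mode in self.approvals:
            if (mode == allowed_mode
                    and os.path.dirname(real) == os.path.dirname(pattern)
                    and fnmatch.fnmatch(os.path.basename(real),
                                        os.path.basename(pattern))):
                return True
        return False

    def open_for(self, path, mode):
        """Open on the worker's behalf; the worker only ever sees the fd."""
        if not self.is_approved(path, mode):
            raise PermissionError(path)
        if mode == "r":
            return os.open(path, os.O_RDONLY)
        return os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o644)


def serve(chan, broker):
    """Broker side: answer 'mode\\0path' requests until the worker hangs up."""
    log = []
    while True:
        data = chan.recv(4096)
        if not data:
            return log
        mode, path = data.decode().split("\0", 1)
        try:
            fd = broker.open_for(path, mode)
        except PermissionError:
            log.append(("deny", path))
            chan.send(b"DENIED")
            continue
        socket.send_fds(chan, [b"OK"], [fd])  # descriptor travels as SCM_RIGHTS
        os.close(fd)                          # the worker now holds its own copy
        log.append(("grant", path))


def request_fd(chan, mode, path):
    """Worker side: a descriptor, or None when the broker refuses."""
    chan.send(f"{mode}\0{path}".encode())
    data, fds, _, _ = socket.recv_fds(chan, 64, 1)
    return fds[0] if data == b"OK" and fds else None


def worker_main(chan, in_path, out_path, secret_path):
    """The sandboxed program: one approved input, one approved output,
    plus an attempt on a file the user never approved."""
    in_fd = request_fd(chan, "r", in_path)
    out_fd = request_fd(chan, "w", out_path)
    secret_fd = request_fd(chan, "r", secret_path)
    with os.fdopen(in_fd) as src, os.fdopen(out_fd, "w") as dst:
        dst.write(src.read().upper() + "\n")
        dst.write(f"secret readable: {secret_fd is not None}\n")
    chan.close()


def run_demo():
    """Constructed scenario in a temp dir. Returns (output text, broker log,
    worker exit code)."""
    root = os.path.realpath(tempfile.mkdtemp())
    in_path = os.path.join(root, "job.txt")
    out_path = os.path.join(root, "job.out")
    secret_path = os.path.join(root, "secret.key")
    with open(in_path, "w") as f:
        f.write("hello sandbox")
    with open(secret_path, "w") as f:
        f.write("not for the worker")
    # What the user approved via the Open/Save dialogs or batch approval.
    broker = Broker([(os.path.join(root, "*.txt"), "r"), (out_path, "w")])
    broker_end, worker_end = socket.socketpair()
    pid = os.fork()
    if pid == 0:  # worker process
        broker_end.close()
        try:
            worker_main(worker_end, in_path, out_path, secret_path)
            os._exit(0)
        except BaseException:
            os._exit(1)
    worker_end.close()
    log = serve(broker_end, broker)
    broker_end.close()
    _, status = os.waitpid(pid, 0)
    with open(out_path) as f:
        return f.read(), log, os.waitstatus_to_exitcode(status)
```

Running `run_demo()` yields the upper-cased input in `job.out`, a line confirming the secret was not readable, and a broker log of two grants and one denial. The broker resolves paths with `realpath` before matching, so a `..` or symlink in the request is judged by where it actually lands, which is the check a practitioner would want in front of any wildcard approval.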
(c) Kartikaya Gupta, 2004-2024. User comments owned by their respective posters. All rights reserved.