Full Disclosure mailing list archives

Re: Friendly and secure desktop operating system


From: Timo Sirainen <tss () iki fi>
Date: Tue, 14 Oct 2003 06:21:48 +0300

On Tue, 2003-10-14 at 05:41, Valdis.Kletnieks () vt edu wrote:
>> classifying software simply to "trusted" and "untrusted" isn't enough. I
>> don't want my "trusted" web browser accessing files in my home directory
>> (due to security holes in it) unless I specifically tell it to upload or
>> download them.
>
> About the only way to do this is to use an OpenSSH-style privsep, where the main
> browser runs in ONE compartment, and file up/downloads are handled via a temp
> directory/whatever and a separate entity that copies the stuff from temp to home.
> And even then you can't do a good job of keeping the main browser from lying to
> the helper if the main browser is subverted....

You're thinking about how to do it currently in the UNIX world. I'm thinking
about adding new concepts at the kernel level. systrace would be much
closer to it than chroot jails.

But yes, privilege separation is the main point. Preferably each web
page would run in its own process so any security holes in rendering
couldn't affect other currently opened web pages. A web page process would
have access equivalent to Java applets - it could mostly just write to
a limited area in a window and connect to the host where it was loaded
from.

What is missing from systrace and others is the ability for processes to
pass some of their existing privileges to other processes and the ability to
drop privileges completely. For example I should be able to make a
process that can access only files inside the ~/.temp/1/ directory. That
process should be able to make another process that can access files
only inside the ~/.temp/1/2/ directory. Process 1 should be able to grant
existing process 2 access to other files inside ~/.temp/1/ as well.

The file upload would then be done something like:

- You have a File Open/Save service process that has access to all files
in your filesystem. This really needs to be free of security holes. It
would also be responsible for showing the open/save dialogs on screen.

- Web browser's Upload function makes an IPC call to File Open/Save
services process.

- Open file service process shows the Open dialog and lets the user select
the file(s) he wishes to upload.

- Open file service process sends read-only file descriptor(s) to web
browser process of the selected files via IPC (or maybe it just grants
open() syscall access to the file).

- Web browser uploads the files, closes the file descriptors and no
longer has access to them.

Downloading would work pretty much the same.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
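
The upload flow described in the message above, sketched with Unix descriptor passing (SCM_RIGHTS over a socketpair) as an added example; it is not code from the original post. The function names and the sample file are constructed, the Open dialog is replaced by a fixed path, and the browser process is assumed to be confined by some other mechanism (Python 3.9+ on a Unix system).

```python
import os, socket, tempfile

def file_service(sock, chosen_path):
    # Stand-in for the File Open/Save service; chosen_path models the file the
    # user picked in the dialog (the dialog itself is not implemented here).
    fd = os.open(chosen_path, os.O_RDONLY)
    try:
        # SCM_RIGHTS passes the open descriptor itself, never a path.
        socket.send_fds(sock, [b"F"], [fd])
    finally:
        os.close(fd)  # the receiver holds its own duplicate

def browser_upload(sock):
    # Browser side: receive the grant, read it, probe that writes fail, close.
    _, fds, _, _ = socket.recv_fds(sock, 1, 1)
    if not fds:
        raise RuntimeError("no descriptor received")
    fd = fds[0]
    try:
        data = os.read(fd, 65536)
        try:
            os.write(fd, b"x")
            writable = True
        except OSError:  # EBADF: descriptor was opened O_RDONLY
            writable = False
    finally:
        os.close(fd)  # access to the file ends here
    return data, writable

def demo():
    with tempfile.TemporaryDirectory() as home:
        path = os.path.join(home, "report.txt")
        with open(path, "wb") as f:
            f.write(b"constructed sample file\n")
        svc, browser = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
        pid = os.fork()
        if pid == 0:  # child process plays the file service
            try:
                file_service(svc, path)
            finally:
                os._exit(0)
        svc.close()
        data, writable = browser_upload(browser)
        browser.close()
        os.waitpid(pid, 0)
        return data, writable

if __name__ == "__main__":
    print(demo())
```

The receiving side never learns or opens a path: its access is exactly the one descriptor it was handed, with the mode the service chose.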

