Full Disclosure mailing list archives
Re: Friendly and secure desktop operating system
From: Timo Sirainen <tss () iki fi>
Date: Tue, 14 Oct 2003 06:21:48 +0300
On Tue, 2003-10-14 at 05:41, Valdis.Kletnieks () vt edu wrote:
> classifying software simply to "trusted" and "untrusted" isn't enough. I don't want my "trusted" web browser accessing files in my home directory (due to security holes in it) unless I specifically tell it to upload or download them. About the only way to do this is to use an OpenSSH-style privsep, where the main browser runs in ONE compartment, and file up/downloads are handled via a temp directory/whatever and a separate entity that copies the stuff from temp to home. And even then you can't do a good job of keeping the main browser from lying to the helper if the main browser is subverted....

You're thinking about how to do it currently in the UNIX world. I'm thinking about adding new concepts at the kernel level. systrace would be much closer to it than chroot jails. But yes, privilege separation is the main point. Preferably each web page would run in its own process so any security holes in rendering couldn't affect other currently opened web pages. A web page process would have access equivalent to Java applets - it could mostly just write to a limited area in a window and connect to the host it was loaded from.

What is missing from systrace and others is the ability for processes to pass some of their existing privileges to other processes and the ability to drop privileges completely. For example I should be able to make a process that can access only files inside the ~/.temp/1/ directory. That process should be able to make another process that can access files only inside the ~/.temp/1/2/ directory. Process 1 should be able to grant existing process 2 access to other files inside ~/.temp/1/ as well.

The file upload would then be done something like:

- You have a File Open/Save service process that has access to all files in your filesystem. This really needs to be free of security holes. It would also be responsible for showing the open/save dialogs on screen.
- Web browser's Upload function makes an IPC call to the File Open/Save service process.
- Open file service process shows the Open dialog and lets the user select the file(s) he wishes to upload.
- Open file service process sends read-only file descriptor(s) for the selected files to the web browser process via IPC (or maybe it just grants open() syscall access to the file).
- Web browser uploads the files, closes the file descriptors and no longer has access to them.

Downloading would work pretty much the same.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html