Secure Coding mailing list archives

Re: Re: Application Sandboxing, communication limiting, etc.


From: Martin Stricker <shugal () gmx de>
Date: Fri, 12 Mar 2004 01:14:08 +0000

Andreas Sikkema wrote:

[EMAIL PROTECTED] wrote:

Seems to me that the average user application doesn't need to open
TCP/UDP ports for listening. Attack bots tend to do this kind
of thing.

Unfortunately there are applications like VoIP softphones which have
to have a listener socket (more than one in many cases).

Such listener sockets should be invoked as privileged servers/services,
and the application the user runs only connects via an API to the server
process. So the server can be programmed to only accept certain requests
from the client, which would make it quite difficult for malware to
misuse the service.

This is the way many Unix-like systems work by default: non-privileged
users cannot open a network connection, they need to use a system
service instead (like NFS, RPC, a web proxy etc.). If the services are
programmed in a secure manner, they can prevent misuse quite well.

Best regards,
Martin Stricker
-- 
Homepage: http://www.martin-stricker.de/
Linux Migration Project: http://www.linux-migration.org/
Red Hat Linux 9 for low memory: http://www.rule-project.org/
Registered Linux user #210635: http://counter.li.org/
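
The broker design described in the message above, as an added example that is not part of the original post: the privileged service validates each client request against a fixed policy before it would open any listener. The `Broker` class, the JSON request format, the `softphone` policy entry and its port range are all assumptions made for illustration, and the broker is assumed to learn the application name from the peer's credentials, not from the request.

```python
import json

# Constructed policy: what each client application may ask the broker to open.
# Application names, the port range and the quota are illustrative assumptions.
POLICY = {
    "softphone": {"proto": {"udp"}, "ports": range(16384, 16484), "max_listeners": 2},
}

class Broker:
    """Privileged side: the only process that would call bind()/listen()."""

    def __init__(self, policy):
        self.policy = policy
        self.granted = {}  # app name -> set of (proto, port) already handed out

    def handle(self, app, raw):
        """Validate one request from an unprivileged client; return a reply dict.

        `app` must come from the broker's own view of the peer (assumption:
        derived from the connecting process's credentials), never from `raw`.
        """
        rule = self.policy.get(app)
        if rule is None:
            return self._deny("unknown application")
        try:
            req = json.loads(raw)
        except ValueError:  # covers bad JSON and undecodable bytes
            return self._deny("malformed request")
        if not isinstance(req, dict) or set(req) != {"op", "proto", "port"}:
            return self._deny("unexpected fields")
        if req["op"] != "listen":
            return self._deny("operation not allowed")
        proto, port = req["proto"], req["port"]
        if not isinstance(proto, str) or proto not in rule["proto"]:
            return self._deny("protocol not allowed")
        if type(port) is not int or port not in rule["ports"]:
            return self._deny("port outside permitted range")
        held = self.granted.setdefault(app, set())
        if (proto, port) in held:
            return self._deny("already listening")
        if len(held) >= rule["max_listeners"]:
            return self._deny("listener quota reached")
        held.add((proto, port))
        # A real broker would bind the socket here and pass it to the client.
        return {"ok": True, "proto": proto, "port": port}

    @staticmethod
    def _deny(reason):
        return {"ok": False, "error": reason}
```
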





