[14304] in cryptography@c2.net mail archive


Re: Reliance on Microsoft called risk to U.S. security

daemon@ATHENA.MIT.EDU (Victor.Duchovni@morganstanley.com)
Sat Sep 27 11:53:14 2003

X-Original-To: cryptography@metzdowd.com
Date: Sat, 27 Sep 2003 11:12:48 -0400 (EDT)
From: Victor.Duchovni@morganstanley.com
To: Bill Frantz <frantz@pwpconsult.com>
Cc: Ian Grigg <iang@systemics.com>, cryptography@metzdowd.com
In-Reply-To: <v0311070fbb9a82b2f87b@[192.168.1.5]>

On Fri, 26 Sep 2003, Bill Frantz wrote:

> The real problem is that the viewer software, whether it is an editor, PDF
> viewer, or a computer language interpreter, runs with ALL the user's
> privileges.  If we ran these programs with a minimum of privilege, most of
> the problems would "just go away".
>

And what privileges should the Perl interpreter run with when I click on a
".pl" file? How would the graphical shell know what privileges to assign
to each file?

Also, security is not closed under composition: two individually secure
components can combine to produce an insecure system. I think that no
such secure *non-trivial* least privilege system exists for a
graphical general-purpose computer, either in theory or in practice.

On the other hand, a *trivial* privilege system, "View" (zero privs) vs.
"Run" (full privs), is viable, and is one of the prerequisites for a more
secure UI, along with the previously discussed trusted-path issues,
non-spoofing of the security interface, ...

-- 
	Victor Duchovni
	IT Security,
	Morgan Stanley

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
