[14306] in cryptography@c2.net mail archive
Re: Reliance on Microsoft called risk to U.S. security
daemon@ATHENA.MIT.EDU (Jeroen C.van Gelderen)
Sat Sep 27 18:18:46 2003
X-Original-To: cryptography@metzdowd.com
X-Original-To: cryptography@metzdowd.com
Date: Sat, 27 Sep 2003 13:51:52 -0400
Cc: Bill Frantz <frantz@pwpconsult.com>,
Ian Grigg <iang@systemics.com>, cryptography@metzdowd.com
To: Victor.Duchovni@morganstanley.com
From: Jeroen C.van Gelderen <jeroen@vangelderen.org>
In-Reply-To: <Pine.GSO.4.58.200309271104520.9026@sasas1.ms.com>
On Saturday, Sep 27, 2003, at 11:12 US/Eastern,
Victor.Duchovni@morganstanley.com wrote:
> On Fri, 26 Sep 2003, Bill Frantz wrote:
>
>> The real problem is that the viewer software, whether it is an
>> editor, PDF
>> viewer, or a computer language interpreter, runs with ALL the user's
>> privileges. If we ran these programs with a minimum of privilege,
>> most of
>> the problems would "just go away".
>>
>
> And what privileges should the Perl interpreter run with when I click
> on a
> ".pl" file? How would the graphical shell know what privileges to
> assign
> to each file?
Could it not ask the user? My Apple regularly asks for decisions of
this sort, and remembers the results. So do (popular firewall) products
on the PC. Now, most of these questions are too technical in nature but
point remains that asking question and remembering the answer is
possible.
I continue to believe that few users would grant an email message
access to both the Internet and the Address Book when they are asked
those two questions, provided that the user had not been conditioned to
clicking "YES" in order to get any work done at all.
There is no way around asking the user because he is the ultimate
authority when it comes to making trust decisions. (Side-stepping the
issues in a (corporate) environment where the owner of the machine is
entitled to restrict its users in any way he sees fit. The point is
that the software agent cannot make trust decisions.)
> Also security is not closed under composition, two individually secure
> components can combine to produce an insecure system. I think that no
> such secure *non-trivial* least privilege system exists for a
> graphical general purpose computer either in theory, or in practice.
Are you familiar with the KeyKOS and EROS operating systems and/or
Stiegler's CapDesk, a secure desktop in Java? They are all based on the
Principle Of Least Privilege (trough capabilities) and they manage to
preserve security in the face of composition. Do you consider those
systems to be trivial, or broken? What is the reason these systems
cannot exist in theory or practice?
http://www.combex.com/tech/edesk.html
http://www.erights.org/talks/skynet/index.html
http://www.cis.upenn.edu/~KeyKOS/
http://www.eros-os.org/
> On the other hand a *trivial* privilege system: "View" (zero privs) vs.
> "Run" (full privs) is viable, and is one of the pre-requisites for a
> more
> secure UI, along with the previously discussed trusted path issues,
> non-spoofing of the security interface, ...
-J
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
