[4308] in WWW Security List Archive


Re: Sceptic about (Funds Transfer w/o PIN)

daemon@ATHENA.MIT.EDU (Adam Shostack)
Sun Feb 9 11:30:51 1997

From: Adam Shostack <adam@homeport.org>
In-Reply-To: <199702090313.WAA15680@life.ai.mit.edu> from Phillip M Hallam-Baker at "Feb 8, 97 10:07:47 pm"
To: hallam@ai.mit.edu (Phillip M Hallam-Baker)
Date: Sun, 9 Feb 1997 08:50:48 -0500 (EST)
Cc: adam@homeport.org, rsheehy@ac4.jjc.cc.il.us, skat@flask.com,
        WWW-SECURITY@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu

Phillip M Hallam-Baker wrote:

| > From: Adam Shostack <adam@homeport.org>
| 
| > 	Seems to me that the Java sandbox stands more in the way of
| > this than the need for a certificate.  Once you sign the code, you're
| > golden with ActiveX.  With Java, there's still a sandbox in place.
| > Giving the user the control to say 'No, I don't want Java to take over
| > my machine any time it runs' strikes me as a huge difference.
| 
| But can we trust the strength of the sandbox? It seems to me
| that the Quicken issue demonstrates a somewhat cavalier attitude
| to extending the abilities of the PC. Before PCs were connected to
| the net the worst outcome was the loss of the PC and all data. Now
| the potential downside is infinite.

	You're shifting from 'sandbox is better than no sandbox' to
'is the sandbox enough?'  I don't think the sandbox is sufficient, but
I do think it's better than the presented alternative.

| We have to abandon the traditional model of computer security if we wish to
| make systems secure on the net. The PC security model is now entirely 
| inadequate. The Active X vector is protected to a considerably greater 
| extent than CD-ROM. Perhaps people should get used to not loading a CD 
| unless it has a certificate. 

	The PC model was never the traditional model, it said that
security is irrelevant.  The traditional model is closer to the VMS
model you discuss below.

	I disagree that ActiveX is more protected than a CD-ROM.  An
ActiveX applet can be targeted quietly on accessing a web page.
Maintaining a web page costs ~20 per month.  Getting an ActiveX
certificate costs ~1000, for Verisign, state filing fees to create a
corporation, etc.  Getting a CD into widespread distribution costs
well into the thousands.  Also, with the CD, there is evidence of
what's been done.  With a web page, the page can be silently sanitized,
leading to plausible deniability.

| Even certificates are only a palliative, a stopgap solution that is the
| best we can hope for until PC operating systems separate management
| privilege from user privilege. When I programmed VMS systems there were
| 32 distinct privileges; as a rule I would enable only the ones I knew I
| needed for a particular task. If a program failed for "lack of privilege"
| I would become suspicious of why the privilege was needed.
| 
| The sandbox concept is a small scale version of the same concept.
| Unfortunately, to do useful work a program has to have access to critical
| data. I remain very skeptical of the idea that a sandbox can be
| constructed securely unless it is part of a radical operating system
| redesign. 

	You mean part of an operating system. :)  (Phill and I know
that we disagree about the nature of the virus propagation system
Microsoft mislabels as an OS. :)

	More seriously, most OSs need the concept of a program being
setuid 'not-really-me.'  A program could thus run as a uid related to
yours, protecting your confidential files from it.  You don't want it
to run as nobody, because then the nobody account (which anyone can
access) can read your certificate files, your history, your cache.
You don't want it to run as you for the same reason.  Perhaps this
could be accomplished with groups with a little planning.

Adam



-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume
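The 'not-really-me' uid idea in the message above, as an added illustration that is not part of the original post or thread: a small Python model of the POSIX discretionary read check, run over the three choices named there (run as you, run as nobody, run as a per-user sandbox uid). The account names, uids and file modes are constructed assumptions, and the 51000/51001 "sandbox" uids are hypothetical.

```python
"""Model of which uid an untrusted program should run under (constructed example)."""
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class FileInfo:
    owner_uid: int
    owner_gid: int
    mode: int                      # permission bits only, e.g. 0o600


@dataclass(frozen=True)
class Cred:
    uid: int
    gid: int
    groups: frozenset = frozenset()   # supplementary groups


def can_read(cred: Cred, f: FileInfo) -> bool:
    """POSIX discretionary check for read access.  The uid-0 bypass is left
    out because none of the accounts modelled here is root."""
    if cred.uid == f.owner_uid:
        return bool(f.mode & stat.S_IRUSR)
    if cred.gid == f.owner_gid or f.owner_gid in cred.groups:
        return bool(f.mode & stat.S_IRGRP)
    return bool(f.mode & stat.S_IROTH)


# Constructed accounts: alice and mallory are ordinary users, 'nobody' is the
# single shared low-privilege account, and 51000/51001 are hypothetical
# per-user "not-really-me" uids handed only to alice's / mallory's programs.
ALICE, MALLORY = Cred(1000, 1000), Cred(1001, 1001)
NOBODY = Cred(65534, 65534)
ALICE_BOX, MALLORY_BOX = Cred(51000, 51000), Cred(51001, 51001)

ALICE_CERT = FileInfo(1000, 1000, 0o600)   # alice's private certificate store


def exposure(run_as: Cred) -> dict:
    """Two questions for a program run under `run_as`: can it read alice's
    certificate, and can mallory's program (run under the same policy) read
    the history/cache this program writes for itself as a 0600 file?"""
    mallory_runs_as = {ALICE: MALLORY, NOBODY: NOBODY, ALICE_BOX: MALLORY_BOX}[run_as]
    own_cache = FileInfo(run_as.uid, run_as.gid, 0o600)
    return {
        "reads_alice_cert": can_read(run_as, ALICE_CERT),
        "mallory_reads_cache": can_read(mallory_runs_as, own_cache),
    }
```

Only the per-user sandbox uid answers both questions with "no": running as alice exposes her certificate, and running as nobody leaves the program's own cache readable by anyone else whose code also runs as nobody.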


