[4769] in WWW Security List Archive

C2 improves executable content security, but doesn't solve the prob (was Re: Why do you think you can trust PC software? (was Re: Latest Java hole is Netscape/Sun only))

daemon@ATHENA.MIT.EDU (Jay Heiser)
Tue Mar 11 17:16:17 1997

Date: Tue, 11 Mar 1997 14:33:59 -0500
From: Jay Heiser <Jay@homecom.com>
Reply-To: jay@homecom.com
To: WWW-SECURITY@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu

Having file permissions (UNIX & NT) is a good start, but I don't think
merely using a C2ish operating system for your browser platform offers
significantly better protection from hostile executable content. 
Correct me if I'm wrong here:

1) Typically, user tasks run with all the permissions that a user has at
login.  If a task goes awry, or is hostile, it can nuke all of that
user's files.  Fortunately, it won't nuke the entire system, unless the
user is logged in with full admin privs.

2) It's possible to limit the capabilities of a running application, but
experience on UNIX with this has been dismal (lpr, sendmail, etc).

3) IMHO, it's harder for an inexperienced user to safely set up a UNIX box
than it is for Win95, DOS, or the Mac.  Given that most versions of UNIX
respond to a variety of network protocols by default, a newbie would be
much more at risk to use UNIX than Win95.   UNIX is just not safe out of
the box.  It should be professionally administered if used on the
Internet, but the 'less fortunate' operating systems you refer to don't
have risky server daemons.

4) Do you want to make the case that NT is the most appropriate choice
for users who must maintain confidentiality/integrity/availability on
their workstation and still desire to access anonymous executable
content or selectively grant privs to trusted executable content?   (or
alternately, heavily administered UNIX)   That's great, I'd like to
learn more about your ideas, but you need to flesh out your argument.

Implemented correctly or not, the Java security model has 3 protective
mechanisms, none of which UNIX or NT has: the code verifier, the class
loader, and the security manager (which in its current configuration is
much more draconian than mere ACLs or file permissions).  Also, it's easy
to believe that Java code is less likely to fail in security-relevant
ways than C is.

Neither NT nor UNIX was designed with any thought to the implications of
'executable content.'


Bob Denny wrote:
> 
> > If you want to trust your bank's digital signature, you should be able
> > to let the bank's Java applet selectively modify data on your
> > PC--without concern that it could ever pollute anything else on your PC.
> >
> > Given that current desktop operating systems do not provide this
> > capability, we have to rely on kludgy add-ons.  The idea of an
> > intrinsically safe operating system is very appealing.
> 
> Well, the desktop operating systems you refer to must be Win95 and the MacOS.
> Because the unix flavors and WindowsNT all have this capability. And the Java
> SecurityManager is a flexible thing, it happens that both Netscape and
> Microsoft ratchet it down to the minimum (and rightly so for now). The
> SecurityManager is another place to hook controls into for those less
> fortunate desktop OSs. Make the settings easy, like a choice between "hardened
> criminals", "juvenile offenders", "casual acquaintances", "friends and
> family", and "me". Five levels ought to be enough.
> 
>   -- Bob

-- 
Jay Heiser, 703-610-6846, jay@homecom.com
Homecom Internet Security Services
http://www.homecom.com/services/hiss
For company & industry news...subscribe to newsletter@homecom.com
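As an added illustration, written for this archive page and not taken from either poster, of Bob's point that the Java SecurityManager is a hook for controls and of the bank-applet scenario quoted above: a hypothetical SecurityManager subclass that confines file writes and deletes to a single sandbox directory. The class name and the sandbox path are invented for the example.

```java
import java.io.File;
import java.io.FileWriter;
import java.io.IOException;
import java.security.Permission;

// Hypothetical manager: all file writes must land inside one allowed directory.
public class DirectoryConfinedManager extends SecurityManager {
    private final String allowedRoot;

    public DirectoryConfinedManager(File allowedDir) throws IOException {
        // Canonicalise once so "../" segments and symlinks are resolved before comparing.
        this.allowedRoot = allowedDir.getCanonicalPath() + File.separator;
    }

    @Override
    public void checkWrite(String file) {
        try {
            String target = new File(file).getCanonicalPath();
            if (!target.startsWith(allowedRoot)) {
                throw new SecurityException("write outside sandbox refused: " + file);
            }
        } catch (IOException e) {
            throw new SecurityException("cannot resolve path: " + file);
        }
    }

    @Override
    public void checkDelete(String file) { checkWrite(file); }

    // Anything not covered by an explicit check above is still permitted here;
    // a real policy would also constrain checkRead, checkConnect, checkExec, ...
    @Override
    public void checkPermission(Permission perm) { }

    public static void main(String[] args) throws IOException {
        File sandbox = new File(System.getProperty("java.io.tmpdir"), "applet-sandbox");
        sandbox.mkdirs();
        System.setSecurityManager(new DirectoryConfinedManager(sandbox));

        try (FileWriter ok = new FileWriter(new File(sandbox, "balance.txt"))) {
            ok.write("allowed\n");                  // inside the sandbox: permitted
        }
        try {
            new FileWriter(new File(sandbox.getParentFile(), "other.txt")); // outside: refused
        } catch (SecurityException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

SecurityManager is deprecated since JDK 17 and installing one at runtime needs -Djava.security.manager=allow from JDK 18 on, so this runs only on older or explicitly enabled JDKs.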
