On 10 Dec, 2011, at 11:58 PM, Peter Gutmann wrote:
> Jon Callas writes:
>
>> If someone actually built such a combination of OS and marketplace, it would
>> work for the users very well, but developers would squawk about it. Properly
>> done, it could drop malware rates to close to nil.
>
> Oh, developers would do more than squawk about it. Both Java and .NET
> actually support the capability-based security that you mentioned, but it's so
> painful to use that it's either turned off by default (.NET's 'trust
> level="Full"') or was turned off after massive developer backlash (Java).
> Even the very minimal capabilities used by Android are failing because of the
> dancing bunnies and confused deputy problems, and because developers request
> as close to any/any as they can get just in case (exacerbating the confused
> deputy problem).
>
> (One of the nice things about Android is that it's fairly easy to decompile
> and analyse the code, so there have been all sorts of papers published on its
> capability-based security mechanisms using this technique. It's serving as a
> nice real-world empirical evaluation of failure modes of capability-based
> security systems. I'm sure someone could get a good thesis out of it at some
> point).
>
>> Properly done, it could drop malware rates to close to nil.
>
> Objection, tautology: Properly done, any (malware-related) security measure
> would drop malware rates close to nil. The problem is doing it properly...
>
Yes, doing it properly is the key, and I'll assert that Apple is doing a pretty
good approximation of it. They are doing more or less what I described -- good
coding enforcement backed up with digital signatures. There are plenty of
people squawking about it. I know developers who've thrown up their hands, and
there is plenty of grumpiness I've heard. Some of it is reasonable grumpiness, too.
But the end result for the users is that the malware rate is close to zero. The
system is by no means perfect, and has side effects. But the times when
something slipped through the net are so few that they're still notable. (And
some of the malware has been kinda charming, like the flashlight app that had a
hidden SOCKS proxy that let people use it for tethering.) More importantly, the
system does not throw things at the users that they're incapable of handling,
like the Android way of just informing you what capabilities an app needs.
People can and do just hand devices to their kids and let them use them with no
ill effects.
Jon
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography