Re: [Full-Disclosure] Friendly and secure desktop operating system
Hi!

> > Have you taken a look at Sun's recent Java-based desktop? Is that what you're thinking of?
>
> Isn't it just a slightly? modified SuSe with the Java name slapped on?

Java implementations are not secure enough to run arbitrary code. A JVM really is a complex and large beast. And this makes it hard to make it correct and secure.

Greetings,
Peter Busser
--
The Adamantix Project
Taking trustworthy software out of the labs, and into the real world
http://www.adamantix.org/

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: [Full-Disclosure] Friendly and secure desktop operating system
> > > Have you taken a look at Sun's recent Java-based desktop? Is that what you're thinking of?
> >
> > Isn't it just a slightly? modified SuSe with the Java name slapped on?
>
> Java implementations are not secure enough to run arbitrary code. A JVM really is a complex and large beast. And this makes it hard to make it correct and secure.

I must be missing a point. What has JavaVM complexity to do with security of Java Desktop? It's just a SuSE+GNOME with J2RE pre-installed (with Gtk look and feel). The 'Java' part of the name is just a business buzzword. One may use Java Desktop every day without running a byte of Java bytecode.

This all of course does not mean that the Java Desktop is secure. It just means that since it is not written in Java, it may be user friendly :).

Greetings,
Ondra Krajicek

|| Ondrej Krajicek [EMAIL PROTECTED] ||
|| Institute of Computer Science, Masaryk University Brno, CR ||
Re: [Full-Disclosure] Friendly and secure desktop operating system
Timo Sirainen [EMAIL PROTECTED] wrote:

> You're thinking about how to do it currently in the UNIX world. I'm thinking about adding new concepts at kernel level. systrace would be much closer to it than chroot jails.

Indeed, I've been thinking a lot about how to create the sort of desktop environment you describe, and I don't think it's 'properly' doable within the current Unix-style or Windows operating environments. It would require a pervasive system of fine-grained capabilities, from base OS level right up to user desktop services. Programs would have to get used to pre-requesting each service they require, and cope with being refused (either on policy grounds, or user choice, or the user themselves not having the required rights). There are also user interface concerns (i.e. how to prevent an application 'faking' the system security interface).

An attempt starting along these lines can be seen in Tiny Personal Firewall. Its interface isn't too great, it's not complete, and of course on a Windows platform there is nothing stopping a malicious process from subverting the protection, but it's an interesting glimpse at the sort of thing we might need.

--
Andrew Clover
mailto:[EMAIL PROTECTED]
http://www.doxdesk.com/
Re: [Full-Disclosure] Friendly and secure desktop operating system
Timo Sirainen wrote:

> For a while I've been wondering if it's possible to create an operating system that would allow stupid users to easily do whatever they want, but still prevent viruses and other malware from doing any harm. Today I finally spent a few minutes thinking about it and then wrote some of the thoughts down:
>
> http://iki.fi/tss/security/friendly-secure-os.html

You're talking about a mandatory access control OS - see SELinux, TrustedBSD, Trusted Solaris, Flask/Flux, Trusted IRIX - described in the Orange Book.

Goetz
Re: [Full-Disclosure] Friendly and secure desktop operating system
On Tuesday 14 October 2003 16:51 Sam Pointer wrote:

> Goetz Von Berlichingen wrote:
>
> > You're talking about a mandatory access control OS - see SELinux, TrustedBSD, Trusted Solaris, Flask/Flux, Trusted IRIX - described in the Orange Book.
>
> or BarbieOS: http://qrxx.4t.com/barbieOS.htm

oh - Many of the girls we talked to said that they were tired of constantly patching their Windows systems against the latest Outlook worm, only to find that the patch breaks one of their custom applications or reduces the performance and stability of the operating system...
[Full-Disclosure] Friendly and secure desktop operating system
For a while I've been wondering if it's possible to create an operating system that would allow stupid users to easily do whatever they want, but still prevent viruses and other malware from doing any harm. Today I finally spent a few minutes thinking about it and then wrote some of the thoughts down:

http://iki.fi/tss/security/friendly-secure-os.html

I'd like to hear comments about it. I hope it's easily enough understandable, it's really just intended to give some larger ideas and let you figure out the details.

I have no doubt that someone else has had similar thoughts before. If there are any similar papers or books, I'd like to hear about them.

Also note that I believe it would be possible to implement this in relatively short time on top of some existing UNIX system and maybe KDE or GNOME as the user interface. So I wouldn't say it's just a nice dream.
Re: [Full-Disclosure] Friendly and secure desktop operating system
On Tue, 14 Oct 2003 02:00:39 +0300, Timo Sirainen [EMAIL PROTECTED] said:

> http://iki.fi/tss/security/friendly-secure-os.html
>
> I'd like to hear comments about it. I hope it's easily enough understandable, it's really just intended to give some larger ideas and let you figure out the details.

*sniff* *sniff*.. Do I smell the presence of Java here? ;)

(You've basically described the Java sandbox...)

Have you taken a look at Sun's recent Java-based desktop? Is that what you're thinking of?

http://wwws.sun.com/software/learnabout/desktopsystem/index.html
Re: [Full-Disclosure] Friendly and secure desktop operating system
On Tue, 2003-10-14 at 03:27, [EMAIL PROTECTED] wrote:

> On Tue, 14 Oct 2003 02:00:39 +0300, Timo Sirainen [EMAIL PROTECTED] said:
>
> > http://iki.fi/tss/security/friendly-secure-os.html
> >
> > I'd like to hear comments about it. I hope it's easily enough understandable, it's really just intended to give some larger ideas and let you figure out the details.
>
> *sniff* *sniff*.. Do I smell the presence of Java here? ;)
>
> (You've basically described the Java sandbox...)

Well, yes. The sandbox part is very much like with Java, except it would be enforced by the operating system rather than the JVM. But the sandboxing itself wasn't the only point - sandboxing isn't useful if most software requires access outside the safe sandbox. You really want to have a system where you don't constantly get questions about whether something is allowed or not, but you still should be able to run pretty much any kind of software you run into.

> Have you taken a look at Sun's recent Java-based desktop? Is that what you're thinking of?
>
> http://wwws.sun.com/software/learnabout/desktopsystem/index.html

That doesn't seem to be a Java-only desktop. For example it includes Star Office. Security holes in Star Office would still allow full access to the user's files. I'd want a system where I can run any software I want and reasonably expect that it can't do any harm besides consuming CPU and memory.

Also classifying software simply to trusted and untrusted isn't enough. I don't want my trusted web browser accessing files in my home directory (due to security holes in it) unless I specifically tell it to upload or download them.
Re: [Full-Disclosure] Friendly and secure desktop operating system
I read it, and have a couple comments.

1. The UNIX model does more than protect users from other users, it also protects the system from users. In a Windows world, it is possible for any user to trash the entire system -- not just their data. This is mitigated with Win2K and WinXP where you can create non-admin users, but my experience has been most non-admin users end up getting stuck in the local admin group for convenience and that defeats the purpose.

2. Software application packages -- the stuff users run -- should be installable by non-root users by default. Only if something needs to be installed systemwide should it be done by a sudo. Most single users only want to install and run software for themselves, not a group. That software can be run as the user -- protecting the system itself. Yes, this still leaves the user's data vulnerable.

3. Honor, like Unix/Linux does, the privileged port concept and only allow the admin to open ports below 1024. Make it painfully clear whenever any program tries to listen on upper ports on non-localhost. Bells and whistles should go off if anything wants to run as a server service.

4. Make firewalls be included and ON by default. Lock out damn near everything except DNS, DHCP, POP, IMAP, FTP, NNTP and NTP from making it in (and their SSL-variants). If a user knows what SSH or any other service is, then they are probably smart enough to be able to explicitly turn it on. Keep LAN (SMB, NETBIOS, etc.) services off unless turned on by an admin.

5. Make a list of services allowed to make network connections to the outside world. Have all sorts of sirens go off if something attempts to get out and isn't on the list.

6. Educate users about patching and keeping antivirus software up to date. The systems should automatically check daily for new patches/av updates and have a one click install.

The problem is, other than a list of trusted programs that each have a list of trusted functions, there is no way for the system to know what is allowed and what is not. However, there may be a way to apply Bayesian logic to program activity. Just like spam filters can learn what is and what isn't spam by what spam looks like, a Bayesian program filter could (theoretically) learn what virus and malware activity acts like and quarantine it. I remember Norton Antivirus trying this a while ago, but it wasn't very successful. However, that was a few years back (5?).

--
Charles E. Hill
Technical Director
Herber-Hill LLC
http://www.herber-hill.com/
Re: [Full-Disclosure] Friendly and secure desktop operating system
[EMAIL PROTECTED] wrote:

> On Tue, 14 Oct 2003 02:00:39 +0300, Timo Sirainen [EMAIL PROTECTED] said:
>
> > http://iki.fi/tss/security/friendly-secure-os.html
> >
> > I'd like to hear comments about it. I hope it's easily enough understandable, it's really just intended to give some larger ideas and let you figure out the details.
>
> *sniff* *sniff*.. Do I smell the presence of Java here? ;)
>
> (You've basically described the Java sandbox...)
>
> Have you taken a look at Sun's recent Java-based desktop? Is that what you're thinking of?

Isn't it just a slightly? modified SuSe with the Java name slapped on?

> http://wwws.sun.com/software/learnabout/desktopsystem/index.html
Re: [Full-Disclosure] Friendly and secure desktop operating system
On Mon, 2003-10-13 at 16:00, Timo Sirainen wrote:

> For a while I've been wondering if it's possible to create an operating system that would allow stupid users to easily do whatever they want, but still prevent viruses and other malware from doing any harm. Today I finally spent a few minutes thinking about it and then wrote some of the thoughts down:
>
> http://iki.fi/tss/security/friendly-secure-os.html
>
> I'd like to hear comments about it. I hope it's easily enough understandable, it's really just intended to give some larger ideas and let you figure out the details.
>
> I have no doubt that someone else has had similar thoughts before. If there are any similar papers or books, I'd like to hear about them.
>
> Also note that I believe it would be possible to implement this in relatively short time on top of some existing UNIX system and maybe KDE or GNOME as the user interface. So I wouldn't say it's just a nice dream.

Who is to be the one auditing the (what is it now?) 1.5 MILLION lines of code in KDE to make sure IT is secure? Gnome and KDE are massive application suites, who is to say they are secure?

This is also not a thread for FULL DISCLOSURE. How many times do people have to point that out?

Jimmy Mitchener
mvhs.net/~jmitchener
Re: [Full-Disclosure] Friendly and secure desktop operating system
> I'd want a system where I can run any software I want and reasonably expect that it can't do any harm besides consuming CPU and memory.

I don't see how this would be possible if you want the software you run to be able to:

1) Read/Write/Create files
2) Open network sockets

It would seem that user errors, malicious software, and/or defects in the software under those conditions would always have the potential for harm.
Re: [Full-Disclosure] Friendly and secure desktop operating system
On Tue, 14 Oct 2003 04:28:38 +0300, Timo Sirainen said:

> I'd want a system where I can run any software I want and reasonably expect that it can't do any harm besides consuming CPU and memory.

Also "any software I want" and "reasonably expect" are probably hard to achieve at the same time. You get to either sandbox, or use things like SELinux and chroot/jail to restrict them, or solve the Turing Halting Problem (as doing a perfect job of detecting malware is an equivalent problem).

> classifying software simply to trusted and untrusted isn't enough. I don't want my trusted web browser accessing files in my home directory (due to security holes in it) unless I specifically tell it to upload or download them.

About the only way to do this is to use an OpenSSH-style privsep, where the main browser runs in ONE compartment, and file up/downloads are handled via a temp directory/whatever and a separate entity that copies the stuff from temp to home. And even then you can't do a good job of keeping the main browser from lying to the helper if the main browser is subverted.
Re: [Full-Disclosure] Friendly and secure desktop operating system
On Tue, 2003-10-14 at 04:31, Charles E. Hill wrote:

> I read it, and have a couple comments.
> ..

Most of it was about how to run current operating systems slightly more securely. I don't think it's nearly enough to provide good security.

> 5. Make a list of services allowed to make network connections to the outside world. Have all sorts of sirens go off if something attempts to get out and isn't on the list.

Problem is that there's lots of software that wants to go out. Multiplayer games, all kinds of cool software that goes and fetches something out of the web. Most people would just start giving access to all software that wants to get out if they were asked half of the time they installed something.

> 6. Educate users about patching and keeping antivirus software up to date. The systems should automatically check daily for new patches/av updates and have a one click install.

This is still too difficult for many people. Only if it was done automatically would they do it. Besides it isn't enough - if you download and run a trojan it's unlikely anything will notice it. You did want to run it after all. And this is exactly what many home users do, my sister's and brother's computers are full of spyware and adware. They know it but don't care enough to restrict what they can do with their computers. Occasionally they run some anti-virus and anti-spyware software to clean (most of) it out.

Now, imagine if it was possible to run untrusted programs without worrying about them doing anything nasty with your system? No need for anti-virus/spyware for most people. When you close the program it's completely guaranteed to be gone. Imagine allowing web pages to automatically run any kind of plugins they want without worrying about what they could do to your system. The operating system would keep the plugins safely sandboxed. When you closed the web page, the plugin would be gone. (yes, of course it's still not such a good default behaviour, just one example)

That is what the friendly and secure desktop operating system should be about.

> The problem is, other than a list of trusted programs that each have a list of trusted functions, there is no way for the system to know what is allowed and what is not.

I don't think most of the software really needs anything special. Most should run happily inside its own sandbox, accessing files outside the sandbox only when requested by user interaction. I updated the web page with several examples of what privileges different kinds of software would likely need - it's not much.
Re: [Full-Disclosure] Friendly and secure desktop operating system
On Tue, 2003-10-14 at 05:41, [EMAIL PROTECTED] wrote:

> > classifying software simply to trusted and untrusted isn't enough. I don't want my trusted web browser accessing files in my home directory (due to security holes in it) unless I specifically tell it to upload or download them.
>
> About the only way to do this is to use an OpenSSH-style privsep, where the main browser runs in ONE compartment, and file up/downloads are handled via a temp directory/whatever and a separate entity that copies the stuff from temp to home. And even then you can't do a good job of keeping the main browser from lying to the helper if the main browser is subverted.

You're thinking about how to do it currently in the UNIX world. I'm thinking about adding new concepts at kernel level. systrace would be much closer to it than chroot jails.

But yes, privilege separation is the main point. Preferably each web page would run in its own process so any security holes in rendering couldn't affect other currently opened web pages. The web page process would have access equivalent to Java applets - it could mostly just write to a limited area in a window and connect to the host where it was loaded from.

What is missing from systrace and others is the ability for processes to pass some of their existing privileges to other processes and the ability to drop privileges completely. For example I should be able to make a process that can access only files inside the ~/.temp/1/ directory. That process should be able to make another process that can access files only inside the ~/.temp/1/2/ directory. Process 1 should be able to grant existing process 2 access to other files inside ~/.temp/1/ as well.

The file upload would then be done something like:

- You have a File Open/Save service process that has access to all files in your filesystem. This really needs to be free of security holes. It would also be responsible for showing the open/save dialogs on screen.
- Web browser's Upload function makes an IPC call to the File Open/Save service process.
- Open file service process shows the Open-dialog and lets the user select the file(s) he wishes to upload.
- Open file service process sends read-only file descriptor(s) of the selected files to the web browser process via IPC (or maybe it just grants open() syscall access to the file).
- Web browser uploads the files, closes the file descriptors and no longer has access to them.

Downloading would work pretty much the same.
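The upload flow in the message above (a privileged File Open/Save service hands the sandboxed browser a read-only descriptor over IPC, and the browser's access ends when it closes it), as an added C example that is not part of this thread: on today's Unix systems the descriptor-passing step is SCM_RIGHTS over a Unix-domain socket, so the example uses that rather than the new kernel concept the message proposes. The parent plays the service, a forked child plays the browser, and the sample file path and its content are constructed assumptions.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/wait.h>

/* Pass one open descriptor over a Unix-domain socket via SCM_RIGHTS. */
static int send_fd(int sock, int fd) {
    char byte = 'F', cbuf[CMSG_SPACE(sizeof(int))] = { 0 };
    struct iovec iov = { &byte, 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS; c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}
/* Receive it; the receiver never learns the path, it only gets the open fd. */
static int recv_fd(int sock) {
    char byte, cbuf[CMSG_SPACE(sizeof(int))];
    struct iovec iov = { &byte, 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    if (recvmsg(sock, &msg, 0) != 1) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS) return -1;
    int fd; memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}
/* Constructed sample input: writes `text` to `path`; 0 on success. */
int make_sample_file(const char *path, const char *text) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    int ok = fd >= 0 && write(fd, text, strlen(text)) == (ssize_t)strlen(text);
    if (fd >= 0) close(fd);
    return ok ? 0 : -1;
}
/* The message's upload flow: the parent (File Open/Save service) alone opens
 * the path read-only; the forked child (sandboxed browser) only ever holds the
 * passed fd. Returns 0 if the child read `expect` and its write was refused. */
int demo_upload(const char *path, const char *expect) {
    int sv[2], status = 0, fd, rc; pid_t pid;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    if ((pid = fork()) < 0) return -1;
    if (pid == 0) {                             /* browser side */
        char buf[64] = { 0 };
        close(sv[0]);
        if ((fd = recv_fd(sv[1])) < 0) _exit(1);
        if (read(fd, buf, sizeof buf - 1) < 0 || strcmp(buf, expect)) _exit(2);
        if (write(fd, "x", 1) != -1) _exit(3);  /* O_RDONLY: write must fail */
        close(fd);                              /* access ends with the fd */
        _exit(0);
    }
    close(sv[1]);                               /* service side */
    fd = open(path, O_RDONLY); rc = fd < 0 ? -1 : send_fd(sv[0], fd);
    if (fd >= 0) close(fd);                     /* child has its own copy */
    close(sv[0]);
    waitpid(pid, &status, 0);
    return rc < 0 ? -1 : WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

If the service never sends a descriptor (for example the file does not exist), the child's recvmsg sees end-of-file and the browser side gets nothing at all, which is the point of the design.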