Wednesday, October 10, 2007

The next generation of operating system security

It should be obvious by now that users are not going to stop clicking on random links to things and/or downloading stuff to run on their PCs.

Anybody pretending that "user education" will prevent the explosion in compromised PCs is just living in a dream world.

Automated testing tools will help with the software produced by some of the bigger players, but malware authors are learning to target less well-known software - witness the recent trojan that hid inside a mod file for a game.

And yet there is a well-known mitigation technique employed by most of the major server programs today, and it's time that technique made its way into the average user's desktop world.

That technique is sandboxing and privilege de-escalation. Server programs do this either by deliberately dropping system privileges as soon as they have finished the setup that needs them (bind the privileged port, open the log file, then switch to a dedicated low-rights account), or by running under a limited-rights user account from the start.

This means that even a successful attack can achieve only a limited amount of damage.

Internet Explorer 7 on Vista uses this technique and calls it "Protected Mode": the browser runs at a low integrity level, so even if it is compromised it cannot write to the user's files or registry settings.

I hope this is part of a larger plan to extend this protection to all application programs.

Most application programs do not need very much privilege. It should be possible to mark programs as running in a sandbox, and then apply a privilege filter to the program's running process.
This could take the form of additional ACLs stored as extended file attributes alongside the executable.

For older programs that carry no such attributes, a look-up database could supply the ACLs, extending the initial range of protection.