Bill Frantz <[EMAIL PROTECTED]> writes:

>The real problem is that the viewer software, whether it is an editor, PDF
>viewer, or a computer language interpreter, runs with ALL the user's
>privileges. If we ran these programs with a minimum of privilege, most of
>the problems would "just go away".

This doesn't really work. Consider the simple case where you run Outlook with 'nobody' privs rather than the current user privs. You need to be able to send and receive mail, so a worm that mails itself to others won't be slowed down much. In addition everyone's sending you HTML-formatted mail, so you need access to (in effect) MSIE via the various HTML controls. Further, you need Word and Excel and Powerpoint for all the attachments that people send you. They need access to various subsystems like ODBC and who knows what else as an extension of the above. As you follow these dependencies further and further out, you eventually end up running what's more or less an MLS system where you do normal work at one privilege level, read mail at another, and browse the web at a third.

This was tried in the 1970s and 1980s and it didn't work very well even if you were prepared to accept a (sizeable) loss of functionality in exchange for having an MLS OS, and would be totally unacceptable for someone today who expects to be able to click on anything in sight and have it automatically processed by whatever app is assigned to it. Even if you could somehow enforce the MLS-style restrictions and convince people to run an OS with this level of security enabled, the outcome when this was tried with MLS OSes was that users would do everything possible to bypass it because it was seen as an impediment to getting any work done: SIGMA eventually allowed users to violate the *-property to avoid them having to re-type messages at lower security levels (i.e. it recognised that they were going to violate security anyway, so it made it somewhat less awkward to do), Multics and GEMSOS allowed users to be logged in at multiple security levels to get work done (now add the 1,001 ways that Windows can move data from A to B to see how much harder this is to control than on a 1970s system where the only data-transfer mechanism was "copy a file"), KSOS used non-kernel security-related functions ("kludges") to allow users to violate security properties and get their work done, etc etc.

One thing that I noticed in the responses to "CyberInsecurity: The Cost of Monopoly" was that of the people who criticised it as recommending the wrong solution, no two could agree on any alternative remedy. This indicates just how hard a problem this really is...

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
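The post refers to the *-property and to users being logged in at several levels at once without spelling out why that workaround becomes necessary. The following toy Bell-LaPadula model is an added illustration, not part of the original message or of any of the systems it names; the level names, the subject and the mail scenario are constructed. It shows that a session at a high level may read a lower-level message but may not write a reply at that lower level, which is exactly the friction that drove the SIGMA relaxation and the multiple-login practice on Multics and GEMSOS described above.

```python
"""Toy Bell-LaPadula model: simple security property and *-property.

Added example (not from the original post). Levels, subject names and the
mail scenario are constructed for illustration; real systems also carry
compartment sets, giving a lattice rather than this total order.
"""
from dataclasses import dataclass

# Constructed linear ordering of sensitivity levels.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2}


def dominates(a: str, b: str) -> bool:
    """True if level a is at least as high as level b."""
    return LEVELS[a] >= LEVELS[b]


@dataclass
class Subject:
    name: str
    level: str  # the level of the current login session


@dataclass
class Obj:
    name: str
    level: str  # classification label of the object


def can_read(s: Subject, o: Obj) -> bool:
    """Simple security property ("no read up"): the subject's session level
    must dominate the object's label."""
    return dominates(s.level, o.level)


def can_write(s: Subject, o: Obj) -> bool:
    """*-property ("no write down"): the object's label must dominate the
    subject's session level, so nothing flows from high to low."""
    return dominates(o.level, s.level)


def reply_allowed(session_level: str, incoming_level: str) -> tuple:
    """Model the mail case from the post: read a message labelled
    incoming_level and write a reply carrying the same label, while logged
    in at session_level. Returns (read_ok, write_ok)."""
    user = Subject("alice", session_level)          # constructed subject
    msg = Obj("incoming-message", incoming_level)   # constructed object
    reply = Obj("reply", incoming_level)            # reply keeps sender's label
    return can_read(user, msg), can_write(user, reply)


def sessions_required(incoming_levels) -> int:
    """Under strict BLP a reply is only permitted when the session level
    equals the message label (see reply_allowed), so answering mail at N
    distinct labels needs N separate logins. This is the multi-level
    login workaround the post attributes to Multics and GEMSOS."""
    return len(set(incoming_levels))


if __name__ == "__main__":
    for sess, inc in [("SECRET", "CONFIDENTIAL"),
                      ("CONFIDENTIAL", "CONFIDENTIAL"),
                      ("CONFIDENTIAL", "SECRET")]:
        r, w = reply_allowed(sess, inc)
        print(f"session={sess:12} mail={inc:12} read={r!s:5} reply={w!s:5}")
    print("logins needed for a day's mail:",
          sessions_required(["UNCLASSIFIED", "SECRET", "CONFIDENTIAL", "SECRET"]))
```

The SECRET session in the first case can read the CONFIDENTIAL message but is refused the reply: the user either logs in again at CONFIDENTIAL and re-types, or the system grants a trusted exception to the *-property, which are the two outcomes the post describes.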