11:36 Safety issues of modern os | |
| This post is a criticism of the existing approach to security in the modern operating systems. In addition to critics will suggest ways to address these issues. Considered to be Linux, but I think that the situation is just as deplorable in the BSD and other Unix, including MacOS, Windows on it, too, is spreading. This post is an expression of personal opinion, formed in the last few years using various distributions of Linux and Windows, Mac OS X. What I actually do not like? And I do not like the system users. It is certainly better than nothing, but very weak. All restrictions, rights, and other pieces of safety come from the fact that we do not trust the software: we do not trust the browser, for which there are exploits, PDF viewer, not to mention the new software obtained from unreliable source. Received it in binary form or source code is not particularly affect the situation. Compromised version of the source program, too dangerous. So an exampleAs an example, take your monitor. To do this adequately describe the desired in / etc/X11/xorg.conf. You can do this by running the utility xorgconfig or editing xorg.conf directly into a text editor. But there is but it is: the right to write the file owned by root. Response:1. Xorgconfig run as root, configure, write. 2. Xorgconfig run from yourself, create a configuration file, save your folder and then from the root with cat or cp rewrite xorg.conf. 3. Run from the root text editor and go to edit. 4. With the help of utilities chown or chmod running with root privileges allow users to write to that file, then write custom tools, and then again closed to other nepovadno was. Conclusions:What I do not like: in any case one of the programs receiving Rutaceae right Rutaceae all right! I have a user wanted to only write the corresponding program in xorg.conf, but she can now write passwords and all that wants to create a user, add the kernel module, yes anything! Yes, I understand that we trust software written by the community, but where need security there is no trust. The program comes on the channels of communication, written by men, and even getting good distribution, there is no guarantee erroneous data, which may lead to arbitrary code execution. Example 2Production. Actors: Director (conditional face of the external interface of interaction between enterprises, it also has the highest authority). Security. Turner. Driver. Normal businessActive FirstDirector turner: "Here's a drawing blanks and tools at the warehouse, a period of 3 days." Turner in stock: "Give me the tools and blanks!" Protecting the warehouse: "Since when is fright?" Turner: "And here is an indication of the director and permission to get five pieces in stock and 3 cutter." Security: "Take and sign!" Three days passed, Turner made the details, time of shipment. Act IIDriver leaves from the plant with a load, continuous. Driver: "Open the gates!" Guard: "Why are you taking? We're on it, and guard that someone has got the floor of the plant is not taken out! " Driver:" But the order, invoice, description of the goods and number, date of export and destination, here's an export permit from the plant! " Safety checks documents, checks the load and lets the driver. Enterprise-security-style UnixAct of FirstDirector turner: "Here's a drawing blanks and tools at the warehouse, a period of 3 days." Turner in stock: "Give me the tools and blanks! " Protecting the warehouse:" Since when is fright? " Turner Director:" Do not give anything in stock, no rights. " Director turner:" Here's the complete power of attorney to manage Works on behalf of the director! " Turner:" Thank you " Three days passed, Turner made the details, it's time of shipment. Act IIDriver leaves from the plant with a load, continuous. Driver: "Open the gates!" Guard: "Why are you taking? We're on it, and guard that someone has got the floor of the plant is not taken out! " Driver Director:" Protection of the gate does not open, how I'll take the order then? " Director of the driver:" Here's the complete power of attorney to control plant on behalf of the director! " Driver:" Thank you " Now, about why I wroteIn my opinion, users in the system must conform only to the people, no super-user should not be. Program to be rewritten system configuration file must have the right only to write the file and nothing more. This should be a natural way to continue the Unix way: «One problem - one application" that allows a program to do just what they need. Who should control? Operating system. By definition, the operating system is a software suite to provide client programs access the hardware. So she must control it. The program uses the system functions for working with files and devices, and so these functions and should check whether there is appropriate security clearance. Not so, as is done now, when just checked the appropriate user, and that he can. Even a simple text editor, the user starts editing the file should get the right only to that file and no other! Thank you for reading so many letters. At the moment when the user starts vim with a file name as a parameter to the console interpreter parses a string that causes vim and feeds him to the parameters, in principle, vim can safely ignore this parameter and do whatever he wants with all the user files. One solution lies in the fact that the OS to control what the user wants. Command-line options and system file selection dialog should be handled OS, and only to the files the program should get access. Exactly the same happens when installing programs and packages. The program deletes itself (the script is removed), but it is awful! Is not the OS disk, the program issued for specific files, do not challenge the OS is to manage and issue the program structure? If the restaurant will not be janitors, even if accurate visitor, he will turn into a cesspool. This is a direct function of the OS, to take away from the program what it once was given, rather than politely ask her to samoudalitsya and then not even control what was left. OS installation should benefit from logging that much established that the recovered and deleting back into place. The solutions to the existing UnixPartial crutch to solve these problems is to create a pile of users for different actions, such as user who can only edit xorg.conf and the like, but it's a huge number of users and it is simply impossible to work on that computer will have to remember which user that is allowed to run and all of these users, and a little non-standard action, and once again take root and create the corresponding user to a specific action. The solutions to the new OSI propose to do something like the power of attorney given to the user, ie transfer of rights of the user program, not all. Ie for example, your browser must be able to just ask for information from the network to send information to write your own caches in a specific location on the disk, and save documents in the allotted space on the disk by the user, he should not have read all yuzersky documents. And then refresh your browser is not on https, the user starts it, and all your documents are gone hacker Pete, and nobody noticed. I suggest something like a firewall, not only for networks but also for the drive and other equipment. And most importantly it should not be a sandbox, virtualization, IL car or other interpretive technology, it is possible to implement this in native code, just a function of the operating system must verify that the user has requested and what the program does. Running programs for data processing should make the operating system, and it must know what data the user wants to process and provide the program to only handle them. ConclusionsTo give the program a lot of rights - is bad, you need to completely alter the security system of modern operating systems. Outstanding issues still many illiterate users even more, but I think, to correct the situation needed. UAC from Microsoft is moving in this direction, but somehow crooked. PS: For opechatak and inaccuracies please contact the habrapochtu. A further exampleBased on comments xenon How do you usually (from the shell) running movie: mplayer filename.avi In this case, the program is run mplayer, and it can do all that user can do, but it does not erase all yuzersky files (although it could b - thanks to her), but only reads the specified filename.avi. That if the program is "good" thing that we can not count. I propose that when the mplayer filename.avi MPlayer OS has banned all-all-all, but gave access to filename.avi. The result is that the user has not got up for their rights, and the program received the necessary rights, and can not steal your documents. No additional gestures from the user no. Nick does not interfere with what he clearly written, the system allows, not restrict it. | |
|
| |
| Total comments: 0 | |