by mikewarot 1074 days ago
Unpopular opinion: Secure general purpose computing isn't available for the masses. In fact, most people here on HN don't have access to it either. Our current crop of widely used operating systems all share the same flaw, the ambient authority granted to any program that is run to access anything that the user account is permitted to access.

This causes a host of problems, and almost nobody is aware of them, or incorrectly assigns them to other causes. This results in a patchwork of "solutions" like virus scanners, signatures on executables, and a need for users to be exceedingly cautious about what they do with their computers. Because of this need for caution, users don't feel free to experiment with novel programs or web sites, lest their computer be infected with malware, etc.

Imagine your house without circuit breakers, or fuses. Imagine that there were no widespread use of them. The first shorted cord could potentially take down the power grid, and plunge millions into darkness. We can generally agree that circuit protection is a good idea.

When you run a program, you could explicitly specify the resources it is to have access to, instead of giving access to all of your files and folders. In fact, it doesn't even have to work differently in many cases, just replace the calls to file selection dialogs with equivalent calls to "power boxes" which return file access capabilities for the calling program. This allows the user to quickly and easily work in the manner to which they are accustomed, while simultaneously preventing malicious or just buggy code from accessing anything outside of the wishes of the user, no matter how evil the code is.

Spreading awareness of such systems, incorporating capability based security, is a worthy pursuit over the next decade.

2 comments

Yes, there's much more work to be done here in the open source community, and I think it might have to be done there due to lack of aligned incentives otherwise.

For instance, on platforms such as Android that are meant to be secure in this way, I can't block an app from accessing the internet anytime it wants. Of course, the reason for that is that blocking internet access would also allow blocking ads, which Google has a negative incentive for.

Large corporations always take advantage of the sandboxing for anti-user features as well. In many apps I can download videos on desktop whether they want me to or not using inspect element etc, but this is often tricky or impossible on Android. Again, corporate incentives are aligned against the user.

We also need UX innovations that make granular permission management friendly for average users. I suspect good defaults are half the battle here.

If we use the popup approach for 20+ permissions when users download an app, they'll likely say yes to everything, no to everything or be frustrated at how much time they spend setting up their new app. None of these seem like good outcomes.

Permission management - not part of capability based security. That's the bad thing with the same name that happens on cell phones.

Capability based security is more like cash (an economic capability) in your wallet. You take out $5 to buy something, you can't risk more than $5 in the transaction.

With a phone, it's like you enable access to ALL of your money, effectively forever, in a binary manner. (Unless you remember to turn it off later, or the OS does after 3 months of non-use)

Edit/Append - Capability based security dates back to the 1970s. It's perfectly possible to do it with modern hardware. You just need to protect the OS from applications, which anything with an MMU can do. (Or, if you don't have an MMU, you could just run WebAssembly, which is capability-based)

The key is that instead of giving file names to programs, you give handles (capabilities) at run time, when the user wants to open a file, save, etc. Otherwise the program has NO access to anything by default. (Thus it can't cause unwanted changes anywhere else)
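The "power box" idea from the original post and the handles-instead-of-names point above, as an added example that is not code from mikewarot or anyone else in the thread: the trusted side opens the directory the user picked and hands the "application" a directory handle only (the same preopen scheme WASI uses), so the application has no path-based authority at all. The class and function names, the word-count task and the constructed directory layout are assumptions.

```python
import os
import tempfile
from pathlib import Path

class DirCapability:
    """Unforgeable handle to one directory (hypothetical name). Code holding it
    can open files beneath that directory and cannot name anything outside it."""

    def __init__(self, dir_fd: int, writable: bool = False):
        self._fd, self._writable = dir_fd, writable

    def open(self, name: str, mode: str = "r"):
        # Plain file names only (no '/', no '..'): the handle cannot be used to
        # climb out of the granted directory, whatever the caller passes.
        if not name or "/" in name or name in (".", ".."):
            raise PermissionError(f"refusing non-local name {name!r}")
        if mode == "w" and not self._writable:
            raise PermissionError("capability is read-only")
        flags = os.O_RDONLY if mode == "r" else os.O_WRONLY | os.O_CREAT | os.O_TRUNC
        # O_NOFOLLOW: a symlink planted in the directory cannot redirect the open.
        fd = os.open(name, flags | os.O_NOFOLLOW, 0o644, dir_fd=self._fd)
        return os.fdopen(fd, mode)

def powerbox_grant(path: str, writable: bool = False) -> DirCapability:
    """Trusted shell side: the user's choice is resolved to a handle, once."""
    return DirCapability(os.open(path, os.O_RDONLY | os.O_DIRECTORY), writable)

def untrusted_word_count(docs: DirCapability, name: str) -> int:
    """Application side: it receives a handle, never a path, and nothing else."""
    with docs.open(name) as f:
        return len(f.read().split())

def demo() -> dict:
    # Constructed layout: a granted 'docs' directory plus a sibling 'secret.txt'
    # that the application was never handed a handle to.
    root = Path(tempfile.mkdtemp())
    (root / "docs").mkdir()
    (root / "docs" / "notes.txt").write_text("capabilities not ambient authority")
    (root / "secret.txt").write_text("do not leak")
    cap = powerbox_grant(str(root / "docs"))  # read-only grant
    out = {"words": untrusted_word_count(cap, "notes.txt")}
    attempts = {"escape": lambda: untrusted_word_count(cap, "../secret.txt"),
                "write": lambda: cap.open("notes.txt", "w")}
    for label, attempt in attempts.items():
        try:
            attempt()
            out[label] = "allowed"
        except PermissionError:
            out[label] = "denied"
    return out
```

The escape attempt fails even though the process itself could read `secret.txt`: the application code was simply never given a handle that reaches it, which is the difference between a capability and a permission check bolted onto ambient authority.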

Ah okay. Is it possible to have capability based security in software at all? Or is the definition such that it must be implemented at the hardware level?

The problem of having a "secret" computer (with an operating system) within your computer.

https://youtu.be/1seNMSamtxM

This embedded computer system has access to all your memory devices.

Disabling it? Not convenient.