Operating Systems Need Pervasive Sandboxes
1 point by compsciphd on Feb 19, 2013 | 7 comments
While code will always be buggy, application-oriented hacks shouldn't be that damaging.

Our OSs should be doing more to protect us. We should be applying sandboxes across the board.

Yes, it requires us to think differently about how we construct apps, but there's very little reason my "web browser" needs full access to my computer. In fact, there is zero reason why my banking and general browsing browser sessions shouldn't be running in separate sandboxes. They can be the same underlying binaries, but they should be running as separate processes in kernel-enforced sandboxes with some OS-provided UI sugar to enable the user to differentiate.

Apps shouldn't be viewed as single programs, but as the collection of programs needed to do a job. Your web browser app is firefox, chrome, ... + whatever needs to run in its same space (i.e. plugins). Your banking browser app might be the same underlying firefox, chrome, ... but without any of the plugins.

Of course, web browsers also have external helpers for downloaded content (office apps, media viewers, ...). All one needs is the ability for a program in one sandbox to launch programs in a separate sandbox.

Now, this is a problem, as they can infect that other sandbox (i.e. I don't want a malicious PDF forever infecting my PDF viewing sandbox). But here we can have ephemeral sandboxes. Every time firefox hands off a PDF to a viewer, the OS creates a new sandbox instance that is thrown away once it's finished. Even if you do view a malicious file, its changes would be thrown away once you stop viewing it.

Of course, the big elephant in the room is that, depending on the kernel to provide the proper enforcement, the obvious direction an attacker will take is to try and attack the kernel itself from within the sandbox. However, most of these compromises are user-level compromises, and there's minimal reason our OSs should be allowing them to happen.

Thoughts?
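An added example of the two launch patterns described above (the ephemeral helper sandbox for a downloaded PDF, and the same browser binary run as separate "banking" and "general" instances with separate state). It is not code from the original post and not an existing OS feature; it uses bubblewrap (bwrap) as the kernel-enforced namespace container on Linux. Assumptions: Linux with bwrap installed and unprivileged user namespaces enabled; the `/tmp/untrusted` mount point, the profile directory names, the viewer/browser names and the helper names are the example's own.

```python
"""Ephemeral and per-role sandboxes with bubblewrap (added example, not from the post).

Assumes Linux, bwrap on PATH and unprivileged user namespaces enabled.
"""
import os
import shutil
import subprocess
from pathlib import Path
from typing import List, Optional

SANDBOX_FILE_DIR = "/tmp/untrusted"  # assumed path where the handed-off file appears inside the sandbox


def build_bwrap_argv(program: str, file: Optional[str] = None, *,
                     home: str = os.path.expanduser("~"),
                     persistent_home: Optional[str] = None,
                     display_socket: Optional[str] = None,
                     network: bool = False) -> List[str]:
    """Return the bwrap command line for one sandbox instance.

    /usr and /etc are mapped read-only; /tmp is a fresh tmpfs. $HOME is either a
    fresh tmpfs (ephemeral: everything the program writes dies with the sandbox)
    or a dedicated per-role directory (persistent: same binary, separate state).
    The handed-off file is bind-mounted read-only under SANDBOX_FILE_DIR.
    """
    argv = [
        "bwrap",
        "--ro-bind", "/usr", "/usr",
        "--ro-bind", "/etc", "/etc",
        "--symlink", "usr/lib", "/lib",
        "--symlink", "usr/lib64", "/lib64",
        "--symlink", "usr/bin", "/bin",
        "--dev", "/dev",
        "--proc", "/proc",
        "--tmpfs", "/tmp",
    ]
    if persistent_home:
        # Separate state for a separate role: a "banking" profile directory stands in
        # for $HOME, so it never sees the "general" profile's cookies or extensions.
        argv += ["--bind", persistent_home, home]
    else:
        # Throwaway state: a malicious document can scribble anywhere it likes in
        # $HOME and the writes vanish when the sandbox exits.
        argv += ["--tmpfs", home]
    target = None
    if file is not None:
        target = f"{SANDBOX_FILE_DIR}/{Path(file).name}"
        argv += ["--ro-bind", file, target]
    if display_socket:
        # Needed by GUI programs. Caveat: an X11 socket lets any client read every
        # other client's windows and input, so it is itself an escape route;
        # prefer a Wayland socket or a nested X server per sandbox.
        argv += ["--ro-bind", display_socket, display_socket]
    argv += ["--unshare-all"]          # new user, pid, net, ipc, uts, cgroup namespaces
    if network:
        argv += ["--share-net"]        # only a browser role needs the network back
    argv += ["--die-with-parent",      # no orphaned helpers outliving the launcher
             "--new-session",          # no TIOCSTI injection into the parent's terminal
             program]
    if target:
        argv.append(target)
    return argv


def launch(program: str, file: Optional[str] = None, **opts) -> int:
    """Run the program in its sandbox and return its exit status.

    Fails closed: without bwrap the program is not run at all, rather than
    silently run unsandboxed.
    """
    if shutil.which("bwrap") is None:
        raise RuntimeError("bwrap not installed; refusing to run unsandboxed")
    if file is not None and not os.path.isfile(file):
        raise FileNotFoundError(file)
    persistent_home = opts.get("persistent_home")
    if persistent_home:
        os.makedirs(persistent_home, mode=0o700, exist_ok=True)
    return subprocess.run(build_bwrap_argv(program, file, **opts), check=False).returncode


if __name__ == "__main__":
    import sys
    # Usage (assumed names): launcher.py view <file>   -> ephemeral PDF viewer
    #                        launcher.py bank          -> persistent banking browser
    display = os.environ.get("WAYLAND_DISPLAY")
    sock = f"{os.environ.get('XDG_RUNTIME_DIR', '/run/user/1000')}/{display}" if display else None
    if sys.argv[1:2] == ["view"]:
        sys.exit(launch("evince", sys.argv[2], display_socket=sock))
    sys.exit(launch("firefox", display_socket=sock, network=True,
                    persistent_home=os.path.expanduser("~/.sandboxes/banking")))
```

The browser in the "bank" role and a browser launched with a different `persistent_home` are the same binary and the same image, but the kernel keeps their filesystems, process trees and IPC apart; the viewer gets no network and no writable path that survives it. The `display_socket` caveat is the part practitioners most often get wrong: binding the host X11 socket undoes much of the isolation.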
With all due respect HN is not your blog.


generally when someone uses "with all due respect", they mean they don't have much respect :)

What's the difference between writing this up on a blog and linking to it and just including the content here?


I meant it politely. A terse "HN is not your blog" sounds rude in my opinion. I think manners and social graces are important.

One of the big drawbacks in my opinion is that your post contained no links, because it could not. Because you can't put links in, I think it means less research[1] and effort is put into the post. I also think that setting up your blog somewhere else raises the level of investment ever so slightly, which cuts down on some frivolous posts. Finally, the domain of your link would appear at the end of the post title. I use the domain (and I think others do too) as an information filter.

[1] See http://wiki.qubes-os.org/trac/wiki


I'd also point out that my main motivation in writing this was to provoke discussion (a few links provided, though I probably wish there were more). I honestly figured this was the best way to accomplish it in a centrally located comment area. Though I do take your critique to heart.


Ah. Qubes is interesting. I'd point[1] to my paper in USENIX ATC 2010 (which is a somewhat longer version of my post); it seems they adopted a bunch of my ideas (though perhaps others had them first; none of the reviewers ever called me on them, though).

[1] see http://static.usenix.org/event/atc10/tech/techAbstracts.html... (also useful if you are having trouble falling asleep).


Yep, see EROS and Capsicum.


Yes, though those require things to be seriously rewritten. I'm not convinced this can't work with existing code and putting the changes into the OS itself. Unconvinced apps need fine-grained sandboxing, even if they can benefit from it.
