Wow, it looks like someone has finally decided to create a secure desktop OS.
It only took 30 years, pretty fast I'd say... sigh...
Regarding all the limitations, it seems they are just due to the abysmal design of Mac OS X.
For example, it obviously needs to be possible to request the user to open a directory and get access to all children.
At any rate, I think most file accesses can be handled by:
1. Automatically granting read-only access to system-wide files installed by distribution packages
2. Automatically granting access to ~/.<app>
3. Automatically granting access to files mentioned on the command line
4. Making the GTK/Qt file chooser APIs automagically use the trusted file UI API
5. Perhaps granting access to a file permanently after the first time an application is granted access (so that "Recent files" works)
Note that it is also crucial to redesign the windowing system, so that it is impossible to imitate windows of other applications (as well as making it impossible to simulate input or read input or the cursor position without having focus)
This requires having a trusted process draw the window decorations, and having some way to prevent applications from drawing in their windows in such a way that the user thinks there is a top-level window inside them.
The latter can be done by either:
- Randomizing the color of the title bars every boot, and making it impossible to determine which is the current color (i.e. disallow reading the screen and taking screenshots by untrusted apps)
- Having a bar connect windows to the edge of the screen, as well as an internal border breaking that bar for child windows.
- Always creating new windows maximized and preventing apps from altering the window state (but this requires teaching the user that any window that starts non-maximized is fake, which is not the case on current OSes).
- Not allowing windows to be positioned such that a window is fully contained in another (this also requires teaching the user about it)
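The five file-access rules from the post above, written out as a policy check. This is an added example for this thread, not code from the original comment or from any of the systems named; the app name, home directory, command line, working directory and package-owned file list are constructed assumptions. The main thing it shows beyond the list itself is that every rule is only as good as the path canonicalization in front of it: `..` segments and prefix collisions (`~/.editor` vs `~/.editorbak`) must be handled before any prefix comparison, and a real broker would additionally resolve symlinks and hand back file descriptors rather than paths to close the TOCTOU window.

```python
"""Toy file-access broker for a sandboxed app (added example, not from the thread)."""
import posixpath

READ, WRITE = "read", "write"


def canon(path, cwd):
    """Make a path absolute and collapse '.' and '..' purely as a string.
    Rules 1-3 and 5 compare paths, so an un-normalized '/usr/../etc/passwd'
    must not slip past a prefix check. A real broker would also call
    os.path.realpath() to resolve symlinks; that is skipped here so the
    example runs without touching the filesystem."""
    return posixpath.normpath(posixpath.join(cwd, path))


def under(path, directory):
    """True if path is directory itself or lies strictly below it.
    The trailing '/' prevents '/home/a/.editorbak' matching '/home/a/.editor'."""
    return path == directory or path.startswith(directory + "/")


class FileBroker:
    def __init__(self, app, home, argv, cwd, package_owned):
        self.home = posixpath.normpath(home)
        # Rule 2: the app's own dotdir under $HOME (assumed layout ~/.<app>).
        self.private_dir = posixpath.join(self.home, "." + app)
        # Rule 1: files installed by distribution packages. Constructed list;
        # a real implementation would query the package database.
        self.package_owned = {canon(p, cwd) for p in package_owned}
        # Rule 3: files named on the command line, resolved against the cwd
        # the user launched from. Option-looking args are skipped (simplification).
        self.argv_files = {canon(a, cwd) for a in argv if not a.startswith("-")}
        # Rule 5: grants made through the trusted chooser, remembered forever.
        self.granted = set()
        self.cwd = cwd

    def grant_from_chooser(self, path):
        """Rule 4: only the trusted file-chooser UI, never the app, calls this."""
        self.granted.add(canon(path, self.cwd))

    def decide(self, path, mode):
        p = canon(path, self.cwd)
        if p in self.package_owned:
            return mode == READ            # rule 1: read-only
        if under(p, self.private_dir):
            return True                    # rule 2: ~/.<app> read/write
        if p in self.argv_files or p in self.granted:
            return True                    # rules 3 and 5
        return False                       # default deny


if __name__ == "__main__":
    b = FileBroker("editor", "/home/alice", ["--flag", "notes.txt"],
                   "/home/alice/docs", ["/usr/share/editor/help.txt"])
    for req in [("/usr/share/editor/help.txt", WRITE),
                ("/home/alice/.editor/../.ssh/id_rsa", READ),
                ("notes.txt", READ)]:
        print(req, "->", b.decide(*req))
```

The interesting cases are the ones the rules in the post do not mention explicitly: a traversal through the app's own dotdir (`~/.editor/../.ssh/id_rsa`) is denied because the path is normalized before the rule 2 prefix check, and a neighbouring directory that merely shares the prefix string is not treated as the app's private directory.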
Posted Sep 5, 2012 1:36 UTC (Wed) by geofft (subscriber, #59789)
Most of this is covered -- and attacked -- in the literature, and in particular the literature of years and years ago. People have been caring about secure windowing for ages; the first reference off the top of my head is this 20-plus year-old paper about extending X, but I'm sure you can find older things if you try.
Most of the attacks are along the lines of tricking the users, or relying on them not to pay attention. Randomized titlebar colors seem like they will work about as well as secure pictures for anti-phishing for banks, i.e., not actually that well.
Also, you should look at Qubes, from the previous post, which is actually attempting to be a secure desktop OS.
Sandboxed file access
Posted Sep 5, 2012 9:33 UTC (Wed) by khim (subscriber, #9252)
Also, you should look at Qubes, from the previous post, which is actually attempting to be a secure desktop OS.
Well, it tries to build a secure desktop OS, but, as usual, in the end it'll create a secure server OS. On the desktop the biggest problem is the Dancing pigs problem. MacOS and Ubuntu are trying to solve it by making it inconvenient for the end-user to give full access to the homedir (you need to select files one after another to give them to the application). This works: the user will send a couple of dozen of his (or her) files to-god-knows-where but s/he'll quickly become bored and will just close the program without obtaining these valuable dancing pigs. Not an ideal outcome but much better than what we have today. If you add the ability to request the user to open a directory and get access to all children, developers will start asking for access to /home/<username> right and left and dancing pig trojans will follow.