A better watchdog: Overriding the broken security model

lyx
Posts: 84
Joined: Mon Feb 15, 2010 1:23 am

A better watchdog: Overriding the broken security model

#1 Post by lyx »

Account-based security models - or even all hierarchical security models - are crap. I know, now most readers will want a justification for such a harsh statement, especially since common opinion stresses so hard how important and good account-based access rights are. Still, I won't explain why it sucks (though you can get an idea about it from my responses in the following thread: http://www.portablefreeware.com/forums/ ... f=1&t=5705 ). What I will do instead is explain an alternative proposal and then let you figure out why it provides not only more safety but simultaneously more freedom and power for the user.


The idea goes like this:

First, we need a monitor of all filesystem activity. Something that can intercept all such requests, and then decide to block them or let them happen. I know that this is possible, because that's how resident AV software can work.

Then, the user can select a directory, and choose how "internal" and how "external" access *from apps inside that directory* is handled. Imagine a directory-structure like this:

Code:

C:\
D:\
    MYDOCS\
    MYAPPS\
       FIREFOX\
       NOTEPAD2\
       TOTALCOMMANDER\

Let us assume we select the directory D:\MYAPPS. We now get to decide "how apps inside MYAPPS may access things inside MYAPPS" (internal access), and we get to decide "how apps inside MYAPPS may access things that are outside of MYAPPS" (external access).

More specifically, we are only concerned with write access. Read access is always allowed. There is a little problem with this, which I will get into at the end of this proposal.

Let's start with the easier part - external access. We get to choose either to allow all external access or to block all external access. Thus, everything inside MYAPPS may either access things outside of MYAPPS, or may not. Additionally, we can define exceptions for certain subdirs inside MYAPPS for which the opposite will be true. For example, we can say that things in MYAPPS may not access things outside of MYAPPS, but can make an exception for the subdir TOTALCOMMANDER, because Total Commander is a file manager which we'd want to give full access.

That's already everything there is to external access. You simply select a directory that contains app subdirs, and then say which of them may write outside of that main directory (like a sandbox).

Policing internal access (so, which things in MYAPPS an app inside MYAPPS may modify) works a bit differently, and is the key feature of my proposal. We can say whether internal access should be restricted or unrestricted. If internal access is restricted, then FIREFOX/ may only write to FIREFOX/, NOTEPAD2/ may only write to NOTEPAD2/, and WINCOMMANDER/ may only write to WINCOMMANDER/. Here again we can define exceptions, for example by saying that TOTALCOMMANDER/ may write internally without restriction.

By combining those simple features of internal access and external access, plus exceptions, you can police all your applications properly by setting just a handful of rules for the superdirectory. And it is "set it and forget it" - you don't need to define new rules when you add more applications, unless they require an exception. Making exceptions can be made even easier by letting the user tell the monitor that it should ask the user if any app tries to do something that the current rules do not allow. This can also be used to "monitor" new applications for a while, to see how they behave (thus, you can also use this model to create sandboxes for evaluating new software).

This model is a strongly slimmed-down version of a larger concept of mine. My original concept required a specialized OS and filesystem to do much more - e.g. policing network connections the same way, built-in live lookup of portable dynamic libraries, associations, and a few more things. But since such an OS doesn't exist yet, I came up with the "monitor" version that could implement a subset of these features on top of today's OSes.

---

Problems:

1.
No write access - fine, but what to do about executions? Can a restricted application execute a system app that formats a partition? For the model to work, such "calls" would need to be handled in the context of the caller. That is: if a file in MYAPPS calls "format E:", then the write access of the format application would need to be interpreted as originating from MYAPPS - and thus be forbidden. Another approach - the one which my original concept used - would be that for external access, you do not define which OUTBOUND access is allowed, but instead which INBOUND access is allowed (so, you define if access from outside INTO the directory is allowed). While this is more sane (it's mutual consent: one agrees by making the request - another one agrees by allowing it), it requires that everything on the computer defines if it allows outside write access - which is okay if the OS is designed for this from the ground up anyway, but not okay if we try to "patch" a system that isn't designed for this.

2.
Existing applications aren't designed for this. They spread their crap all across the HDD and into the system, and then want write access to this stuff (e.g. the registry). The only way to keep the model compatible with such applications is virtualization: any disallowed write access would need to be virtualized à la JPE/ThinApp. So, for this model to work in practice, it would need to be part of an application virtualizer.

3.
Not portable - or at least not unless we have admin rights. Since WE are supplying the watchdog (instead of it already being available on the system), we need the rights to execute a system driver (kernel land).
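The superdirectory rules from this post as an added example (not lyx's code, nor any real watchdog): a Python policy evaluator that decides each write request by the internal/external rules plus exceptions, and attributes writes made by a spawned system tool to the calling app, as problem 1 proposes. Class and function names are assumptions; the D:\MYAPPS layout is the post's own.

```python
# Added example, not from the original post: a policy evaluator for the
# superdirectory model described above. Class and function names are
# hypothetical; the D:\MYAPPS layout with FIREFOX, NOTEPAD2 and
# TOTALCOMMANDER is the post's own.
from dataclasses import dataclass, field
from pathlib import PureWindowsPath


def _under(path, root):
    """True if path is root itself or lies below it (compared case-insensitively)."""
    p = [s.lower() for s in PureWindowsPath(path).parts]
    r = [s.lower() for s in PureWindowsPath(root).parts]
    return p[:len(r)] == r


@dataclass
class SuperdirPolicy:
    root: str                      # the superdirectory, e.g. D:\MYAPPS
    external_allowed: bool         # may apps inside root write outside root?
    internal_restricted: bool      # if True, each app may only write inside its own subdir
    external_exceptions: set = field(default_factory=set)  # subdirs with the opposite external rule
    internal_exceptions: set = field(default_factory=set)  # subdirs that may write anywhere inside root

    def app_dir(self, exe):
        """Name of the app subdir the executable lives in, or None if it is outside root."""
        if not _under(exe, self.root):
            return None
        rel = PureWindowsPath(exe).parts[len(PureWindowsPath(self.root).parts):]
        return rel[0].upper() if len(rel) > 1 else ""    # "" = exe sits directly in root

    def effective_origin(self, chain):
        """Problem 1 of the post: attribute the write to the first executable in the launch
        chain (initiator first) that lives inside root, so a system tool such as format
        spawned from MYAPPS is judged as if MYAPPS itself were writing."""
        return next((exe for exe in chain if _under(exe, self.root)), chain[-1])

    def write_allowed(self, chain, target):
        """Decide whether the process chain may write to target. Reads are never policed."""
        app = self.app_dir(self.effective_origin(chain))
        if app is None:
            return True                                  # not governed by this superdirectory
        if not _under(target, self.root):                # external access
            return self.external_allowed != (app in self.external_exceptions)
        if not self.internal_restricted or app in self.internal_exceptions:
            return True                                  # unrestricted internal access
        return _under(target, PureWindowsPath(self.root) / app)   # own subdir only


def default_policy():
    """The post's worked configuration: external writes blocked, internal writes restricted,
    TOTALCOMMANDER excepted from both because it is a file manager."""
    return SuperdirPolicy(r"D:\MYAPPS", external_allowed=False, internal_restricted=True,
                          external_exceptions={"TOTALCOMMANDER"}, internal_exceptions={"TOTALCOMMANDER"})


if __name__ == "__main__":
    pol = default_policy()
    chain = [r"D:\MYAPPS\FIREFOX\firefox.exe", r"C:\Windows\System32\format.com"]  # constructed
    print(pol.write_allowed(chain, "E:\\"))    # False: the format call is judged as MYAPPS
```

A real monitor would feed the same decision function from a filesystem filter driver, which is exactly the admin-rights requirement problem 3 raises.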

carbonize
Posts: 363
Joined: Wed Jan 09, 2008 1:16 am
Location: Bristol, UK

Re: A better watchdog: Overriding the broken security model

#2 Post by carbonize »

Then you end up with something like Windows Vista that asks for permission every time you do anything.

lyx
Posts: 84
Joined: Mon Feb 15, 2010 1:23 am

Re: A better watchdog: Overriding the broken security model

#3 Post by lyx »

No, you don't (I put an equivalent amount of effort into this reply).

carbonize
Posts: 363
Joined: Wed Jan 09, 2008 1:16 am
Location: Bristol, UK

Re: A better watchdog: Overriding the broken security model

#4 Post by carbonize »

No, you're right, your idea is far more complicated and just as flawed as UAC ever was. You are expecting people to specify what directories they want a program to have access to when it is run. 95% of people wouldn't have a clue what is safe and what isn't and would just click allow every time. This is why resident protection such as that provided by SpyBot and Spyware Terminator tends to get uninstalled/disabled, because people either just keep clicking allow when it pops up or just get fed up with the pop-ups.

People want simplicity. Most computer users don't even know what a directory is and have no interest in knowing how a program works. They just want to run the program and have it do what is expected. Or are you prepared to pay for help staff to be constantly answering people when they contact you to say that program X is asking for permission to access directory Y?

lyx
Posts: 84
Joined: Mon Feb 15, 2010 1:23 am

Re: A better watchdog: Overriding the broken security model

#5 Post by lyx »

carbonize wrote:No, you're right, your idea is far more complicated and just as flawed as UAC ever was. You are expecting people to specify what directories they want a program to have access to when it is run.
Really? Care to quote where I said that? If I remember correctly, the whole point of the model was to make this unnecessary, by making a rule that works for most apps on the SUPERDIRECTORY, and then NOT having to make per-application rules anymore.
95% of people wouldn't have a clue what is safe and what isn't and would just click allow every time.
Well, if they don't care, then I guess they deserve to suffer. This model isn't for people who want to beat TANSTAAFL.
This is why resident protection such as that provided by SpyBot and Spyware Terminator tends to get uninstalled/disabled, because people either just keep clicking allow when it pops up or just get fed up with the pop-ups.
Yeah, because their approach sucks and mine avoids just that.
People want simplicity. Most computer users don't even know what a directory is and have no interest in knowing how a program works.
Yup, and as I said, they deserve to suffer, because they want power without responsibility. They want to drive cars without learning the basics of how to use the pedals. I don't care about them - this isn't for them. I don't design for morons. Besides, what these people want and deserve is not a computer, but a tool - thus, they should get a tool, not a computer.

carbonize
Posts: 363
Joined: Wed Jan 09, 2008 1:16 am
Location: Bristol, UK

Re: A better watchdog: Overriding the broken security model

#6 Post by carbonize »

Let's just toss out some examples of programs that would not work in your restricted environment.

1 - Web browsers. I personally like to choose where I download files, whereas your method would limit them to only downloading to their own folder.
2 - Audio player - Unless you're willing to store all your music in the program's folder, then you wouldn't be able to edit tags.
3 - Explorers - As you've already said, Total Commander and its ilk would need full access or be pointless.
4 - Email - You going to store all your email in the program's folder?
5 - Anti virus/malware/spyware - Needs to be able to clean or delete files from anywhere.
6 - Messengers - Same as web browsers for when people send you files.
7 - Compression utilities - Or are we only going to be extracting to the program's folder?
8 - Downloaders/File Sharing/FTP
9 - Image/text editors
10 - Cleaners such as CCleaner

So that's pretty much most of the types of programs people use regularly.

This is why Windows utilises a variation of your idea but only allows programs to write to the user's directory and subdirectories and requires permission to write to any of the core directories.

lyx
Posts: 84
Joined: Mon Feb 15, 2010 1:23 am

Re: A better watchdog: Overriding the broken security model

#7 Post by lyx »

carbonize wrote:Let's just toss out some examples of programs that would not work in your restricted environment.

1 - Web browsers. I personally like to choose where I download files, whereas your method would limit them to only downloading to their own folder.
2 - Audio player - Unless you're willing to store all your music in the program's folder, then you wouldn't be able to edit tags.
6 - Messengers - Same as web browsers for when people send you files.
8 - Downloaders/File Sharing/FTP
9 - Image/text editors
This is solved in my extended concept, by making the root media directory (docs, music, videos, etc.) free-for-all (except perhaps when evaluating new untrusted apps). Media imo should not need protection, because you should have backups of that anyway.
3 - Explorers - As you've already said, Total Commander and its ilk would need full access or be pointless.
7 - Compression utilities - Or are we only going to be extracting to the program's folder?
Those are correct.
4 - Email - You going to store all your email in the program's folder?
YES! PLEASE! Do you know how many clients I have that are annoyed that they cannot easily back up their mail stuff, or put it on a USB stick for on the go?
5 - Anti virus/malware/spyware - Needs to be able to clean or delete files from anywhere.
10 - Cleaners such as CCleaner
Ignoring that they're now obsolete and unnecessary: if you need them, make them a system service (system stuff of course has access to everything).


Let me summarize...

With a well set up system (three areas: system, media, apps), the only things that need exceptions are file management utilities - how many of those do you need, huh? Sounds great to me.

Seriously, can we now get to discussing actual problems with the model (such as those I mentioned at the end of the first post), instead of debunking arguments of people who do not understand the model?
Last edited by lyx on Sun Sep 19, 2010 7:36 am, edited 1 time in total.

carbonize
Posts: 363
Joined: Wed Jan 09, 2008 1:16 am
Location: Bristol, UK

Re: A better watchdog: Overriding the broken security model

#8 Post by carbonize »

lyx wrote:This is solved in my extended concept, by making the root media directory (docs, music, videos, etc.) free-for-all (except perhaps when evaluating new untrusted apps). Media imo should not need protection, because you should have backups of that anyway.
So like Windows user directories, then.
lyx wrote:With a well set up system (three areas: system, media, apps), the only things that need exceptions are file management utilities - how many of those do you need, huh? Sounds great to me.
A lot actually. As a web dev I need to edit files that are in my local server's directory. I have to edit images that are in that folder and sometimes other places. I have to FTP to and from that directory. I have to extract zip files I get sent from clients into that directory and occasionally the reverse.
lyx wrote:
carbonize wrote:5 - Anti virus/malware/spyware - Needs to be able to clean or delete files from anywhere.
10 - Cleaners such as CCleaner
Ignoring that they're now obsolete and unnecessary: if you need them, make them a system service (system stuff of course has access to everything).
Even with your method you could still end up with malware causing redirects in the browser, not to mention wanting to get rid of tracking cookies etc.
lyx wrote:YES! PLEASE! Do you know how many clients I have that are annoyed that they cannot easily back up their mail stuff, or put it on a USB stick for on the go?
This is why I use MozBackup and also have Thunderbird set to store emails on the backup drive.

lyx
Posts: 84
Joined: Mon Feb 15, 2010 1:23 am

Re: A better watchdog: Overriding the broken security model

#9 Post by lyx »

carbonize wrote:
lyx wrote:This is solved in my extended concept, by making the root media directory (docs, music, videos, etc.) free-for-all (except perhaps when evaluating new untrusted apps). Media imo should not need protection, because you should have backups of that anyway.
So like Windows user directories, then.
Similar, but not restricted to "accounts" - you can define anything as a root media folder (so, also a dir on a USB stick). This is the main problem with the model: on an OS that from the ground up is set up for this, and has apps that work according to this, everything would be easy: you'd only need to define which of your own directories contain media, which contain apps and which should be treated as untrusted. But since existing OSes aren't configured that way, you'd need to first make all those rules for system stuff that should already have been there by default. Perhaps this model indeed doesn't work that well on top of existing OSes.

lyx wrote:With a well set up system (three areas: system, media, apps), the only things that need exceptions are file management utilities - how many of those do you need, huh? Sounds great to me.
A lot actually. As a web dev I need to edit files that are in my local server's directory. I have to edit images that are in that folder and sometimes other places. I have to FTP to and from that directory. I have to extract zip files I get sent from clients into that directory and occasionally the reverse.
Fine, if you have a lot of them, just make a superdirectory for apps that should have full access, and then put them all into this. Remember however, that you do NOT need to do that if all you need is access to media, downloads and uploads (webpages and images too are media). You only need to elevate access for apps that should write to other applications or the system.
lyx wrote:YES! PLEASE! Do you know how many clients I have that are annoyed that they cannot easily back up their mail stuff, or put it on a USB stick for on the go?
This is why I use MozBackup and also have Thunderbird set to store emails on the backup drive.
*shrugs* Why make stuff more complicated than it needs to be? Nothing is easier and more flexible than just copying a directory, if you know the basics of file handling. Plus, application settings often are closely related to the application version - apps should be self-contained anyway. Is this portablefreeware.com or did I land on the wrong website?

carbonize
Posts: 363
Joined: Wed Jan 09, 2008 1:16 am
Location: Bristol, UK

Re: A better watchdog: Overriding the broken security model

#10 Post by carbonize »

lyx wrote:*shrugs* Why make stuff more complicated than it needs to be? Nothing is easier and more flexible than just copying a directory, if you know the basics of file handling. Plus, application settings often are closely related to the application version - apps should be self-contained anyway. Is this portablefreeware.com or did I land on the wrong website?
This is why you would fail. As I already stated, 95% of computer users are not computer savvy. If you start making an OS that requires a user to understand directories and how programs work, then you will find yourself only catering to the 5%, and that's not a good business plan. In fact it's as flawed as Google's plans for Chrome OS, where everything is stored in the cloud and nothing is stored on the system and all temporary files get wiped when you shut down.

And just because this site is about portable apps does not mean we are restricted to talking about portable apps.

lyx
Posts: 84
Joined: Mon Feb 15, 2010 1:23 am

Re: A better watchdog: Overriding the broken security model

#11 Post by lyx »

"Fail" at what? People who do not know how to use a computer? I didn't fail at that because they were never my target. People who can only use a tool, need a tool, not a computer. Existing approaches just are an inefficient series of patchworks to cover up this contradiction. I have no intentions of solving the unsolvable.

And business plan? Wherever did I mention this to be a business plan? You may need to scale back your assumptions about me. My intentions are not to fix the world for everyone, but to provide a theoretically efficient means to let people who are capable of fixing their own world fix it. My target is just people who are willing to invest the needed effort to control a computer reliably - I'm trying to do that with as little effort as NECESSARY, not with as little effort as possible at the cost of efficiency.
Last edited by lyx on Sun Sep 19, 2010 8:02 am, edited 1 time in total.

carbonize
Posts: 363
Joined: Wed Jan 09, 2008 1:16 am
Location: Bristol, UK

Re: A better watchdog: Overriding the broken security model

#12 Post by carbonize »

So you'd be quite happy to write an OS that addresses a problem that only exists with users who would not use your product because it would be too complicated for them? Your solution is only aimed at people who don't actually need your solution.

lyx
Posts: 84
Joined: Mon Feb 15, 2010 1:23 am

Re: A better watchdog: Overriding the broken security model

#13 Post by lyx »

carbonize wrote:So you'd be quite happy to write an OS that addresses a problem that only exists with users who would not use your product because it would be too complicated for them? Your solution is only aimed at people who don't actually need your solution.
Perhaps you may "get it" if you put more effort into reading and trying to understand, and less effort into baseless assumptions. You started your whole series of replies by not doing that.

carbonize
Posts: 363
Joined: Wed Jan 09, 2008 1:16 am
Location: Bristol, UK

Re: A better watchdog: Overriding the broken security model

#14 Post by carbonize »

Actually I've been sat here discussing your idea with a programmer friend of mine who has over 20 years' experience as a programmer. He says he likes your idea but agrees that the only people who would see the point of using it are people like us who don't actually need to use it, as we know how to keep our systems secure. Don't get pissy just because I'm pointing out the flaw in your plan.
