Friendly and Secure Desktop Operating System

Timo Sirainen tss at
Tue Oct 28 15:06:22 PST 2003

On Tue, 2003-10-28 at 23:56, Johnson David wrote:
> > Of course it's better to try to prevent them, but I don't think it's
> > really possible without getting on the way of user.
> All security gets in the way of the user.

No it doesn't. I've given a few examples already (open/save service
especially) and there's a few more examples below. If you accept that it
doesn't need to, my ideas would make more sense to you.

> The trick is to balance the inconvenience of the user with the security 
> of the system. That means you can't have a perfectly secure system 
> which will usable. You have to make some tradeoffs. It's hard deciding 
> what to give up.

Sure, there has to be some tradeoffs, but I think it's possible to make
a desktop system which works securely _for most people_ without any user
inconvenience 99% (or more) of the time.

That's what I'd like to get people to believe in. The web page gives
some ideas and examples why I believe it's possible, but if they're not
enough to convince you, the purpose of the page has failed and none of
the few ideas really matter.

Once you believe that such system would be possible, it's just a matter
of thinking all the details.

Do you have any specific reasons to believe why it would not be

> > Operating system MUST prevent malicious software from:
> >
> >  - Modifying or erasing sensitive data
> >  - Transferring sensitive data out of your system
> >  - Affecting other software in any way
> How do you know it's "malicious" software? 

All software by default is potentially malicious and OS should treat it
as such.

> Is the software writing to the 
> first sector of a drive malicious, or merely a utility being run by the 
> administrator to prepare a partition for dual boot?

When installing the software, it would request access for the raw hard
disk device. Yes, that's an inconvenience to user who wants to do it.
Does such user belong to "most of the users" category? No. How often
would you install such software and be required to answer to the
privilege request? Few times at most.

I'm sure you can think of several peculiar software requiring extra
privileges, but can you think of a single such software that's actually
used by considerable percentage of people? Networking is the only
problematic area I can think of.

> > > Here's another: "Word Processors... No privileges needed." Those
> > > who ignore the lessons of history are doomed to repeat them.
> >
> > Oh? What privileges does it need then? My idea of a word processor is
> > that it should be able to read and write document files with it,
> > nothing else. I already described the open/save file service for
> > that.
> I was thinking of two things. First, a whole slew of MSWord exploits. 

Word processor could run each document in separate protected process.
Macro worms and such wouldn't be possible since the worm could affect
only the document itself.

Anyway, that's not an extra privilege. Even given a word processor not
capable of that, exploits couldn't touch more than the files that are
already opened. That's considerably better security than currently,
available to you with no tradeoffs between security and ease of use.

> Second, an observation made by JZW (I think) that says all software 
> expands until it eventually becomes a mail client. 

Well, mail client was the only one in my list that actually required
some privileges.

Anyway, I don't think this is a very good point. One piece of software
doesn't have to do everything. It can ask other software to do things if
it really wants to and still be secure.

For example if word processor wants to have "send this document as
email" functionality, it can just as well prepare the mail and ask
primary e-mail client to send it (which would pop up the mail compose
window asking for destination address - again security without user

I'm not saying that it would be possible to run all existing software
securely with such OS, just that it would be possible to design such OS
and create quite easily software which would run securely without
bothering user with security stuff, and such software could quite easily
be created by modifying existing software.
> Implicitly trusting 
> a class of applications just because they are word processors is 
> dangerous.

Right, that's what I've been saying all along. Don't trust any
application - make it possible to run them securely without bothering
user about it unless absolutely needed.

More information about the freebsd-advocacy mailing list