Reliance on Microsoft called risk to U.S. security

Peter Gutmann pgut001 at cs.auckland.ac.nz
Wed Oct 1 00:21:33 EDT 2003


Bill Frantz <frantz at pwpconsult.com> writes:

>The real problem is that the viewer software, whether it is an editor, PDF
>viewer, or a computer language interpreter, runs with ALL the user's
>privileges.  If we ran these programs with a minimum of privilege, most of
>the problems would "just go away".

This doesn't really work.  Consider the simple case where you run Outlook with
'nobody' privs rather than the current user privs.  You need to be able to
send and receive mail, so a worm that mails itself to others won't be slowed
down much.  In addition everyone's sending you HTML-formatted mail, so you
need access to (in effect) MSIE via the various HTML controls.  Further, you
need Word and Excel and Powerpoint for all the attachments that people send
you.  They need access to various subsystems like ODBC and who knows what else
as an extension of the above.  As you follow these dependencies further and
further out, you eventually end up running what's more or less an MLS system
where you do normal work at one privilege level, read mail at another, and
browse the web at a third.  This was tried in the 1970s and 1980s and it
didn't work very well even if you were prepared to accept a (sizeable) loss of
functionality in exchange for having an MLS OS, and would be totally
unacceptable for someone today who expects to be able to click on anything in
sight and have it automatically processed by whatever app is assigned to it.

Even if you could somehow enforce the MLS-style restrictions and convince
people to run an OS with this level of security enabled, the outcome when this
was tried with MLS OSes was that users would do everything possible to bypass
it because it was seen as an impediment to getting any work done: SIGMA
eventually allowed users to violate the *-property to avoid them having to
re-type messages at lower security levels (i.e. it recognised that they were
going to violate security anyway, so it made it somewhat less awkward to do),
Multics and GEMSOS allowed users to be logged in at multiple security levels
to get work done (now add the 1,001 ways that Windows can move data from A to
B to see how much harder this is to control than on a 1970s system where the
only data-transfer mechanism was "copy a file"), KSOS used non-kernel
security-related functions ("kludges") to allow users to violate security
properties and get their work done, etc etc.

One thing that I noticed in the responses to "CyberInsecurity: The Cost of
Monopoly" was that of the people who criticised it as recommending the wrong
solution, no two could agree on any alternative remedy.  This indicates just
how hard a problem this really is...

Peter.
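An added illustration, not part of Peter's post: a toy Bell-LaPadula lattice in Python that shows why the "read a message at one level, re-type it at a lower one" workflow is exactly a write-down blocked by the *-property, and how the two workarounds described above (SIGMA relaxing the *-property, Multics/GEMSOS logging in at several levels) look in the model. The level names, the `Label` type and the `retype_message` helper are assumptions for the example.

```python
# Added example: minimal Bell-LaPadula checks (not code from the post).
from dataclasses import dataclass

# Constructed linear ordering of levels; compartments form the lattice.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()


def dominates(a: Label, b: Label) -> bool:
    """a dominates b iff a's level >= b's and a's compartments cover b's."""
    return LEVELS[a.level] >= LEVELS[b.level] and a.compartments >= b.compartments


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property: no read up."""
    return dominates(subject, obj)


def can_write(subject: Label, obj: Label, star_property: bool = True) -> bool:
    """*-property: no write down. star_property=False models SIGMA's
    relaxation, where the write is permitted regardless of the labels."""
    if not star_property:
        return True
    return dominates(obj, subject)


def retype_message(session: Label, src: Label, dst: Label,
                   star_property: bool = True) -> bool:
    """A user logged in at `session` reads a message labelled `src` and
    re-types it into a new message labelled `dst`. Returns True only if
    both the read and the write are allowed from that single session."""
    return can_read(session, src) and can_write(session, dst, star_property)


if __name__ == "__main__":
    secret, conf = Label("secret"), Label("confidential")
    # Under the *-property a secret session cannot re-type into confidential.
    print(retype_message(secret, secret, conf))                      # False
    # SIGMA-style relaxation: the same workflow goes through.
    print(retype_message(secret, secret, conf, star_property=False))  # True
    # Multics/GEMSOS-style second login at confidential: it may write
    # confidential but cannot read the secret original, so the user
    # must carry the content across sessions by hand.
    print(retype_message(conf, secret, conf))                        # False
```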

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
