Secure Coding mailing list archives

RE: Hypothetical design question


From: "David Crocker" <dcrocker () eschertech com>
Date: Sat, 31 Jan 2004 00:02:43 +0000

I think part of the solution involves the concept of trust. Consider a system
based on the following:

1. File viewing applications can be marked as "trusted" by the system
administrator. Maybe there is some global certification system that provides
evidence of trustworthiness to the administrator (who may well be the same
person as the end user). The present certificate system could be a start.

2. All trusted viewers have 2 modes of operation:

a) A full mode, in which macros, embedded applications etc. can be executed (if
such things are really necessary); and

b) A "sandbox" mode, in which a file may be viewed but no data on disk modified
(other than writing temporary non-executable files), and no connections made to
the network or to other programs (except for trusted programs invoked in sandbox
mode). In other words, all you can do in this mode is display the document,
print the document, or export it in a "safe" format (without macros etc., e.g.
plain text or CSV).

3. The email client may only use trusted viewers to open attachments, and such
viewers must be invoked in sandbox mode.

This arrangement would surely be better than the present situation.

Either the operating system would have to support the concept of trust, or the
user would specifically have to tell the email client which applications are
trusted. Of course, a trusted application might still suffer from buffer
overflows and other vulnerabilities even in sandbox mode, and it is here that
the operating system has a greater part to play.

David Crocker
Escher Technologies Ltd.
www.eschertech.com
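The mail-client side of the scheme described above, as an added example; it is not code from David Crocker's post or from Escher Technologies. It assumes Linux with util-linux `unshare` and unprivileged user namespaces enabled, viewers that accept a hypothetical `--sandbox` flag, and an administrator's trust list that maps each viewer's absolute path to the SHA-256 of its binary (standing in for the certificate system the post mentions). It covers point 3 (only trusted viewers, always in sandbox mode) and the network and non-executable-temp-file rules of point 2b; the "no data on disk modified" rule needs a mount namespace with a read-only root on top of this, and connections to other programs via X11 or D-Bus are not cut here.

```python
"""Mail-client glue for the 'trusted viewer in sandbox mode' scheme.

Assumptions (mine, not the post's): Linux with util-linux `unshare` and
unprivileged user namespaces enabled; viewers accept a hypothetical
`--sandbox` flag; the administrator's trust list maps a viewer's absolute
path to the SHA-256 of its binary.
"""
import hashlib
import os
import stat
import subprocess
import tempfile
from typing import Dict, List


class UntrustedViewer(Exception):
    """The viewer is not on the trust list, or its binary no longer matches."""


def sha256_of_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_trusted_viewer(viewer: str, trust_list: Dict[str, str]) -> bool:
    """Bind trust to the binary's contents, not merely to its path."""
    if not os.path.isabs(viewer):
        return False
    expected = trust_list.get(viewer)
    return expected is not None and sha256_of_file(viewer) == expected


def stage_attachment(name: str, data: bytes) -> str:
    """Copy the attachment into a fresh private directory as a read-only,
    non-executable file; the viewer gets only this path, never the mailbox."""
    workdir = tempfile.mkdtemp(prefix="attach-")
    safe = "".join(c for c in os.path.basename(name) if c.isalnum() or c in "._-")
    if safe in ("", ".", ".."):
        safe = "attachment"
    dest = os.path.join(workdir, safe)
    with open(dest, "wb") as f:
        f.write(data)
    os.chmod(dest, stat.S_IRUSR)  # 0o400: owner read only
    return dest


def sandbox_command(viewer: str, staged: str) -> List[str]:
    """New user + network namespace: the viewer sees only a downed loopback,
    so 'no connections to the network' holds. Disk isolation (read-only root,
    writable scratch dir only) needs a mount namespace on top, e.g. bwrap."""
    return ["unshare", "--map-root-user", "--net", viewer, "--sandbox", staged]


def open_attachment(viewer, name, data, trust_list, run=subprocess.run):
    """Refuse untrusted viewers; otherwise launch in sandbox mode."""
    if not verify_trusted_viewer(viewer, trust_list):
        raise UntrustedViewer(viewer)
    staged = stage_attachment(name, data)
    scratch = os.path.dirname(staged)
    env = {"PATH": "/usr/bin:/bin", "HOME": scratch, "TMPDIR": scratch}
    # umask 0o177: anything the viewer does create cannot be executable.
    return run(sandbox_command(viewer, staged), env=env,
               preexec_fn=lambda: os.umask(0o177), check=False)


def demo() -> Dict[str, object]:
    """Constructed scenario (nothing is actually launched): a stand-in viewer
    script is registered, an attachment is opened, then the binary is tampered
    with and the next launch must be refused."""
    tmp = tempfile.mkdtemp(prefix="viewers-")
    viewer = os.path.join(tmp, "safeview")
    with open(viewer, "w") as f:
        f.write("#!/bin/sh\nexit 0\n")  # constructed stand-in for a real viewer
    os.chmod(viewer, 0o755)
    trust_list = {viewer: sha256_of_file(viewer)}

    launches: List[List[str]] = []

    def record(cmd, **kwargs):  # stand-in for subprocess.run
        launches.append(cmd)
        return None

    open_attachment(viewer, "../report.csv", b"a,b\n1,2\n", trust_list, run=record)
    cmd = launches[0]
    staged_mode = stat.S_IMODE(os.stat(cmd[-1]).st_mode)

    with open(viewer, "a") as f:
        f.write("# tampered\n")
    try:
        open_attachment(viewer, "report.csv", b"x", trust_list, run=record)
        refused = False
    except UntrustedViewer:
        refused = True

    return {"cmd": cmd, "staged_name": os.path.basename(cmd[-1]),
            "staged_mode": staged_mode, "refused_after_tamper": refused,
            "launches": len(launches)}


if __name__ == "__main__":
    print(demo())
```

The hash check is what makes "trusted" mean more than "installed at this path": a replaced or patched viewer binary is refused until the administrator re-registers it. As the post itself notes, a trusted viewer with a buffer overflow is still exploitable inside the sandbox, so the namespace is there to bound what such an exploit can reach, not to prevent it.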
