Secure Coding mailing list archives
RE: Hypothetical design question
From: "David Crocker" <dcrocker () eschertech com>
Date: Sat, 31 Jan 2004 00:02:43 +0000
I think part of the solution involves the concept of trust. Consider a system based on the following:

1. File viewing applications can be marked as "trusted" by the system administrator. Maybe there is some global certification system that provides evidence of trustworthiness to the administrator (who may well be the same person as the end user). The present certificate system could be a start.

2. All trusted viewers have 2 modes of operation:

   a) A full mode, in which macros, embedded applications etc. can be executed (if such things are really necessary); and

   b) A "sandbox" mode, in which a file may be viewed but no data on disk modified (other than writing temporary non-executable files), and no connections made to the network or to other programs (except for trusted programs invoked in sandbox mode). In other words, all you can do in this mode is display the document, print the document, or export it in a "safe" format (without macros etc., e.g. plain text or CSV).

3. The email client may only use trusted viewers to open attachments, and such viewers must be invoked in sandbox mode.

This arrangement would surely be better than the present situation. Either the operating system would have to support the concept of trust, or the user would specifically have to tell the email client which applications are trusted. Of course, a trusted application might still suffer from buffer overflows and other vulnerabilities even in sandbox mode, and it is here that the operating system has a greater part to play.

David Crocker
Escher Technologies Ltd.
www.eschertech.com
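The trust-and-sandbox design in the post above, modelled as an added example in Python. This is not code from the post or from Escher Technologies; every name in it (Viewer, Mode, Op, Request, decide, open_attachment, SAFE_EXPORT_FORMATS, temp_path) is a hypothetical construction. It assumes the system temporary directory is the only location a sandboxed viewer may write to, and treats plain text and CSV as the "safe" export formats the post mentions. The point it shows is the deny-by-default shape of the sandbox rules and that the email client, not the viewer, chooses the mode.

```python
"""Policy model of 'trusted viewer + sandbox mode' (hypothetical example).

Sandbox rules from the design: display and print are fine; export only in a
safe (macro-free) format; disk writes only to non-executable temporary files;
no network; other programs may be invoked only if trusted and in sandbox
mode; macros/embedded applications never run.  The email client refuses
untrusted viewers and always forces sandbox mode.
"""
from dataclasses import dataclass
from enum import Enum, auto
from typing import Optional, Tuple
import os
import tempfile


class Mode(Enum):
    FULL = auto()      # macros / embedded applications permitted
    SANDBOX = auto()   # display, print, safe export only


class Op(Enum):
    DISPLAY = auto()
    PRINT = auto()
    EXPORT = auto()
    WRITE_FILE = auto()
    NET_CONNECT = auto()
    INVOKE_PROGRAM = auto()
    RUN_MACRO = auto()


SAFE_EXPORT_FORMATS = {"txt", "csv"}   # assumed: formats that cannot carry macros
TEMP_DIR = tempfile.gettempdir()        # assumed: the only writable location in sandbox


def temp_path(name: str) -> str:
    """Helper: a path inside the sandbox's permitted temporary directory."""
    return os.path.join(TEMP_DIR, name)


@dataclass(frozen=True)
class Viewer:
    name: str
    trusted: bool   # set by the administrator (e.g. after a certificate check)


@dataclass(frozen=True)
class Request:
    """One operation a viewer wants to perform while running in `mode`."""
    viewer: Viewer
    mode: Mode
    op: Op
    path: str = ""                       # for WRITE_FILE
    executable: bool = False             # for WRITE_FILE
    fmt: str = ""                        # for EXPORT
    target: Optional[Viewer] = None      # for INVOKE_PROGRAM
    target_mode: Mode = Mode.SANDBOX     # for INVOKE_PROGRAM


def _inside_temp_dir(path: str) -> bool:
    try:
        return os.path.commonpath([os.path.abspath(path), TEMP_DIR]) == TEMP_DIR
    except ValueError:          # e.g. different drives on Windows
        return False


def sandbox_allows(req: Request) -> Tuple[bool, str]:
    """Decide one operation under the sandbox-mode rules; deny by default."""
    if req.op in (Op.DISPLAY, Op.PRINT):
        return True, "display/print permitted"
    if req.op == Op.EXPORT:
        return req.fmt.lower() in SAFE_EXPORT_FORMATS, "export permitted only in safe formats"
    if req.op == Op.WRITE_FILE:
        ok = _inside_temp_dir(req.path) and not req.executable
        return ok, "only non-executable temporary files may be written"
    if req.op == Op.NET_CONNECT:
        return False, "no network connections in sandbox mode"
    if req.op == Op.INVOKE_PROGRAM:
        ok = (req.target is not None and req.target.trusted
              and req.target_mode == Mode.SANDBOX)
        return ok, "may only invoke trusted programs, and only in sandbox mode"
    if req.op == Op.RUN_MACRO:
        return False, "macros and embedded applications are disabled"
    return False, "unknown operation denied by default"


def decide(req: Request) -> Tuple[bool, str]:
    """Full mode is unrestricted by this policy; sandbox mode is checked."""
    if req.mode == Mode.FULL:
        return True, "full mode: no restriction by this policy"
    return sandbox_allows(req)


def open_attachment(viewer: Viewer, requested_mode: Mode = Mode.FULL) -> Optional[Tuple[Viewer, Mode]]:
    """Email-client rule: trusted viewers only, and always in sandbox mode.

    Returns (viewer, mode) to launch, or None if the viewer is not trusted.
    The requested mode is ignored on purpose: the client forces SANDBOX.
    """
    if not viewer.trusted:
        return None
    return viewer, Mode.SANDBOX


if __name__ == "__main__":
    pdf = Viewer("pdfview", trusted=True)
    launch = open_attachment(pdf, Mode.FULL)
    print("launch:", launch)
    for op in (Op.DISPLAY, Op.NET_CONNECT, Op.RUN_MACRO):
        print(op.name, decide(Request(pdf, Mode.SANDBOX, op)))
```

The model deliberately knows nothing about how the restrictions are enforced; it only decides. In a real system the decision would be backed by OS-level confinement, which is the part the post says the operating system has to supply, since a buffer overflow in the viewer would otherwise let it ignore the policy.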
Current thread:
- RE: Hypothetical design question, (continued)
- RE: Hypothetical design question Jason Wilcox (Feb 03)
- RE: Hypothetical design question Robert Shields (Jan 28)
- RE: Hypothetical design question Nick Lothian (Jan 28)
- RE: Hypothetical design question ljknews (Jan 28)
- RE: Hypothetical design question Nick Lothian (Jan 28)
- RE: Hypothetical design question Dave Paris (Jan 29)
- RE: Hypothetical design question ljknews (Jan 29)
- Re: Hypothetical design question David A. Wheeler (Jan 29)
- Re: Hypothetical design question Paco Hope (Jan 29)
- Re: Hypothetical design question David Harmon (Jan 30)
- RE: Hypothetical design question David Crocker (Jan 30)
- RE: Hypothetical design question Alun Jones (Feb 01)
- Re: Hypothetical design question Paco Hope (Jan 29)
- Re: Hypothetical design question Ken Goldman (Jan 29)
- Re: Re: Hypothetical design question Kenneth R. van Wyk (Jan 29)
- Re: Re: Hypothetical design question der Mouse (Jan 29)
- RE: Re: Hypothetical design question Alun Jones (Jan 30)
- Re: Re: Hypothetical design question Jose Nazario (Jan 30)
- Re: Re: Hypothetical design question der Mouse (Jan 31)
- RE: Re: Hypothetical design question Michael S Hines (Jan 30)
- RE: Re: Hypothetical design question Ben Corneau (Jan 31)
- RE: Re: Hypothetical design question Alun Jones (Feb 01)