Current Vista security is ineffective, we need Sandboxes   -   January 18, 2009

Are you aware that every piece of software you install on your computer could be a security risk? Today's operating systems, such as Windows XP, Windows Vista, and MacOS X allow client software nearly unfettered access to your data. This means that any software you install can read your web browser cookies, your instant messenger conversations, your Quicken datafiles, and anything else on your computer. The data can be sifted through, or even uploaded to the Internet. Read on to learn about how unnecessary this unrestricted access is, and how operating systems could better protect your data.

If any software you install could steal your data, you might think you need to learn how to tell the difference between good and bad software. However, even a skilled software programmer can't idenfity whether a piece of software is improperly accessing your data without tens or hundreds of hours of investigation.

I'll give Microsoft some credit for recognizing the need for stricter operating system security. With viruses spreading rampantly and free software being repackaged with Trojan horses at an alarming rate, the operating system is still the front-line of computer security. However, they don't yet deserve applause.

Dubbed UAC (User Access Control), Vista's new security model allegedly increases your computer security by presenting a visually secure dialog during software installation and other high risk events. The UAC dialog dims the screen and warns the user before new software is allowed to access your machine. The dialog reads "Windows needs your permission to continue." Are you qualified to answer this question? Have you determined that the software you are going to run is safe, and won't steal your data? Of course you havn't. You probably couldn't if you wanted to. However, once you accept the dialog, that software has access to nearly all your data.

Instead of answering Vista's dialog box, I have a question for Vista. Why does my instant messenger client have access to my cookies and my Quicken file?

Consider an alternative model of operating system security, known as a sandbox. Software which is placed in a sandbox operates in an enclosed environment. It can only access data within the sandbox. Create a new sandbox for every single application, and now we don't need to trust applications the way we do today. If an operating system put my instant messenger client in a sandbox, it wouldn't be able to access my Quicken datafiles. Which is fine, because it doesn't need to touch them anyhow.

Consider the venerable MSOffice suite. It only needs access to it's own code and data, and the document in question. The user navigates to the document using the explorer or an open-dialog, which could be easily made secure from application tampering. Once a document is selected, the handle to that document alone would be provided to the MSOffice application to do with as it wished.

This concept may seem familiar, because it's exactly the environment under which web applications operate. You interact with a website via a web browser, but each website is a world unto itself. It's not surprising then, that web-technologies such as Java and Microsoft.NET's CLR have done significant work with sandboxes.

My game software should be prevented from accessing my turbotax returns file. A PDF file converter should be prevented from accessing my cookies. I want to run Quicken on the machine without fear that every application I ever install might be able to siphon off my financial details. Windows, please do something to allow me to run installed software without giving it access to all my data.

Windows, please run all applications in sandboxes.

Posted by jeske at January 18, 2009 12:28 PM