Re: Bypassing Personal Firewalls

Hi Johan, 

On Sun, Feb 23, 2003 at 09:13:42PM +0100, Johan Verrept wrote:
> Shaun Clowes wrote:
> 
> >Why do you believe that the responsibility of protecting users from 
> >themselves should be borne by the operating system? People who are 
> >using Personal Firewall systems may indeed want to be protected in 
> >this fashion but I suspect that for most people this is a non-issue.
> 
> Actually, this has little to do with protecting a user from himself, 
> this has to do with protecting one process from another. How do you 
> trust any process you have running if malicious code could have embedded 
> itself and you have no way of detecting this?

The answer is that you don't. I am getting the feeling that I'm out in
the cold here but if you have malicious code running on your machine
there are a myriad of ways it can (and usually will) subvert your
actions. Processes are not entities unto themselves, particularly in
Windows where so many different components interact (most obviously the
GUI with almost anything else).

> >When all is said and done, if malicious code can run under your user 
> >ID then everything you do is compromised, I can't see much point in 
> >giving ourselves a false sense of security.
> 
> Perhaps not. But do you see a good reason to allow any process this much 
> power over another unrelated process? 

Yes, I do. Debuggers can make good use of this functionality, as can
tracers. In fact, this functionality is probably used by 100s if not
1000s of programs out there for all sorts of things (particularly given
that dll injection was first publicly described in WSJ in 1994). As
someone pointed out to me in a private email this functionality is also
used by the system while terminating programs.

> If this kind of power is needed by 
> one process over another, it should be implemented implicitly in both 
> processes or the process should run under superuser UID.

Running on the principle of least privilege I'd rather see less
superuser processing. 

The way I see it is that personal firewalls already go to great lengths
to pervert the behaviour of the system, I think any functionality of the
sort we're discussing here should be implemented by the firewalls and
not the OS. 

To make that point clearer, a firewall system is usually implemented as
a kernel driver, it can intercept any system calls it likes globally and
enforce whatever permissions it deems appropriate on the call. 

Cheers,
Shaun
