Operating Systems Need Pervasive Sandboxes - compsciphd

While code will always be buggy, application-oriented hacks shouldn't be that damaging.

Our OSs should be doing more to protect us. We should be applying sandboxes across the board.

Yes, it requires us to think differently about how we construct apps, but there's very little reason my "web browser" needs full access to my computer. In fact, there is zero reason why my banking and general browsing browser sessions should be running in separate sandboxes. They can be the same underlying binaries, but they should be running as separate processes in kernel-enforced sandboxes with some OS-provided UI sugar to enable the user to differentiate.

Apps shouldn't be viewed as single programs, but as the collection of programs needed to do a job. Your web browser app is firefox, chrome, ... + whatever needs to run in its same space (i.e. plugins). Your banking browser app might be the same underlying firefox, chrome, ... but without any of the plugins.

Of course, web browsers also have external helpers for downloaded content (office apps, media viewers, ...). All one needs is the ability for a program in one sandbox to launch programs in a separate sandbox.

Now, this is a problem, as they can infect that other sandbox (i.e. I don't want a malicious PDF forever infecting my PDF viewing sandbox). But here we can have ephemeral sandboxes. Every time firefox hands off a PDF to a viewer, the OS creates a new sandbox instance that is thrown away once it's finished. Even if you do view a malicious file, its changes would be thrown away once you stop viewing it.

Of course the big elephant in the room is depending on the kernel providing the proper enforcement; the obvious direction an attacker will take is to try and attack the kernel itself from within the sandbox. However, most of these compromises are user-level compromises and there's minimal reason our OSs should be allowing them to happen.

Thoughts?
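The ephemeral-viewer hand-off described in the post, as an added example that is not code from the post or from any project it mentions: the browser's "open with helper" step becomes a small wrapper around bubblewrap (bwrap) that gives each document its own throwaway sandbox. Assumptions: bwrap 0.4 or newer, unprivileged user namespaces enabled, a merged /usr layout, an X11 display, and a placeholder viewer name passed as the first argument.

```shell
#!/bin/sh
# Added example, not from the thread: launch a helper program (e.g. a PDF
# viewer) in a throwaway bubblewrap sandbox, one fresh instance per hand-off.
# Assumptions: bwrap >= 0.4 installed, unprivileged user namespaces allowed,
# merged /usr layout, X11 display; the viewer name in $1 is a placeholder.

SANDBOX_HOME=/home/viewer      # tmpfs inside the sandbox, gone at exit
SANDBOX_DOC=$SANDBOX_HOME/doc  # where the handed-off file appears

# Print the bwrap policy flags shared by every ephemeral viewer instance.
#  --unshare-all     new PID/net/IPC/user namespaces: no other processes,
#                    no network, no shared memory with the session
#  --tmpfs $HOME,/tmp  anything the viewer writes is discarded on exit
#  --die-with-parent the sandbox cannot outlive the browser that spawned it
#  X11 socket is bound so the viewer can draw; that socket is itself a
#  known escape channel, which is where the OS-provided UI layer belongs.
sandbox_flags() {
    printf '%s' "--ro-bind /usr /usr --symlink usr/lib /lib \
--symlink usr/lib64 /lib64 --symlink usr/bin /bin --ro-bind-try /etc /etc \
--proc /proc --dev /dev --tmpfs /tmp --tmpfs $SANDBOX_HOME \
--setenv HOME $SANDBOX_HOME --ro-bind-try /tmp/.X11-unix /tmp/.X11-unix \
--setenv DISPLAY ${DISPLAY:-:0} --unshare-all --die-with-parent --new-session"
}

# Hand one document to a viewer in a fresh sandbox. Returns when the viewer
# exits; by then every change it made has already been thrown away.
#   $1 = viewer binary, $2 = file to open (read-only inside the sandbox)
open_ephemeral() {
    viewer=$1
    file=$2
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    command -v bwrap >/dev/null 2>&1 || { echo "bwrap not installed" >&2; return 3; }
    # shellcheck disable=SC2046  # the flag string is deliberately word-split
    bwrap $(sandbox_flags) --ro-bind "$file" "$SANDBOX_DOC" \
        -- "$viewer" "$SANDBOX_DOC"
}

# Usage: ./ephemeral-view.sh evince ~/Downloads/statement.pdf
if [ $# -ge 2 ]; then
    open_ephemeral "$1" "$2"
fi
```

Each invocation builds a new mount and PID namespace, so two documents opened back to back never share state, which is the "thrown away once it's finished" property the post asks for.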
======
dfc
With all due respect HN is not your blog.

~~~
compsciphd
Generally when someone uses "with all due respect", they mean they don't have
much respect :)

What's the difference between writing this up on a blog and linking to it and
just including the content here?

~~~
dfc
I meant it politely. A terse "HN is not your blog" sounds rude in my opinion.
I think manners and social graces are important.

One of the big drawbacks in my opinion is that your post contained no links,
because it could not. Because you can't put links in, I think it means less
research[1] and effort is put into the post. I also think that setting up your
blog somewhere else raises the level of investment ever so slightly that it
cuts down on some frivolous posts. Finally, the domain of your link would
appear at the end of the post title. I use the domain (and I think others do
too) as an information filter.

[1] See <http://wiki.qubes-os.org/trac/wiki>

~~~
compsciphd
I'd also point out that my main motivation in writing this was to provoke
discussion (a few links provided, though I probably wish there were more). I
honestly figured this was the best way to accomplish it in a centrally located
comment area. Though I do take your critique to heart.

------
wmf
Yep, see EROS and Capsicum.

~~~
compsciphd
Yes, though those require things to be seriously rewritten. I'm not convinced
this can't work with existing code and putting the changes into the OS itself.
Unconvinced apps need fine-grained sandboxing, even if they can benefit from
it.