Slashdot Mirror


A Closed Off System?

AnarkiNet wonders: "In an age of malware which installs itself via browsers, rootkits installing themselves from audio cds, and loads of other shady things happening on your computer, would a 'Closed OS' be successful? The idea is an operating system (open or closed source), which allows no third party software to be installed, ever. Yes, not even your own coded programs would run unless they existed in the OS-maker-managed database of programs that could be installed. Some people might be aghast at this idea but I feel that it could be highly useful for example in the corporate setting where there would be no need for a secretary to have anything on his/her computer other than the programs available from the OS-maker. For now, let's not worry if people can 'get around' the system. If each program that made up the collection of allowed programs was 'up to scratch' and had 'everything you need', would you really have an issue with being unable to install a different program that did the same thing?"

177 comments

  1. Wouldn't a live CD do this? by amanda-backup · · Score: 5, Insightful

    Doesn't a live OS CD such as Knoppix achieve this goal? These are usually built for "everything you need" for a particular purpose. You can still access and create data on disks on that system, but you never corrupt the programs themselves. If all the applications being used are web based, then things are even simpler - simply boot up with Knoppix, open Firefox and you are ready to go.

    1. Re:Wouldn't a live CD do this? by n3v · · Score: 1

      The CD is just one of many possible media that could be altered. The CD may stay the same, but what if a rogue program in memory wrote something somewhere else, or stored its instructions on a remote server? Things may still be exploited in some way in which the original authors did not intend.

      At least a reboot should help the issue ;p

    2. Re:Wouldn't a live CD do this? by hey! · · Score: 2, Insightful

      I don't know if they're still sold this way, but firewalls used to be computers that booted off a live CD. This in a way is even more secure than the flash memory used in consumer devices, because presumably there's a way to remotely flash these units.

      As other people point out, this is not perfectly secure, because this doesn't prevent the device from loading software remotely and running it. However, it does reduce the scope for damage considerably: while you can't prevent data from being lost or corrupted, the real time consumer in recovering from a subverted system is bringing the system back up to a state where you can trust it. You can reboot the system back to its original state, then plug in your updated virus/spyware scanner and run it.

      From a computer science perspective, you can't really "close" a system completely, any more than you can have an organism that runs without RNA: the fact that instructions and data are the same thing is at a deep level part of our very concept of what a computer is. Take a file in a fairly complex format, say Microsoft ".doc". What is that file but a program executed by the Word doc interpreter to create a visual representation of a document? What is Word but a specialized compiler/interpreter for such programs? Thus, most of the non-trivial programs on an operating system are, in a sense, virtual machines. If any of these virtual machines have any kind of flaw, then a malicious programmer can get them to do things the user does not want.

      If you're making a virtual machine, you want to limit what programs running on that machine do on the underlying computer. Sun realized that when they sandboxed Java applets. The problem is that this is too restrictive to be popular with users. So you end up letting the user grant programs access to different resources. At that point, any vision of iron-clad security is gone, a victim of social engineering.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  2. What a load of... by Bin_jammin · · Score: 4, Funny

    fun you must be to think up questions like that.

  3. LiveCD Anyone? by Daxster · · Score: 1

    This sounds suspiciously like a LiveCD or DVD of some sort of *nix variant - OpenBSD sounds good.

    --
    Death by snoo-snoo!
  4. Here we go.... by Rendo · · Score: 0

    Just face it, with the internet as it stands today, no matter what you do, there will always be cases of viruses, malware, spyware, adware, etc etc. The only way to really not be affected by this is to NOT use the Internet, which in the corporate world is basically a no-no. Maybe have a couple of machines that use the Internet when needed and the rest on the server are dead to the net.

  5. Re:Wouldn't a live CD do this? Nope by JumpSuit+Boy · · Score: 1

    You can install software on the livecd. It only exists till the RAM is wiped (restarted), but it runs just fine.

    --
    Oh really?
  6. Windows Group Policy by Ececheira · · Score: 5, Interesting

    Windows has long been able to do this via Group Policy. You can specify that only programs signed with specified Authenticode keys can be run, effectively locking the system. Since all OS files are signed by Microsoft and anything a corporation would need could be signed, then if a corporation wanted a locked-down box, then they'd just specify the allowed keys and block everything else.

    It'd be a huge nuisance but it's possible today.

    1. Re:Windows Group Policy by Anonymous Coward · · Score: 0

      I seem to remember doing something like this in NT4 years ago.

      Locking down workstations is sooo admin 101.

      On Linux I mount anything user writable as noexec - ok there are ways for a user to get around this but it is good enough for us.

    2. Re:Windows Group Policy by woolio · · Score: 1

      Interesting, but what happens when you want to allow an unsigned program?

      And what happens if it wants to update itself (like Acrobat Reader)?

  7. I'd use it by Wizarth · · Score: 3, Interesting

    For office use, a linux distro (such as Debian or Ubuntu) which allowed you to specify the repositories, and not allow modification of the list, would work just fine, in general.

    System admins would only allow updates from the official repository, with a local repository for mirror/caching and business specific software packages.

    I use something like this for my relatives. Give them a linux, don't give them root, make all updates/installations go through me.

    Then print out a poster for my door "setup.exe will not run on your system" ...

    1. Re:I'd use it by Anonymous Coward · · Score: 0

      And who prevents them from installing things in their home-directory, smartass?

    2. Re:I'd use it by 19thNervousBreakdown · · Score: 1

      mount -onoexec dipshit

      --
      <xml><I><am><so><damn>Web 2.0</damn></so></am></I></xml>
    3. Re:I'd use it by morcego · · Score: 2, Interesting

      "noexec" is completely useless.
      Just do: /lib/ld-linux.so.2 YOUR_PROGRAM
      and you can bypass noexec.
      Not to mention shell scripts, perl etc etc.

      --
      morcego
    4. Re:I'd use it by batkiwi · · Score: 1

      Step 1: download a statically compiled binary
      Step 2: run said binary from your home directory

    5. Re:I'd use it by dp_wiz · · Score: 1

      Omg, what a hole...

    6. Re:I'd use it by 19thNervousBreakdown · · Score: 2, Informative

      From man mount (eww):

      noexec Do not allow direct execution of any binaries on the mounted file system. (Until recently it was possible to run binaries anyway using a command like /lib/ld*.so /mnt/binary. This trick fails since Linux 2.4.25 / 2.6.0.)

      --
      <xml><I><am><so><damn>Web 2.0</damn></so></am></I></xml>
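The rule from this sub-thread (mount anything user-writable noexec, and remember that noexec only blocks direct execution) as an added audit script; this is not code from the thread. The list of user-writable mount points is an assumption about a typical box, and the sample mount table is constructed.

```python
"""Audit /proc/mounts-style data for user-writable filesystems lacking noexec.

Added example, not code from the thread. It implements the rule one commenter
describes (mount anything user-writable as noexec) as a check an admin can run.
USER_WRITABLE is an assumption about where users can usually write on a box.
As the man page quoted above says, noexec only blocks direct execution;
scripts handed to an allowed interpreter are not covered by it.
"""
import re
from dataclasses import dataclass

# Mount points ordinary users can usually write to (assumption for illustration).
USER_WRITABLE = ("/tmp", "/var/tmp", "/dev/shm", "/home")


@dataclass(frozen=True)
class Mount:
    device: str
    mountpoint: str
    fstype: str
    options: frozenset


def _unescape(path: str) -> str:
    # /proc/mounts encodes space, tab, newline and backslash as \ooo octal.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), path)


def parse_mounts(text: str) -> list:
    """Parse lines in /proc/mounts format: device mountpoint fstype options ..."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # blank or malformed line
        device, mountpoint, fstype, opts = parts[:4]
        mounts.append(Mount(device, _unescape(mountpoint), fstype,
                            frozenset(opts.split(","))))
    return mounts


def is_user_writable(mountpoint: str) -> bool:
    """True if the mount point is, or lies under, a user-writable location."""
    return any(mountpoint == p or mountpoint.startswith(p + "/")
               for p in USER_WRITABLE)


def find_exec_writable(mounts) -> list:
    """Mount points that are user-writable, mounted read-write, and lack noexec."""
    return [m.mountpoint for m in mounts
            if is_user_writable(m.mountpoint)
            and "ro" not in m.options
            and "noexec" not in m.options]


def audit(text: str) -> list:
    """Run the check over text in /proc/mounts format; returns offending mount points."""
    return find_exec_writable(parse_mounts(text))


# Constructed sample in /proc/mounts format; not captured from a real system.
SAMPLE = """\
/dev/sda1 / ext3 rw,relatime,errors=remount-ro 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sda3 /home ext3 rw,nosuid,nodev 0 0
/dev/sda4 /var/tmp ext3 rw,nosuid,nodev,noexec 0 0
/dev/sr0 /media/cdrom iso9660 ro,nosuid,nodev 0 0
"""

if __name__ == "__main__":
    import sys
    # Pass a path (e.g. /proc/mounts) to audit a live system; default is the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for mp in audit(text):
        print(f"WARNING: {mp} is writable and executable; consider remounting noexec")
```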
  8. On the subject of the CD Rootkit... by GhaleonStrife · · Score: 3, Interesting

    Think about this: If that database included the infamous Sony rootkit as "allowed" due to them laying pressure on whoever maintains it, doesn't it render the whole thing pointless?

    1. Re:On the subject of the CD Rootkit... by bersl2 · · Score: 2, Insightful

      The whole shitstorm over "Trusted Computing" and this are essentially the same topic, and the issue is who has control over the access control list, the user-administrator or some other party. The feature can be used for good or evil, for lawfulness or chaos, just as with any other tool.

    2. Re:On the subject of the CD Rootkit... by CaptnMArk · · Score: 1

      Exactly. Trusted computing is not trustworthy as long as it's Microsoft (or Apple or anyone else) that only has the keys.

      I want to choose myself who I trust or not.

    3. Re:On the subject of the CD Rootkit... by Kjella · · Score: 2, Insightful

      Think about this: If that database included the infamous Sony rootkit as "allowed" due to them laying pressure on whoever maintains it, doesn't it render the whole thing pointless?

      So your argument is basically that because trust can be misplaced, there's no point in having a trust system? Let's remove the classification system because the joint chiefs could be Al-Quaida members. Let's remove all digital signatures because the signing key might have been compromised. The point is who to trust, and also look out for misuse of the word trust. For example, TCPA software is less trustable from a computer security point of view because it can't be audited. For example, I trust the debian signed packages, in the sense that they're official packages of the software and not trojaned versions. Of course, the maintainers of the package may install a trojan but that's a lot less likely. Trust rarely works in absolutes; degrees of trust are the norm. Being on that database would be one of these levels, though honestly I don't see the big problem in corporate environments. Don't give users admin rights, install only serious software downloaded or bought from official sites. I think the actual number of rootkit cases where those procedures are followed is almost zero.

      --
      Live today, because you never know what tomorrow brings
    4. Re:On the subject of the CD Rootkit... by jafuser · · Score: 1

      My first thought when reading this article was that it was meant as a roundabout way to bring up the subject of Trusted Computing.

      For those who haven't seen it yet, this is a very concise video to show to your friends and relatives about Trusted Computing - http://www.lafkon.net/tc/

      --
      Please consider making an automatic monthly recurring donation to the EFF
  9. code isolation by TheSHAD0W · · Score: 4, Insightful

    This would be "mostly secure", but unless strict data-space separation were used it might still be vulnerable to a buffer overflow or similar attack that would allow arbitrary code provided as data to be executed. The attacker would use this opportunity to establish a "beachhead", modifying whatever integrity-checking system the OS is using to allow it to continue to exist.

    1. Re:code isolation by jdhutchins · · Score: 1

      Obviously there will be some kind of attack, no matter what the system. I think the question is mostly dealing with malware and trojans, stuff that doesn't try to break it, but relies on user stupidity.

    2. Re:code isolation by bursch-X · · Score: 1

      relies on user stupidity.

      That's the cracking point. So why don't people rather try to employ people with a brain? That might save costs beyond all the trojan issues etc. If businesses ask for stupid monkeys they get monkeys.

      --
      There are two rules for success:
      1. Never tell everything you know.
    3. Re:code isolation by Vo0k · · Score: 1

      because of stupid monkeys doing the recruitment?

      --
      Anagram("United States of America") == "Dine out, taste a Mac, fries"
    4. Re:code isolation by bursch-X · · Score: 1

      I'm afraid the stupid monkey, more often than not, sits in the CEO's chair. And you know how they hate it when their employees are more clever than they are...

      --
      There are two rules for success:
      1. Never tell everything you know.
    5. Re:code isolation by twistedcubic · · Score: 1

      Because people like to get paid to use their brains.

  10. Question moot. by The+MAZZTer · · Score: 3, Insightful

    "If each program that made up the collection of allowed programs was 'up to scratch' and had 'everything you need',"

    Considering that is impossible, the question is pretty much moot, isn't it? I am always going to find more needs for things, and chances are I'm going to need a new piece of software. Even if an OS shipped with "everything", new things are invented all the time. Maintaining a "Closed OS" to allow for new things would be difficult, and to keep it relatively up to date even more so... but then it wouldn't really be closed if new stuff kept getting added to it...

    1. Re:Question moot. by skiflyer · · Score: 1

      Sure for you... but what about your publicly deployed kiosk... or your call center desktop or whatever. Definitely plenty of applications for such a deployment, I think it's just that this is already accomplishable using read only partitions/live cds/etc.

    2. Re:Question moot. by jam244 · · Score: 1

      Sure for you... but what about your publicly deployed kiosk... or your call center desktop or whatever. Definitely plenty of applications for such a deployment, I think it's just that this is already accomplishable using read only partitions/live cds/etc.

      Even better... boxen designated as Top Secret could benefit from this. Think Raytheon, Lockheed, Northrup, etc.
    3. Re:Question moot. by jbarr · · Score: 1

      A business could certainly define "what it needs" and then actively regulate and manage additional needs. It's just a matter of enforcement of the basic rules and not caving to the whims of vocal and pushy users. The real challenge is making the hard decision as to what the company really needs, and sticking to it.

      --
      My mom always said, "Jim, you're 1 in a million." Given the current population, there are 7000 of me. God help us all!
  11. Depends on the distribution.. by SpookyFish · · Score: 1

    If the group responsible kept up to date by adding "certified" software to keep up with the "joe average" software needs, this could work.

    As someone experienced who regularly uses Linux and Winderz (only with FFox and otherwise properly locked down), I wouldn't use it -- but I would likely switch the parents and other non-savvy friends and family to it quickly.

    Interesting idea.

  12. Treacherous Computing by jZnat · · Score: 3, Interesting

    This is exactly what Microsoft would like to do with Treacherous Computing, although the issue would cover things like security from the user rather than for the user.

    --
    'Yes, firefox is indeed greater than women. Can women block pops up for you? No. Can Firefox show you naked women? Yes.'
    1. Re:Treacherous Computing by MaverickUW · · Score: 2, Insightful

      I hate to say this, but while the idea of security from the user instead of for the user, sounds insane, it's probably very needed and very valid.

      I've done some freelance computer work for people who don't know all the technical stuff about computers. This normally relates to spyware/malware/virii/etc. The grand majority of the spyware and malware is self installed. Downloading cutesy screensavers or cursors or backgrounds that come with all manners of desktop search, search bars. When you have an Athlon 64 3800+ with 2 GB of RAM and 10,000 RPM SATA drives in a RAID array slowed to a crawl because of too much crap (with antivirus and antispyware software installed), something is wrong.

      I've even seen half the spyware removing programs that show up as spyware themselves in AdAware!

      We're getting to a point where security FROM the user is almost if not more important than security FOR the user.

    2. Re:Treacherous Computing by 3vi1 · · Score: 1

      I have to disagree.

      Security FROM the user is fine, until *I* can't turn it off and run the programs that I wrote. And no, I'm not going to spend $50,000 to buy a signed network management package that includes a haphazard partial-implementation of the one feature I actually need.

      But there's the rub: if you can turn it off, or bypass it via a click-through warning, most people will - especially when the screensaver site gives them instructions on how to do it.

      Linux distributions already sign packages with keys. If you add new sources to Ubuntu, you also have to import the associated keys. How does having a company, instead of me, decide which ones should be trusted provide any value?

      If a closed system only provides value to people too stupid to own computers, it provides no value at all: stupid people don't buy the right product for their need anyway. The only way to make sure they buy the right thing is to eliminate all the other choices, and free software with them. That will never fly, because almost every company in the world needs at least one in-house-developed piece of software for some purpose.

  13. Smith-Corona to the rescue! by Onan · · Score: 4, Funny

    Yeah, turns out somebody was doing this for kind of a while. Called them "typewriters" or somesuch.

    Really, much of the value of a computer lies in the fact that it's an extremely versatile device. Choosing to discard all that, and believe that you can know ahead of time every single thing you will ever want to accomplish with it, seems like a pretty bad deal.

    1. Re:Smith-Corona to the rescue! by bcat24 · · Score: 2, Insightful

      But there are some people who use a computer for nothing more than word processing, web browsing, and email. A "closed off" setup might work for them.

    2. Re:Smith-Corona to the rescue! by TheGratefulNet · · Score: 2, Informative

      But there are some people who use a computer for nothing more than word processing, web browsing, and email

      anyone remember the I-opener? that was a closed (qnx) turnkey just-does-this-and-no-more system.

      I don't think the company lasted long, though. too many people (myself included) bought the boxes for $100 and hacked them to get linux and win95 on them. ahh..

      but the idea was kind of ok, for some people. and there was NO way to get viruses or problems when you aren't even running a real multiuser o/s like that.

      oh, and it had a pizza key. a pizza key. wow.

      (I still have that i-opener. I can't even imagine what a pent-120 class machine could be useful for, today, though. it wasn't even a real cpu, it was some cyrix animal, pretty feeble even for its day).

      --
      "It is now safe to switch off your computer."
    3. Re:Smith-Corona to the rescue! by PaulBu · · Score: 1

      anyone remember the I-opener? that was a closed (qnx) turnkey just-does-this-and-no-more system.

      Well, throw in a WiFi chip into it, shrink to 1/4 of the size (1/8 of the volume), as allowed by tech now, and I would not mind carrying such a beast around! ;-) I guess they used to be called 'Palms', or some such, in the earlier days...

      Seriously, a no-nonsense portable connected device - what can be wrong with it?

      Paul B.

  14. OS X by mattjb0010 · · Score: 3, Interesting

    already does this. See here, under "Application Access: You Decide". You can set up another user account for yourself (not just any children) which would be protected. I'm pretty sure Windows has similar things (not sure if you need 3rd party software to do this) and as mentioned, there are live CDs of Linux/BSD/etc.

    1. Re:OS X by zaliph · · Score: 1

      A T-rated video game such as World of Warcraft may be great for your teenage daughter, but you may not want your six-year-old to play along.

      If you want to get any peace around the house you will. Apple Provides, You Relent.
    2. Re:OS X by IntlHarvester · · Score: 1

      OS X's Application Controls isn't anything close to being "secure" -- It's implemented on the Finder rather than the OS level and can be bypassed by any convenient scripting environment (Applescript, MS Office, etc).

      --
      Business. Numbers. Money. People. Computer World.
  15. Already exists! by NineNine · · Score: 0, Offtopic

    As far as I'm concerned, Ubuntu and the other Linuxes are already this. I never figured out how to install *anything* on the damn things. If it wasn't in the catalog, then you had to be a full-time dork to get it working.

    All in all, the experience wasn't bad. There were some good programs in the list. However, maybe just because I've been around PC's for so long, there are certain programs that I wanted to use, and was frustrated that they never worked. I don't know if this would bother regular people.

    The only problem with this is sometimes (often), the catalog titles didn't even work right, then you're stuck with no alternative, and a new, expensive doorstop.

    Suffice to say, I now use Windows.

    1. Re:Already exists! by pete6677 · · Score: 1

      Good point. Not too many office workers or malware writers will install software when it requires recompiling the damn kernel!

  16. Same thinking? by JayTech · · Score: 2, Insightful

    Isn't this the same exact thinking behind the TCPA planned by Microsoft & Co? Where only "licensed" software would be allowed to run? Doesn't sound like a bright idea to me, in fact it sounds pretty scary.

    1. Re:Same thinking? by sqlrob · · Score: 1

      It depends on who controls the keys.

      If the vendor controls the keys, yes, it is scary. If I do, no, it is not.

    2. Re:Same thinking? by vegetablespork · · Score: 1

      If the vendor controls the keys, yes, it is scary. If I do, no, it is not.

      I guarantee it won't be the owner who controls the keys. Thus, it's scary.

      --
      Call (206) 338-5780 COLLECT for information about a genuine BA, BS, MA, MS, MBA, or Ph.D.

    3. Re:Same thinking? by heinousjay · · Score: 1

      Not to cast aspersions on you personally, but your guarantee in this matter posted on Slashdot is worth the price of the bits that carried it to my screen.

      --
      Slashdot - where whining about luck is the new way to make the world you want.
    4. Re:Same thinking? by vegetablespork · · Score: 1

      My guarantee is based on the obvious. Are you asking to make it a bet? How much?

      --
      Call (206) 338-5780 COLLECT for information about a genuine BA, BS, MA, MS, MBA, or Ph.D.

    5. Re:Same thinking? by sqlrob · · Score: 1

      That depends on the implementation. It should be (relatively) simple to make a Linux that only runs signed executables and is given the public key at build time (if such does not already exist), with no key present by default.

      I would have no problem compiling something like that and using it if I needed that level of security.

  17. No. - Re:Wouldn't a live CD do this? by jdogalt · · Score: 5, Insightful

    No. LiveCDs do offer read-only system images. But they do nothing whatsoever to prevent other programs from being run. I.e. programs downloaded from the net, autorun (or manually) from cd. LiveCDs get you the benefit that each reboot resets you to a known state. That is quite different from an OS which only allows programs from a blessed whitelist to execute. One scenario might be the discovery of a way to remotely log into the system. In the livecd case, the attacker can now run whatever program they want, and likely regain entry in an identical fashion should the system be rebooted. What the author of this post is interested in is a system that would not let the attacker with remote login be able to execute any code not on the blessed whitelist. Now mind you, the idea that such a system would be 'invulnerable' is ludicrous. The XBox seems the quintessential example of a system which tried to achieve this design goal. My XBox currently runs ssh, freevo, and any executable I want, proving it is difficult to achieve a successful implementation of such a design. -jdog

    1. Re:No. - Re:Wouldn't a live CD do this? by secolactico · · Score: 2, Insightful

      The XBox seems the quintessential example of a system which tried to achieve this design goal. My XBox currently runs ssh, freevo, and any executable I want, proving it is difficult to achieve a successful implementation of such a design

      Yes, but you had to go out of your way in order to achieve this, right? That is, it's not something that happened because something you downloaded off the net did away with the "protection" MS had installed originally in the machine. (Besides, as far as I know, only the bootloader needs to be on the blessed list).

      Of course, everything is fallible. And besides, if every single executable code had to be signed and verified, how expensive in terms of CPU time would that be?

      --
      No sig
    2. Re:No. - Re:Wouldn't a live CD do this? by jdogalt · · Score: 2, Insightful

      "Out of my way" is as vague a phrase as "should". Yes I had to follow some instructions, but technically I'm also following instructions when I dial my phone.

      Yes the bootloader only needs to be on the blessed list, but in the absence of a blessed bootloader which allows arbitrary code to execute...

      To your last point, signing and verifying every executable is not a heavy CPU tax. The real issue is the granularity, and if you can prevent any executable which intentionally or unintentionally allows arbitrary external code to be executed from getting blessed.
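The allowlist that Ececheira's Group Policy post and this sub-thread discuss, with jdogalt's granularity point, as an added example that is not code from the thread or from any real OS: a content-hash allowlist that also checks the script a blessed interpreter is handed. The sample "programs" and the interpreter-argument heuristic are constructed for illustration.

```python
"""A hash-based execution allowlist: a minimal model of the thread's "database of
allowed programs" and of the granularity problem jdogalt raises.

Added example, not code from the thread or from any real OS. Allowlist entries
and the sample "programs" are constructed in a temp directory for illustration;
the interpreter-argument check is a heuristic that shows why blessing an
interpreter is the hard case, not a complete policy.
"""
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


class AllowlistPolicy:
    """Decide whether a program may run, by content hash rather than by path or name."""

    def __init__(self, allowed_hashes, interpreter_hashes):
        self.allowed = set(allowed_hashes)
        # Allowed programs that execute whatever they are handed (perl, sh, ...).
        self.interpreters = set(interpreter_hashes)

    def check(self, path: str, argv: list) -> tuple:
        """Return (allowed, reason) for running `path` with argument vector `argv`."""
        digest = sha256_file(path)
        if digest not in self.allowed:
            return False, f"{os.path.basename(path)} is not in the allowlist"
        if digest in self.interpreters:
            # Granularity: a blessed interpreter makes any script it loads run, so
            # file arguments must be allowlisted too. Code that does not arrive as a
            # file is not covered, which is why the thread calls interpreters the
            # hard case for such a whitelist.
            for arg in argv[1:]:
                if os.path.isfile(arg) and sha256_file(arg) not in self.allowed:
                    return False, f"script {os.path.basename(arg)} is not in the allowlist"
        return True, "ok"


def demo() -> dict:
    """Build constructed sample programs and report the policy's decision for each."""
    with tempfile.TemporaryDirectory() as d:
        def write(name, data):
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(data)
            return p

        editor = write("editor", b"\x7fELF constructed editor binary")
        perl = write("perl", b"\x7fELF constructed interpreter binary")
        report = write("report.pl", b"print 'monthly report';")
        unreviewed = write("unreviewed.pl", b"print 'never blessed';")
        setup = write("setup.exe", b"MZ constructed unknown binary")

        policy = AllowlistPolicy(
            allowed_hashes={sha256_file(editor), sha256_file(perl), sha256_file(report)},
            interpreter_hashes={sha256_file(perl)},
        )
        return {
            "editor": policy.check(editor, [editor])[0],
            "setup.exe": policy.check(setup, [setup])[0],
            "perl report.pl": policy.check(perl, [perl, report])[0],
            "perl unreviewed.pl": policy.check(perl, [perl, unreviewed])[0],
        }


if __name__ == "__main__":
    for cmd, allowed in demo().items():
        print(f"{cmd:22s} -> {'run' if allowed else 'blocked'}")
```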

    3. Re:No. - Re:Wouldn't a live CD do this? by shadowmas · · Score: 1

      The XBox seems the quintessential example of a system which tried to achieve this design goal.

      I never thought I'd see the day when a microsoft product would be the quintessential example of a high security system :)

    4. Re:No. - Re:Wouldn't a live CD do this? by itwerx · · Score: 1

      The XBox seems the quintessential example of a system which tried to achieve this design goal. ...I never thought I'd see the day when a microsoft product would be the quintessential example of a high security system...

      It's not.
      Re-read the parent post - MS tries to achieve a great deal, they just happen to fail miserably a great deal of the time.

      (Ba-da-bing! Thanks folks, I'll be here all week! :)

    5. Re:No. - Re:Wouldn't a live CD do this? by Anonymous Coward · · Score: 3, Insightful

      What is an executable?

      No, the question is not a joke: What would such an OS do with Active-X and Java? Ok, they support digital signatures and let's believe such a system would work.

      And JavaScript? It's clearly executable, but would it be blocked? Who would use such a computer when 50% of websites are not viewable without JS? Not to mention sites that only exists in the form of one SWF file...

      On a server, JS would not be needed, but usually one needs customization in terms of scripts a.s.o. If the admin could self-sign programs (and would be so careful to only do that with programs he wrote himself and where he is sure that no malware is included) on a second machine, that could work.

    6. Re:No. - Re:Wouldn't a live CD do this? by gurps_npc · · Score: 1

      You are missing the point. The basic idea is that you don't run stuff except what the manufacturer runs. That pretty much means NO web surfing. OK, you might be able to do some minor stuff, but forget about Active X and Java and every thing else that requires a plug in or anything else.

      Currently 95% of the malware that exists comes into your system via the web, so the fact that a truly secure system does not let you use the web should not be surprising.

      What he is talking about is something that works great more like an embedded system. You don't use your car's diagnostic computer to surf the web.

      --
      excitingthingstodo.blogspot.com
  18. Vista + 'DRM' Hardware by nuxx · · Score: 3, Interesting

    Huh. Imagine that... Something which can be done by having a Microsoft OS set to run only signed binaries while running on top of a 'trusted computing platform'.

    As I've said before, this would be a huge boon to IT departments all over the place. I'd love to be able to lock users to running a signed OS only the apps we specifically approve and sign. This would lock out all unapproved software *and* malware. If the OS is secure enough to keep there from being any ways around this, it'll be ideal.

    Oh, and of course, as long as such trusted computing stuffs can be turned off for users who purchase the hardware and don't wish to use it, it's a win-win all around.

    1. Re:Vista + 'DRM' Hardware by Anonymous Coward · · Score: 1, Insightful

      I expect you'll be busier than you think signing software once you get what you've wished for.

    2. Re:Vista + 'DRM' Hardware by the_womble · · Score: 1

      As I've said before, this would be a huge boon to IT departments all over the place. I'd love to be able to lock users to running a signed OS only the apps we specifically approve and sign.

      Why can you simply not give users admin? Am I missing something?

      It's been a while since I used Windows but I can remember working at places where we had to phone IT to get stuff installed because we did not have admin. Is my memory at fault?

    3. Re:Vista + 'DRM' Hardware by Anonymous Coward · · Score: 0

      The problem isn't installing stuff, the problem is being able to run something that's been downloaded. You could even copy and paste a program if you're good enough. That's how lots of malware starts to run.

      dom

  19. Too far? by svunt · · Score: 1

    If you're going to consider limiting users that much, why not simply disable web access or cd players, usb ports etc? I think ultimately, there are several ways to keep a machine safe from intrusion, but it's a compromise for most of us ... functionality vs security. If you want to tilt towards security, in-house systems, disabling activex controls, java, admin access etc are all effective to a certain degree, but much like your concept, sound extremely limiting. I mean, secretaries don't need any software other than pre-installed stuff? Right, what happens when said secretary needs to open an emailed document that requires a reader? It sounds extremely inflexible at a time when flexibility can be very important to businesses. If you wanted to be secure, you could also go back to paper & pencil, registered mail, and pay your bills by armed stagecoach.

    1. Re:Too far? by lanswitch · · Score: 1

      secretaries don't need any software other than pre-installed stuff? Right, what happens when said secretary needs to open an emailed document that requires a reader?

      Flexibility is not a problem. That emailed document will render just perfect in her web-based email. The only upgrade needed would be on the webserver.

  20. console? by minus_273 · · Score: 4, Insightful

    Anyone else think this sounds a lot like the xbox 360? encryption keys and all.

    --
    The war with islam is a war on the beast
    The war on terror is a war for peace
  21. Secretaries and scripts by Dannon · · Score: 1

    Just about every office I've worked at so far has a certain number of menial computer jobs that are unique to the job setting. And many of these menial jobs have been passed off to the secretary. And many times I've been asked to come up with a little push-button application, macro, script, batch file, or something, just to make the job easier.

    And as a software developer, there's just no way a completely closed system is going to work for me....

    --
    Good judgment comes from experience.
    Experience comes from bad judgment.
  22. Have had it for almost 30 years! by JoeCommodore · · Score: 4, Insightful

    Let's see, the Commodore PET, Apple II and TRS-80 were pretty much "can't touch this OS without a hammer" type computers.

    --
    "Enjoy what you're doing! If it becomes drudgery, you're doing it wrong!" - Jim Butterfield
    1. Re:Have had it for almost 30 years! by moosesocks · · Score: 1
      Let's see, the Commodore PET, Apple II and TRS-80 were pretty much "can't touch this OS without a hammer" type computers.


      Well, yes.... but the problem with the Apple ][ was that this was the sort of behaviour Woz encouraged. There was an entire industry dedicated to producing hardware devices that provided functionality that the OS would otherwise not allow.

      On a more serious note, this was definitely a concession to the fact that the processors of the day just weren't able to perform many specialized tasks, which could otherwise have been accomplished via simple circuits. By providing a ridiculously simple hardware interface, the designers of the ][ (mostly Woz) ensured that the machine could perform tasks (albeit not out of the box) that their more expensive competitors couldn't even dream of doing. Today, this is no longer necessary, and we are gradually seeing every hardware interface controlled entirely by software, and expansion slots disappearing from desktop machines. Expansion devices today generally perform very little logic of their own.
      --
      -- If you try to fail and succeed, which have you done? - Uli's moose
    2. Re:Have had it for almost 30 years! by pyrrhonist · · Score: 2, Informative
      Let's see, the Commodore PET, Apple II and TRS-80 were pretty much "can't touch this OS without a hammer" type computers.

      Oh yeah? After booting Apple DOS 3.3 type the following at the AppleSoft BASIC prompt:

      POKE 47616, 96
      Now you can't read or write to a disk. Now that's malware!

      Free karma if you can name what routine I disabled.

      --
      Show me on the doll where his noodly appendage touched you.
    3. Re:Have had it for almost 30 years! by vga_init · · Score: 1

      I don't know how you got modded insightful for your comment; I have an Apple ][e sitting on my desk and there is absolutely nothing bullet proof about it. In fact, the hardware is designed to load and run software stored on a diskette immediately after the system is loaded. Since the system is stored on a ROM, there is no way to change this behavior--you call that secure by default? The software being loaded can do ANYTHING to the system at will. Nearly all DOS virii were spread this way.

      Secondly, once the system is loaded, any user can access a command prompt immediately from which they have unrestricted access to all system resources: disks, memory--you name it. One wrong instruction (or right, depending on what your goals are) can corrupt the system irreversibly until you reboot, and maybe even trash some disks. Malware aside, even normal user programs do this accidentally! Once an old Tandy of ours had the file system on its disk corrupted entirely by a game. Just because the system that's being loaded off of the ROM can't be altered, that doesn't mean the system isn't extremely fragile and insecure after the ROM is loaded. Your data (the most important thing) is still at risk, and malware can have its way with you much more easily.

      With more modern operating systems, scenarios like this are becoming harder and harder to imagine since usually user apps don't have this level of access, but not so with the machines you're referring to. The question posed in the article is asking for a step forward in one direction, and you're advocating 30 steps backwards.

    4. Re:Have had it for almost 30 years! by Anonymous Coward · · Score: 0
      10 ? "^DPR#6"
      SAVE HELLO
    5. Re:Have had it for almost 30 years! by Anonymous Coward · · Score: 0

      99E99 ?

    6. Re:Have had it for almost 30 years! by JoeCommodore · · Score: 1

      I didn't say Apple ][e, I said Apple ][, you know ROM Applesoft basic, cassette port, etc.

      --
      "Enjoy what you're doing! If it becomes drudgery, you're doing it wrong!" - Jim Butterfield
    7. Re:Have had it for almost 30 years! by vga_init · · Score: 1

      The Apple ][e also loads BASIC from the ROM. It also has support for cassette storage, but I don't have any drives for that! You would be right to point out that cassette drives are slightly more secure than the diskette drives (none of that autoboot stuff).

    8. Re:Have had it for almost 30 years! by JoeCommodore · · Score: 1
      I could just see the prompt after a virus infection,

      Program has been modified, please rewind tape, press record then hit [RETURN].

      I'm sure even back then some people would do it.

      Though on most of the programs for the TRS-80 and PET you had to cycle the power to clear up the registers (bad programmers at their worst) so there was very little chance for a virus to spread.

      --
      "Enjoy what you're doing! If it becomes drudgery, you're doing it wrong!" - Jim Butterfield
    9. Re:Have had it for almost 30 years! by bcrowell · · Score: 1

      Totally wrong. In the case of the TRS-80, for instance, you could choose from a variety of operating systems. You could run CP/M on a TRS-80 (although you had to have a hardware mod, because CP/M refused to be relocated at any address other than 0). You could run other third-party OSes such as NEWDOS 80. You could also run any apps you felt like running -- which might have meant (a) typing it in from a listing in a magazine, (b) loading it from a cassette tape, or (c) loading it from a floppy.

  23. Why not CD Boot? by loony · · Score: 1

    I don't quite get the point... If all apps have to be signed before install, then you have a point of attack. Intercept communications, fake checksums, attack the OS providers server, ... wouldn't be much more secure than anything else.

    Wouldn't it make more sense to go back to the live cd concept... You pick everything you need and then make a bootable cd out of that. We did that 10 years ago - was a lot of work but worked great. I'm sure over the years people have written better scripts than the hacks we did back then - but basically you would make a chroot filesystem, put all your apps and do all your testing until stuff worked. Then we created a boot floppy and out of that and the content of the chrooted filesystem, we made a bootable cd. That went into the production server (a high profile site back then that drew tons of attacks) and if the box got hacked, they still couldn't do anything with it.

    That way you have 100% security from the point you were looking at - while still maintaining the ability to add/remove/modify things yourself as you need them...

    Peter.

    1. Re:Why not CD Boot? by DrSkwid · · Score: 1

      > if the box got hacked, they still couldn't do anything with it

      except run any program they choose and have it run until next boot, on a high profile site with plenty of uptime.

      --
      There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
  24. An OS without any 3rd party apps... by FreeMath · · Score: 4, Funny

    You mean like a Mac?

    --
    This sig intentionally left blank.
    1. Re:An OS without any 3rd party apps... by jimktrains · · Score: 1

      I'm not exactly sure why this was modded funny. It should have been flamebait.

      http://www.apple.com/downloads/macosx/

      --
      "You will do foolish things, but do them with enthusiasm." - S. G. Colette
    2. Re:An OS without any 3rd party apps... by Anonymous Coward · · Score: 0

      I'm not exactly sure why this was modded funny. It should have been flamebait.

      Maybe because it's a joke?

  25. The Linux base LTSP system fills the bill by swaha · · Score: 1

    Check out the LTSP system.
    With all the applications based on the server, and no program load allowed it can be just that.
    It is very popular with schools.
    http://desktoplinux.com/articles/AT3124052951.html

    1. Re:The Linux base LTSP system fills the bill by gd23ka · · Score: 1

      I checked out the pictures of the "Grace Lutheran" case study and it creeped me out. I don't
      like seeing kids in uniforms.

  26. No. by Anonymous Coward · · Score: 0

    Sane corporate environments don't allow users to install anything anyway. Non-root user accounts exist for a reason. Most OSes allow you to prevent executables from running from user-writable areas (e.g. in linux, mount /home noexec (see man mount)).

    Your database would have to be tied to specific versions of the software to prevent new features breaking your previously certified model. Of course, this database would prevent you from installing security fixes until the security fix was approved by the DB maintainer. You would have to ensure that the applications that you trusted came from a specific source and matched the configuration that was tested, and if you've done that, you might as well supply a package format that can verify the contents and identity of the file to the database. It'd be nice if you could also provide license and dependency information, etc. Congratulations, you've just invented RPM, or APT, etc.

    1. Re:No. by Anonymous Coward · · Score: 0

      Also, as pointed out by others, signed-only apps are no guarantee of security. See the X-Box's multiple software-only exploits. You only need one application to be exploitable. You can mitigate this risk but you cannot avoid it.

  27. Why not instead..... by ezratrumpet · · Score: 2, Interesting

    ....limit a machine to only outgoing traffic? That would let you use an office suite and send (but not receive) email.
     
    Downside: you'd have to use a CD or flash drive to transfer documents on/off the machine. You couldn't receive email on the machine.
     
    Upside: The only security risk would be by direct access.
     
    Actually, the most secure machines probably aren't even password-protected. If the machine isn't attached to anything but a power cord, and the machine itself is inaccessible, then you've got a secure machine. If you're running Win3.1 or something, it might DIE, but it would be a secure death.

  28. as a software developer... by Xtifr · · Score: 2, Insightful

    ...I would have to say no. At least not by itself. It's pretty hard to develop software if you can't install and test the software you're developing somewhere! ;)

    As a component of a larger, networked system, which had parts where I could install and run the software I was developing, then yes, no problem. But alone, by itself, no, it would be completely useless.

    Of course, there's still some interesting questions about this theoretical beast. Is it scriptable? I often have quick one-off tasks that are best done with a quick script. If I can't run one-off scripts, then it's not "up-to-scratch" and doesn't have "everything I need", and if it can, then it's not a completely closed, locked-down system. The only way around that, even in theory, is to have an infinite number of monkeys providing you with all the scripts you could ever need in advance, and even then, there'd probably be some difficulty finding the script you need right now from that infinite number of scripts. (Not to mention the costs of the infinibyte drives needed to store all those scripts.)

    Bottom line, I think the notion of a machine that does "everything I need" is about as realistic as those old concepts of an irresistible force or an immovable object. Nice for creating logical paradoxes, but completely silly otherwise.

  29. Good idea by mnmn · · Score: 1

    It's a good idea, only it already exists. Kinda.

    Take any Windows, Linux or OSX system, and lock it down till it's just a kiosk.

    There you go!

    This is also doable with a windows98 installation onto a CD. Knoppix comes to mind for Linux. I've also tried setting up a kiosk like graphic OS to go onto a compactflash card that acts as an IDE device. I needed newer apps too many times on it.

    See, a FIXED OS needs to be configured separately for each system since no one's requirement is the same as another's. QNX, Windows CE, PalmOS and ucLinux come to mind. But Windows 2000/XP etc will work too.

    Did you mean an OS DESIGNED that way? The act of installation is managed by the libc and scripts to place it in the right folders. Take away the permissions and remove the scripts that do the installation (Windows Installer) and you're there. There's nothing more to redesign in the libraries or kernel.

    --
    "Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
  30. It would be great if we didnt have pesky choices by Gothmolly · · Score: 1

    You know, all the products in the supermarket are really distracting. What I crave, as a product of modern USian culture and educational systems, is less choice. Why should I have to decide what to do? Surely someone could pick all the useful things for me. Maybe there could be some kind of vote, where we could all just agree to use what everyone thought was best. That would be a perfect world, with no cutthroat competition or need to worry about the future. Shouldn't I be free from worry and uncertainty?

    --
    I want to delete my account but Slashdot doesn't allow it.
  31. not quite! by Xtifr · · Score: 1

    Windows fails both the "up-to-scratch" and the "everything you need" tests! But yes, I agree, it can be locked down, as can most other modern OSes (all of which also fail those two critical criteria--I'm not Windows-bashing here).

    1. Re:not quite! by Telvin_3d · · Score: 1

      I'm not sure you can say that as far as the corporate world goes. By default, Windows and related programs are everything you need because that is what 90% of corporate environments are based on. That is not to say that nothing else is better or has useful features that Windows lacks, but simply that you can easily have everything that you need to run a fully successful office on a Windows, or even a purely Microsoft box.

    2. Re:not quite! by Goaway · · Score: 2, Interesting

      I agree, it can be locked down, as can most other modern OSes

      Oh, so how exactly do you lock down Linux so that only signed software can be run?

    3. Re:not quite! by Anonymous Coward · · Score: 0

      # <device> <mount point> <type> <options> <dump> <fsck pass>
      /dev/hda1 /     ext3 defaults 0 1
      /dev/hda2 none  swap defaults 0 0
      /dev/hda3 /var  ext3 noexec   0 2
      /dev/hda5 /home ext3 noexec   0 2

      Not quite the same, but the same result if you are careful about root.

    4. Re:not quite! by LLuthor · · Score: 2, Interesting

      /lib/ld-linux.so /home/me/whatever/binary

      glibc needs a rewrite before noexec becomes useful.

      --
      LL
    5. Re:not quite! by ocelotbob · · Score: 5, Informative

      SELinux policies. You can configure SELinux to have a default deny to execute files that aren't on an approved list of executables, and also ensure that only trusted persons have access to change those files.

      --

      Marxism is the opiate of dumbasses

    6. Re:not quite! by Anonymous Coward · · Score: 0

      Again, this is closed as of kernels 2.4.25/2.6.0

    7. Re:not quite! by OmegaBlac · · Score: 2, Informative
      As was stated before and if you bothered to read the man page for mount you would realize that this problem has been resolved--a few years ago! From mount man page:
      (Until recently it was possible to run binaries anyway using a command like /lib/ld*.so /mnt/binary. This trick fails since Linux 2.4.25/2.6.0.)
      Please stop spreading outdated information.
    8. Re:not quite! by Goaway · · Score: 1

      Not quite the same indeed. That doesn't let you actually run signed software. And it's got a security hole as big as your head waiting to happen. Leave just *one* directory outside of /var or /home writable...
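
      The "leave just one directory writable" gap above is easy to audit for. The script below is an added example, not something posted in this thread: it reads a mount table in /proc/mounts format and prints every mount that is read-write but lacks noexec. The sample table is constructed to match the fstab given earlier in the thread (/var and /home noexec) plus the tmpfs mounts a typical distribution adds by default; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example: find mounts that are writable but not noexec, i.e. the
# places a user (or an exploited daemon) can drop and run a binary even
# though /home and /var are locked down. Input is /proc/mounts format:
#   device mountpoint fstype options dump pass
# Kernel pseudo filesystems are skipped; they are not writable stores.

# Constructed sample standing in for /proc/mounts on a box built from the
# fstab in this thread, with the tmpfs mounts most distributions add.
SAMPLE_MOUNTS='/dev/hda1 / ext3 rw,relatime 0 0
/dev/hda3 /var ext3 rw,noexec,nosuid,nodev 0 0
/dev/hda5 /home ext3 rw,noexec,nosuid 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
proc /proc proc rw 0 0
sysfs /sys sysfs rw 0 0'

# Decide from one option string whether execve() can succeed there:
# returns 0 (yes) unless the mount is read-only or noexec.
opts_allow_exec() {
    case ",$1," in
        *,ro,*|*,noexec,*) return 1 ;;
    esac
    return 0
}

# Read a mount table on stdin; print the mount point of every entry
# where opts_allow_exec says execution is possible.
find_exec_mounts() {
    while read -r dev mnt fstype opts rest; do
        case "$fstype" in
            proc|sysfs|devpts|cgroup*|securityfs|debugfs) continue ;;
        esac
        if opts_allow_exec "$opts"; then
            echo "$mnt"
        fi
    done
}

# Run against the constructed sample, then against the live system if
# the script is running on Linux.
printf '%s\n' "$SAMPLE_MOUNTS" | find_exec_mounts
if [ -r /proc/mounts ]; then
    find_exec_mounts < /proc/mounts
fi
```

      On the sample the output is "/", "/tmp" and "/dev/shm": root has to stay executable for the system to boot, but the two world-writable tmpfs mounts are exactly the hole the fstab forgot. Two caveats worth keeping in mind when reading the results: the ld-linux.so trick quoted from the mount man page is closed since 2.4.25/2.6.0, but noexec only stops execve(), so "sh /home/me/script" or "python /tmp/x.py" still runs because the interpreter merely reads the file; closing that needs a policy on what the interpreter may open, which is where the SELinux answer above comes in.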

  32. real solution would be by josepha48 · · Score: 1
    more of a diskless system.

    You would have the OS installed on a flash memory drive. Either its in the system ( embedded like ) or its a plugin card like sd stick. Read only though. You have memory that you can use as program running space. You can save data to external system like flash drive.

    Lastly, you would run applications from a second flash drive.

    Think of a Linux-on-CD kind of system (or other OS) with no hard drive, and you save your data on a flash drive. All programs are on the CD. You can only read and save data to the flash drive, but not run programs from it. You'd have to remove the command prompt, and a few things from a linux distro to do it though.

    --

    Only 'flamers' flame!
    Does slashdot hate my posts?

  33. You still have to worry about phishing. by Inoshiro · · Score: 1

    Unless your system is 100% proven for all inputs (of the input classes you are using), there is the possibility that an attacker can feed an input for which your program's state machine does not halt (and, instead, goes into other states, perhaps escalating privileges or otherwise doing anything).

    So this means you either have completely disconnected systems, or you only use things like Spin which are provably correct.

    --
    --
    Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
  34. *groan* by voice_of_all_reason · · Score: 4, Insightful

    ...it could be highly useful for example in the corporate setting...


    Oh, for fuck's sake! Don't give them any more ideas.

    The extra cost of technology staff and the risk of a shittastrophe are nothing compared to abysmal employee morale. If you don't let 'em stroke off for a few minutes a couple of times an hour by going to ebay or playing snood you're going to end up with a resentful staff. And they'll produce awful, crappy work for you.

    1. Re:*groan* by dosius · · Score: 2, Insightful

      Employer: That's not what I fucking hired them for, they're here to work for me.

      Me: I would leave the internal network detached from the Internet and remove all external sources of input except the keyboard/mouse, and put the OS on something read-only. Nothing gets in, nothing gets out. Works for work, not for play.

      -uso.

      --
      What you hear in the ear, preach from the rooftop Matthew 10.27b
    2. Re:*groan* by mOdQuArK! · · Score: 0
      Employer: That's not what I fucking hired them for, they're here to work for me.

      Employee: "Employer is an asshole. I hate this job. I wonder how much I can slack off without getting fired - hell, even if I get fired I'd be just as happy. I wonder if Employer knows about Joe embezzling company funds? Hell, it's not my money...who gives a damn about that asshole Employer, serve'm right to go bankrupt..."

      Any employer with the attitude you have described is basically incompetent, and will receive the quality of services from their employees that the employer deserves.

    3. Re:*groan* by DrSkwid · · Score: 2, Insightful

      Access to the internet is NOT an entitlement at work.

      At least not where I live. Do you have internet terminals for employees at the gas station ?

      Are the guys at the foundry revolting because they can't browse eBay while waiting for the steel to cool ?

      Soft in the belly workers need to wise up.

      --
      There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
    4. Re:*groan* by Anonymous Coward · · Score: 0

      Wise Up, eh?

      So it's fine for the BOSS to come in at 8:37 every morning even though *YOU* are supposed to "wise up" and "be on time" by 8:01 sharp.

      This attitude is all about "I hired you, I own you, screw you".

      So the bright employees .. will leave, even if it takes them a while to orchestrate.

      See the July 11 2006 article in the Wall Street Journal about abuse employers.

    5. Re:*groan* by Anonymous Coward · · Score: 0

      Isn't that the fucking problem? Everyone has a computer at home to jerk off with. People these days feel entitled to do personal shit
      on their computers at work. I do it all day long, tons of stuff. Edit audio files, rip DVD's, copy CD's, IM, email, ebay, slashdot. I feel
      like if I get my job done (desktop support...) I can fill the time in between with these things. But even the guys in the mailroom
      are playing tetris or some new flash bullshit game. The guys at the helpdesk have taken to openly watching video (southpark, 24,
      whatever) on laptops at their desks in between calls. If they would just pay people better they would work harder. The problem
      is people are resentful that they are barely scraping by and don't love their job because of that. (I never see the $250,000 plus range
      people jerking around at work, really...) Problem is, the economic system is built so that the people at the top have surplus money
      at the expense of the people on the bottom.. who always need more than they can get. WAKE UP AND SMELL THE REVOLUTION!

    6. Re:*groan* by fishybell · · Score: 1
      "stroke off for a few minutes a couple of times an hour" ?!!!


      So 2-3 minutes, twice every hour, for eight hours. That's 32-48 minutes of jerkin' it a day: a serious personal problem, and definitely not something I'd want my fellow employees doing during work.

      --
      ><));>
    7. Re:*groan* by voice_of_all_reason · · Score: 1

      I thought some people would read it that way, but I was actually quoting the episode of futurama where time starts skipping forward randomly.

      Professor: "Did everything just jump around, or did my brain just stroke off there for a second?"

    8. Re:*groan* by DrSkwid · · Score: 1

      yeah, wise up. If I am the BOSS I can walk in the office whenever I damn well please.

      But that's not what "where's my internet?" is about.

      Why not ask for a goddam TV on your desk ?

      Not giving you internet access isn't "employee abuse". Jeesh

      --
      There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
    9. Re:*groan* by LoudMusic · · Score: 1

      ...it could be highly useful for example in the corporate setting...

      Oh, for fuck's sake! Don't give them any more ideas.

      The extra cost of technology staff and the risk of a shittastrophe are nothing compared to abysmal employee morale. If you don't let 'em stroke off for a few minutes a couple of times an hour by going to ebay or playing snood you're going to end up with a resentful staff. And they'll produce awful, crappy work for you.


      *** INSANELY OFF-TOPIC REPLY ***

      While I completely agree with your sentiment, I have to question when it became OK for professional employees to generally goof off and dick around for HOURS every day. We are some lazy sons-a-bitches.

      Office Space (1999)

      Peter Gibbons: Yeah, I just stare at my desk, but it looks like I'm working. I do that for probably another hour after lunch too, I'd say in a given week I probably only do about fifteen minutes of real, actual, work.

      I'm not that bad, but I'm definitely not putting in 40 hours of work in a week. What has caused this? Is it purely computer / internet related, or have employees been wasting absurd amounts of company time for several decades?

      --
      No sig for you. YOU GET NO SIG!
  35. What is so great about "OS-maker"? by Sloppy · · Score: 1

    I think it's fine (in some situations) for some central authority to be the one who decides what can be run on their computer.

    What I don't get, is why the "OS-maker" would be that authority. Look at just who happens to be the OS-maker with the greatest marketshare, and ask yourself: should someone with that reputation for [in]security, be the one who is in charge? They practically invented the concept of having browsers that automatically install malware and media-insertion that installs rootkits.

    Locking down computers? Maybe a good idea. OS-makers locking down computers? Sounds like putting the fox in charge of the henhouse.

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  36. Video game consoles by philmack · · Score: 1

    Video game consoles have been doing this for a long time. What you describe is exactly what an Xbox is... a computer with an operating system that only allows the user to run signed code (unless the users "get around" it... to show how viable this idea is) while only allowing the user to save documents.

    1. Re:Video game consoles by Anonymous Coward · · Score: 0

      Likewise for the PS3. Then again Xbox is worse as it is in the ROM and in the OS while the PS3's is in the level two OS (a guest OS to the hypervisor OS).

  37. Hypothetical question: "lusers" as decoys by Kadin2048 · · Score: 4, Insightful

    Speaking as a user who understands their computer reasonably well and doesn't click on stuff just because animated characters tell me to, would this be a good thing?

    If we (hypothetically) closed off the "stupid user" vulnerabilities that are the major attack vectors right now, wouldn't the malware authors instead just concentrate on other, more technical, avenues of attack?

    Here's my thought: maybe having systems vulnerable to idiot users is actually a good thing for the informational ecosystem as a whole. They're more than just the canaries in the coal mine (although they serve that function, too), they provide a steady stream of marks for the virus/trojan/malware writers and phishing-scheme authors of the world.

    If these people weren't able to basically throw themselves on the swords of their own stupidity on a regular basis, couldn't this just lead to smarter malware, which affected more of us (not just the stupid/ignorant)?

    Malware authors are inherently lazy and opportunistic. While there are still lots of "the monkey told me to click it so I did" people around, and ways to exploit this idiocy, that's what they're going to do. They're not going to mess around with esoteric buffer overflows to steal your information, when they can just send out some fake PayPal emails and watch the data roll in.

    Given the choice, I'd rather have the primary attack vectors be ones that rely on user stupidity, rather than technical flaws, because 0-day technical flaws are too 'egalitarian,' attacking both the clueless user and the experienced person without warning. Personally, anything that keeps the collective attention of the Russian Mafia focused on people too dumb to check the URL line in IE before typing in their bank account information is a good thing in my book.

    I know this isn't a very nice sentiment to hold, but if there was some hypothetical way to remove user stupidity as a vulnerability (not possible, so this is all just a mind game), maybe we'd be better off not implementing it?

    I'm not suggesting that we shouldn't attempt to educate people on good computing practices, but if people are too lazy or disinterested to become educated, maybe in their laziness they can do the rest of us a favor by acting as the collective decoys?

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
    1. Re:Hypothetical question: "lusers" as decoys by Neoprofin · · Score: 1

      You could say the same thing about locking your doors at night making burglers smarter because they can't just walk right in.

      There's a certain level of difficulty where it no longer becomes easy enough and profitable enough to be a malware producer, and if we could simply bring everyone up to that level I think we'd all be better off. Sure some of them would stay in business, just like some criminals have no issue kicking down doors and smashing windows, but a lot can be accomplished by eliminating so-called "casual theft" where valuables are just left out in the open.

    2. Re:Hypothetical question: "lusers" as decoys by Blue_Wombat · · Score: 1

      I had an employer who went for the "stupid user - let's close everything off" business model, presumably because they thought it would save them on IT support costs. They ignored the howls of protest from we who basically knew what we were doing, used more than MS Office to do our jobs, and were used to having c:\drive and admin access to tweak the tools of our trade to work the way we wanted. (NB: we were mostly in relatively highly paid specialist roles). It saved them a bomb on technical support - I left, so did most of my colleagues, and there were virtually no staff left to support. Last I heard they were desperately trying to recruit, and were in deep trouble with key clients because they couldn't provide the level of service that they were expected to.

  38. Why? by aoteoroa · · Score: 1

    It sounds like going overboard to solve the problem. Like designing a house to be hurricane proof when you are building in Oregon.

    Linux has long had the ability to be installed on read only media. So your dream system already exists.

    Even windows provides enough security to solve the problem. Running as a standard user I feel my windows computer is fairly safe from browsers, rootkits installing themselves from audio cds, and loads of other shady software.

    It's a bit of a hassle sometimes. I moved from one timezone to another and can't change the time on my computer's clock. It's been about 8 months now and I still haven't bothered logging in as administrator to change the time.

  39. Xbox? by ka9dgx · · Score: 1
    Isn't this exactly what the X-box is? A closed, locked down system... which totally prevents the execution of third party applications.

    Of course, it's not secure if anything running anywhere has the ability to modify the system files.

    --Mike--

  40. Too simple a model by 0biter · · Score: 1

    This model is predicated on, I think, a fairly simplistic conceptualization of software. It seems to assume that one can draw clean borders between pieces of software, i.e., that a web browser, a word processor, or an image editor is a discrete unitary entity. The reality is quite far from the truth of plug-ins, extensions, proprietary data formats, competing standards, and the inevitable need to communicate with an external world that is constantly changing.

  41. Not on my PC by egarland · · Score: 2, Insightful

    I have no problems with this setup if the computer is my Cell Phone. My PDA could be setup to only run signed apps, that wouldn't bother me much. But my PC isn't really a PC without the ability to accomplish arbitrary tasks.

    The concept is also flawed. Just because something isn't an executable doesn't make it not contain instructions that tell your computer to do something. Word macro viruses are a great example of this kind of problem. It's just a simple word processing document.. but it can also be a virus. The .mp3 and .jpg buffer overrun bugs are great examples of this too. A format that doesn't even include programability can be used to induce your computer to do something against your will.

    This is not the answer to computer security.

    --
    set softtabstop=4 shiftwidth=4 expandtab nocp worlddomination
  42. Here's my solution. It's pretty simple. by Anonymous Coward · · Score: 0

    I dual boot Linux and Windows.

    I use Windows on the rare occasions I need it but Windows is NEVER connected to the Internet. Linux is.

    Problem solved.

    Seriously, this has worked well for me for several years now.

  43. Sounds familiar... by Arceliar · · Score: 1

    You know, I think I have a computer made like this. It only runs software provided specifically for it and signed by the vendor's company. It's called an X-Box, and I use it to run linux. *Evil laughs*

    Seriously though, think about it: that's essentially how the recent generations of game systems have gone. Specialized hardware with software built for one purpose, signed by the vendor so that nothing else can run. And as xbox-linux shows, there will always be ways to circumvent this without direct access to the hardware.

    My advice would be to steer clear of an actual live CD/DVD itself, due to the significantly reduced speed of such a system. In the case of Linux, just go with a setup where the majority, if not all, of the filesystem is read-only to the user. Or, beyond that even, have the main filesystem contain a loopback read-only filesystem. A great example would be Damn Small Linux: it can copy the disc image to the hard drive, and it doesn't take a lot to set up a kernel to read from that on boot. And in that particular case, DSL is modular, so adding approved software doesn't take a lot of effort.

    Another potential candidate would be something like dyne:II, similar to DSL in its live and extensible nature, but it has a much larger software library to choose from by default.

    Of course, users will always need to save their documents and such somewhere. Retaining the ability for a less-than-computer-literate user to perform basic tasks such as saving the vacation photos of their grandkids in an email attachment, while keeping the rest of the system closed off but still functional, can be quite difficult to do without accidentally leaving a door open which could let in something potentially malicious.

    But then again, what is life without risk?

  44. GPL 3 by Plautius · · Score: 1

    So, I'm not meaning to troll, but a likely implementation is some sort of signing of the code that would be allowed to run, and someone would have to hold the private keys. Is this against the terms of GPL 3? Would this be effectively like a DRM technology? My understanding of GPL 3 is mainly based on the threads on linux-kernel where Linus explains why he thinks that GPL 3 would be bad for Linux. It would be interesting to see if one could have a slightly more flexible system where I could sign the code I allow as a method of virus prevention. Usually Ask Slashdots are pretty OT, but I find this one fascinating.

  45. Do you understand? by Spazmania · · Score: 1

    Do you understand the Secretary's job? I mean really understand it, the official and unofficial parts. Do you understand it enough better than she understands it so that you can build a computer that does all of the things she needs and wants it to do? And don't forget, it needs to do everything her boss decides she needs to do with it.

    I'm not -that- smart and I'll bet that you aren't either.

    There are places where a closed OS works. Think wireless router or Internet appliance. But the desktop? Not so much.

    --
    Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
  46. Symbian OS 9.1 for cell phones. by S3D · · Score: 2, Informative

    Symbian OS from v9.1 is very close to being a "Closed OS" (pun intended). If an application uses any "capability" (for example the camera API), i.e. anything but the most basic functions, it should be signed, that is, endorsed by a "test house" which has a license from Symbian itself. Third-party applications are still possible, but only from certified developers. So if Symbian v9.1 is any success, there will probably be more closed OSes in the future.

    1. Re:Symbian OS 9.1 for cell phones. by James_Duncan8181 · · Score: 1

      To be fair, I have just purchased a Symbian phone and the option to install unsigned apps is toggleable. And I'm glad it is, someone ported Putty.

      --
      "To any truly impartial person, it would be obvious that I am right."
  47. Application signing is not a silver bullet by bit01 · · Score: 1

    There's nothing special about application signing. Making your existing read-write partitions and any mounts no-execute is the equivalent of saying all existing applications are signed and no others are, and would solve this problem.

    Application signing can be compromised just as much as the above. If done properly it does give an extra layer of protection.

    You might say that one difference is that application signing can be done remotely so that the owner of the computer loses control but that's no different from the owner not having the root/administrator password.

    Both can be compromised by physical access to the hardware though TCPA does try to make access to the key hardware hard.

    Application encryption can block the owner from executing anything the encryptor has encrypted but that still requires the keys to be obtained from somewhere when the application runs, either the net or embedded hardware, and there is a potential hole if the owner can capture those keys.

    ---

    Unregulated DRM = Total Customer Control = Ultimate Customer Lockin = Death of the free market.

  48. Seems to be a matter of reading 'man fstab' ... by PaulBu · · Score: 4, Informative

    ... pay particular attention to noexec flag -- yes, one can configure his/her generic U**x system not to be able to execute anything off "other media" (including home directories) for what, like, 20 years... ;-)

    Amazing what those guys back then thought of, isn't it?

    Paul B.

    1. Re:Seems to be a matter of reading 'man fstab' ... by mattyrobinson69 · · Score: 2, Insightful

      Although you can workaround this: /lib/ld-linux.so.2 /noexec/mounted/partition/escalate_to_root

      or more likely: /lib/ld-linux.so.2 /usr/local/bin/ksolitaire

    2. Re:Seems to be a matter of reading 'man fstab' ... by Anonymous Coward · · Score: 0

      At first glance, the fix seems to be: don't use an operating system that uses the crappy glibc libraries.

    3. Re:Seems to be a matter of reading 'man fstab' ... by ultranova · · Score: 1

      Although you can workaround this: /lib/ld-linux.so.2 /noexec/mounted/partition/escalate_to_root

      Compile everything statically and you can remove the dynamic linker and other libraries.

      --

      Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

    4. Re:Seems to be a matter of reading 'man fstab' ... by autocracy · · Score: 1

      Well, the good news is that ld-linux.so doesn't have suid / guid permissions on it, so "ld-linux.so escalate_to_root" won't work.

      --
      SIG: HUP
    5. Re:Seems to be a matter of reading 'man fstab' ... by Anonymous Coward · · Score: 2, Informative

      (Lex Luthor) WRONG!

      from man mount:

      (Until recently it was possible to run binaries anyway using a command like /lib/ld*.so /mnt/binary. This trick fails since Linux 2.4.25 / 2.6.0.)

    6. Re:Seems to be a matter of reading 'man fstab' ... by Matthias+Himber · · Score: 1

      The noexec flag will not prevent running binaries on other filesystems. You can run scripts even from a filesystem mounted noexec; you just have to call the interpreter explicitly (bash myscript.sh instead of ./myscript.sh). Until a short while ago, you could even use this to run compiled binaries, using /lib/ld<something>.so — this was only fixed in recent kernels. And you don't need compiled binaries to 0wn a system. Bash is powerful enough by itself; Perl, Python, etc. are even better, and widely deployed. In fact, for UNIXoid operating systems, they are better, since you don't have to worry about binary compatibility any more.

    7. Re:Seems to be a matter of reading 'man fstab' ... by SanityInAnarchy · · Score: 1

      Who says there will be other filesystems mounted?

      Anyway, this makes the problem much easier -- just use a shell that doesn't allow running scripts on a noexec-mounted filesystem. Linux is already very close to right on this -- the rest is just a matter of doing things like disabling JavaScript in web browsers, disabling macros in word processors (or choosing word processors that don't support macros), etc. Hard, but not impossible.

      Much easier than starting an OS from scratch, or starting with one that doesn't support noexec at all...

      Or another approach: Reset every now and then. Logout, kill all processes by that user, login again. If you deny write access to any rc script, that means that after every reset, you have to start over and somehow convince the user to click on whatever it is.

      I think this whole thing is a bit silly, though. It's possible to be reasonably secure even on Windows, and on Unix, it's much easier -- out of the box, even. I don't see why I should have to turn the PC into a kiosk just so people don't have to learn how to use it. On the other hand, it always was easier to program a way around user stupidity than to assume you can educate users, and it's very dangerous to underestimate the ingenuity of stupid users.

      --
      Don't thank God, thank a doctor!
    8. Re:Seems to be a matter of reading 'man fstab' ... by mattyrobinson69 · · Score: 1

      My point was that to prevent applications escalating their privileges, noexec is pointless, as somebody can just run their privilege_escalation app, bypassing the noexec flag.

    9. Re:Seems to be a matter of reading 'man fstab' ... by Fulcrum+of+Evil · · Score: 1

      So what? escalate_to_root is an exploit, so it doesn't need suid privs

      --
      "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
  49. Executable Management by Constellation · · Score: 1

    You are indirectly referring to the concept of executable management. The central idea here is to only allow trusted programs to run on the system. Under such a scheme the kernel would have a list of allowed programs (and libraries) complete with MD5 hashes etc. (to establish a chain of trust). When a program is executed, the kernel would calculate its MD5 sum (and sums for anything else that is loaded into memory), and if the calculated sum isn't on the list then the program is not allowed to run. Under this scheme the users could "install" anything that they want on the system, but if it's not approved it doesn't run.

    While a system like this would keep "bad" software from running on the system it is not a silver bullet (nothing ever will be), as someone will find ways around it. For example using an exploit in an allowed application that is already running.

    There are also a couple of big limitations here, or with any system with the restrictions that you are asking about. First, someone has to keep a list of the allowed applications, and update it regularly. This should be someone like the corporate IT department; it doesn't make sense to put the burden on the OS vendor, as you want the minimum set of applications on your systems and the OS vendor wants the maximum set. Secondly, this completely breaks software development, for obvious reasons.

    I don't currently know of any operating system that implements these features.

    1. Re:Executable Management by firstnevyn · · Score: 1

      There was work done on NetBSD to do what you're talking about; the paper was presented at LCA2004 and is available online: http://lca2004.linux.org.au/eventrecord/LCA2004-cd/papers/18-brett-lymn-veriexec.html

      I don't know where that work is at currently
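An added illustration of the allowlist check described in comment 49 (example code, not from the page or from any operating system): a user-space model of the kernel's decision, hashing the program and every library it loads and denying by default. SHA-256 is used instead of the MD5 the comment mentions, since MD5 collisions are practical today; the files and the allowlist are constructed in a temporary directory.

```python
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List, Tuple

# Added example (not from the page): a user-space model of an executable
# allowlist. A real implementation lives in the kernel's exec path; this
# only shows the decision logic. SHA-256 replaces the MD5 mentioned in
# the comment, since MD5 collisions are practical today.


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(paths: Iterable[str]) -> Dict[str, str]:
    """Record the digest of every approved image (done by IT at approval time)."""
    return {p: sha256_file(p) for p in paths}


def verify_image(path: str, allowlist: Dict[str, str]) -> Tuple[bool, str]:
    """Default deny: unknown paths and modified files are both rejected."""
    expected = allowlist.get(path)
    if expected is None:
        return False, f"{path}: not in allowlist"
    if not os.path.isfile(path):
        return False, f"{path}: missing"
    if sha256_file(path) != expected:
        return False, f"{path}: digest mismatch"
    return True, f"{path}: ok"


def verify_exec(binary: str, libraries: Iterable[str],
                allowlist: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Check the program and every object it would load; stop at the first failure."""
    log: List[str] = []
    for image in [binary, *libraries]:
        ok, reason = verify_image(image, allowlist)
        log.append(reason)
        if not ok:
            return False, log
    return True, log


def demo() -> Tuple[bool, bool, bool]:
    """Constructed scenario: clean run, unknown program, tampered library."""
    with tempfile.TemporaryDirectory() as d:
        app = os.path.join(d, "app")
        lib = os.path.join(d, "libfoo.so")
        rogue = os.path.join(d, "rogue")
        for path, data in ((app, b"app v1"), (lib, b"lib v1"), (rogue, b"rogue")):
            with open(path, "wb") as f:
                f.write(data)
        allow = build_allowlist([app, lib])       # rogue is never approved
        clean, _ = verify_exec(app, [lib], allow)
        unknown, _ = verify_exec(rogue, [], allow)
        with open(lib, "ab") as f:                # simulate a modified library
            f.write(b" patched")
        tampered, _ = verify_exec(app, [lib], allow)
        return clean, unknown, tampered


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```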

  50. Should be possible with Linux. by Karellen · · Score: 1

    Hmmm... with Linux, the only places that regular users can write to anyway are their home directory and /tmp. They need write access to those areas to be able to save stuff. Unfortunately, we probably can't stop them creating or downloading executables to those areas.

    However, mount(8) has a great option - "noexec" - that can be used to prevent files from any partition being executed. If you put restricted users' home directories in /nxhome (no execute home) and mount /nxhome and /tmp as "noexec", that would probably do the trick.

    --
    Why doesn't the gene pool have a life guard?
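As an added example serving comments 48 and 50 (not code from the page): an audit of whether the user-writable mount points those comments name (/tmp and a /nxhome for restricted users) actually carry noexec, nosuid and nodev, parsed from the format /proc/self/mounts uses. The mount table below is constructed; the /nxhome name follows comment 50.

```python
from typing import Dict, List, Optional, Set

# Added example (not from the page). Constructed mount table in the format
# of /proc/self/mounts: device, mount point, fstype, options, dump, pass.
# Nothing here is from a real host; /nxhome follows comment 50's naming.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /nxhome ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
/dev/sdb1 /mnt/usb vfat rw,nosuid,nodev,noexec,relatime 0 0
"""

# Options a user-writable mount should carry. noexec blocks direct execution
# only; as the thread notes, interpreters (bash, perl) still run files from
# such a mount, so this is one layer of the control, not the whole of it.
REQUIRED = ("noexec", "nosuid", "nodev")


def parse_mounts(text: str) -> Dict[str, Set[str]]:
    """Map each mount point to the set of options it was mounted with."""
    mounts: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue                        # blank or malformed line
        mounts[fields[1]] = set(fields[3].split(","))
    return mounts


def missing_options(mounts: Dict[str, Set[str]],
                    mountpoint: str) -> Optional[List[str]]:
    """Required options absent from a mount: [] if complete, or None if the
    path is not a mount point at all (it then inherits its parent's options,
    which is usually the real finding for a home directory on the root fs)."""
    opts = mounts.get(mountpoint)
    if opts is None:
        return None
    return [o for o in REQUIRED if o not in opts]


def audit(text: str, mountpoints: List[str]) -> Dict[str, str]:
    """One verdict per mount point, suitable for a report."""
    mounts = parse_mounts(text)
    report: Dict[str, str] = {}
    for mp in mountpoints:
        missing = missing_options(mounts, mp)
        if missing is None:
            report[mp] = "not a separate mount"
        elif missing:
            report[mp] = "missing " + ",".join(missing)
        else:
            report[mp] = "ok"
    return report


def fstab_entry(device: str, mountpoint: str, fstype: str) -> str:
    """The fstab line that fixes a failing mount, using mount(8)'s
    noexec/nosuid/nodev options."""
    return f"{device} {mountpoint} {fstype} defaults,nosuid,nodev,noexec 0 2"


if __name__ == "__main__":
    # On a live Linux host the same audit reads the kernel's own table.
    try:
        with open("/proc/self/mounts") as f:
            table = f.read()
    except OSError:
        table = SAMPLE_MOUNTS
    for mp, verdict in audit(table, ["/tmp", "/nxhome", "/home"]).items():
        print(f"{mp}: {verdict}")
```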
  51. mount w/ noexec by Door-opening+Fascist · · Score: 1, Redundant

    You can mount filesystems with the noexec flag, which will prevent files from being executed. Have user directories mounted like that, and just have executables where users can't write to.

  52. Always loopholes by Spudley · · Score: 1

    There will always be loopholes in every system.

    To (mis)quote Morpheus, "It's a system, and like every system, it has rules. Some of those rules can be bent; others can be broken."

    No matter how tight you try to make it, the malware writers will always find a way around it. They may use scripting systems (even this hypothetical closed system would need some sort of scripting capability), or they may find a way to circumvent the lockout mechanism, or any number of other unpredictable ways to get in.

    Complete security is a fallacy.

    --
    (Spudley Strikes Again!)
  53. Thin Client by dltaylor · · Score: 1

    In a corporate world, most users should have nothing but a thin client (without USB or FireWire ports). Not only can nothing be installed, but they can't "appropriate" any data, either, if the email outbound filtering is working. Data loss when a desktop crashes is minimal-to-none, with the data on an IT-maintained server. Thin clients CAN be built from diskless boot PCs, but it is often simpler to just buy them than to do the research to figure out exactly which packages to build into an initrd image to support your corporate apps. It used to be possible to build diskless M$-Windows systems, but I won't have XP, so I don't know the limitations of its ramdisk. One trick we used to use on di*kless Sun workstations after disk prices came down was to use a disk for /tmp and swap, rather than the networked drives. 'Could probably be done today with some CompactFlash socketed into an IDE port (something like this: http://www.acscontrol.com/Index_ACS.asp?Page=/Pages/Products/CompactFlash/IDE_To_CF_Adapter.htm).

  54. Come and get your nice, big wooden horse... by babbling · · Score: 1

    What happens when a connection that you initiated results in you getting infected with malware that initiates connections rather than listening for connections?

    For example:
    - LiveJournal ads recently had problems with an advertiser setting their ad to some malware.
    - MySpace videos very recently had problems with videos containing malware.

  55. This is EXACTLY where my mind went! by thecampbeln · · Score: 2, Interesting

    If you want what the poster suggests, you'd pretty much have an XBox/PS2/etc with a keyboard.

    One of the many, MANY hazards with this would be having to buy a supported printer, supported network card, etc... as 3rd party software (and thereby hardware) is excluded by definition.

    As another poster has mentioned, wouldn't a LiveCD suffice?

    --
    "1984" was meant to be a warning, not a guidebook. You hear that Kim Jong-il!? BushCo?!
  56. NetBSD has verified exec option, it doesn't prevent you from being exploited if the kernel is compromised though.
    But NetBSD's kernel is extremely well written and as far as I've seen is the one with the best track record of all open source kernels.
    Together with the Systrace (by NetBSD developer Niels Provos) you can build extremely secure systems that are super portable.

    FreeBSD has similar functionality with its TrustedBSD framework.

    I would say NetBSD or FreeBSD is your best bet.

    Maybe you can make a Linux install with a subset of the same functionality through SELinux, but I doubt it will be as nice as the NetBSD route.

  57. Yes, but not from the OS vendor. by Jerk+City+Troll · · Score: 1

    Why not a list of programs you control? Why does some third party have to decide? Your secretary example demonstrates the need for this, as your OS vendor might decide (and rightfully so) that HL2 is a valid program which can be run. So really, it has to be up to your needs otherwise it is pointless. Furthermore, we already have software which can be used to implement this.

    1. Re:Yes, but not from the OS vendor. by DaveV1.0 · · Score: 1

      The weakest link in any computer system is the user. That would not stop people from installing, knowingly or not, malware.

      --
      There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
    2. Re:Yes, but not from the OS vendor. by Jerk+City+Troll · · Score: 1
  58. Really this is not what you want by hey! · · Score: 1

    What you want is a system that will only run cryptographically signed binaries.

    However -- like anything else, the devil is in the details, or particularly, in one detail: who controls what apps the OS will run. If it is an OS vendor, that vendor will see that control as a source of revenue, or worse: a way of gaining strategic control over its users (i.e. stay with us on the upgrade path or bad things will happen) or vendors.

    Really the owner of the computer should decide who to delegate the job of deciding what to trust. This could be your IT department, or maybe a professional support service (possibly bundled with your ISP service), or your great-nephew whose claim to fame is a four digit Slashdot id.

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    1. Re:Really this is not what you want by DaveV1.0 · · Score: 1

      Cryptographically signed by whom? What is to prevent cryptographically signed malware?

      --
      There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
    2. Re:Really this is not what you want by hey! · · Score: 1

      Well, one way would be to have it cryptographically signed by the vendor, and then that signature signed by you or whoever you delegate the task to. That way you could have a completely decentralized system without the need for a global root certificate authority.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  59. Not possible or desired by harris+s+newman · · Score: 0

    Without the ability to program the computer, its usefulness would just go away. What if you want the computer to do something multiple times? Telling it to do it more than once is by definition programming it, and as such violates the requirement presented. It just won't happen; the hardware would become a brick.

  60. Let's not forget... by hummassa · · Score: 1

    That it's always possible to teach old programs new tricks :-) like exploring buffer underruns or macro/scripting capabilities or borderline behaviour of many kinds.
    Such a system wouldn't be invulnerable at all -- just the fact that you _must_ have some way to upgrade the software (to plug any left holes) opens the way to new holes... vide the PSP (2.5/2.6 already hacked, 2.7 probably on its way)

    --
    It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
  61. Not really by hummassa · · Score: 1

    What I understood is that locking your doors (or putting an alarm system in your car) makes the thieves go for the unlocked doors (unprotected cars) because they're lazy, right? So, if _you_ lock your door and there are a _lot_ of lusers who use windows^W^W leave their doors unlocked: thieves will become dumber because they will go for the lusers and leave you alone AND for the foreseeable future they will leave you alone because they became dumber. So, no, when you eliminate "casual theft" you are in general upgrading the thieves' IQ.

    --
    It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
    1. Re:Not really by Kadin2048 · · Score: 1

      This was a good analogy to the point I was trying to make.

      I guess the corollary here would be if you could install automatically-locking doorknobs on everyone's houses, so that even people too dumb to lock their own doors when they left the house had a minimum level of security, wouldn't that make it more likely that you -- a conscientious person who does remember to lock their door -- would get broken into? Before, the criminals are going to go for the easy targets; if you make them harder, then the criminals are just going to pick someone at random once they get a little smarter, and that person they pick could be you.

      I'm not suggesting that anyone actually downgrade their security (so in the analogy, I'm not suggesting that you stop locking your door), just wondering whether if there were a hypothetical way to eliminate human stupidity as a source of vulnerabilities, if this wouldn't make the playing field more level, and thus put non-stupid people at greater risk.

      --
      "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
    2. Re:Not really by Anonymous Coward · · Score: 0

      But if the security level is too good, how will my fascist government be able to sneak-in when I'm not watching? :P

    3. Re:Not really by RMH101 · · Score: 1

      ..the trick here is keeping slightly ahead of the average. It's like a herd: you don't want to be the slowest, most tempting target. So you lock your car doors. When everyone locks their doors, you lock yours with a high-security lock and maybe an immobiliser. When everyone else does this you look at having a Tracker or Lo-Jack fitted...

  62. Whoa! by hummassa · · Score: 1

    Palms are flexible, loads of software can be downloaded and installed and executed... You must be thinking of the PSP, but even that machine is hacked nowadays (=2.7 via modchip)

    --
    It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
  63. Windows Does It by Anonymous Coward · · Score: 0

    See this previous comment. I have used this method (in conjunction with LUA accounts) to lock down Windows XP PCs at an internet cafe. It works pretty well IMHO.

  64. Payola by Wubby · · Score: 1

    The word that comes to mind for me is "payola". The only thing you will get for download is software that is sponsored. Pay the "vendor" the right price and they will certainly "certify" your app. And if it's all proprietary, I doubt anyone but the software developer will REALLY know what's in the code. It's an idea that just has too many exploitable flaws to be "A Good Thing(tm)".

    Ok, "payola" is not the right word, but it's what comes to mind. A sponsored work that is not presented as such. It would happen. The idea that we can trust an organization whose motive is profit is asinine. It's something that seems to need to be re-learned with every generation.

  65. Won't Work by hahafaha · · Score: 1

    This won't work. How do you define ``program''? If ``program'' means an executable, then you have a problem. Suppose one of the whitelisted applications was perl. In that case, you run perl with your file and boom! You have a program. And the computer can't even figure out that the Perl script is a program, since it does not understand it.

    And there are tons of others as well. No interpreters? Fine. You can use Excel macros for God's sake!

  66. Worthless! by Anonymous Coward · · Score: 0

    That's a feature to protect children (and maybe Apple fanbois, since they have the same IQ). Against a malicious attack, it would not stand a chance. It's like leaving a sign saying "Do not steal" on your car to prevent it from being stolen.

  67. SkyOS by Anonymous Coward · · Score: 0

    I am surprised no one has mentioned http://www.skyos.org/
    While not purely "Closed", it is a commercial OS that runs only what has been programmed just for it, all of which is included in the OS.

  68. Linux + grsecurity + a few creative tricks by Enleth · · Score: 0

    That's not a problem; I did set up some public school terminals recently, with every user having their own account. The terminals are netbooted with a read-only rootfs (NFSv3), home directories are mounted read-write through a PPPoE tunnel authenticated with the user's login and password (= only the active user's home directory is mounted), and, the most important thing, the system is equipped with the full grsecurity framework, ACLs, TPE (Trusted Path Execution, simply the user is unable to run anything that I didn't allow him to), restricted scripting languages and a few more simple tricks. That, and KDE running with some kiosk options turned on, makes an unbreakable system, at least as long as the users are not Mitnicks - and, in the least likely case of a break-in, even every single exec() is logged off-site, just waiting to be printed and handed over to the headmaster (or, had it been a company, the boss). Of course, the system won't even run when there's no connection with the external logging daemon, so unplugging it for a few minutes to hide something won't do.

    --
    This is Slashdot. Common sense is futile. You will be modded down.
  69. Do shared libs need to be executable? by autocracy · · Score: 1

    There's the infamous ld-linux.so workaround for -noexec mounts... but does ld-linux.so really need to be +x if it is only called (legitimately) by other executables? I don't really have any place I can test this theory at the moment...

    --
    SIG: HUP
  70. Weird side effects.. by faedle · · Score: 1

    The only flaw (not really a flaw, but an unintended side effect) with this is that the user's .bashrc and the like will not be executed, since these are essentially shell scripts that generally need execute permission. But, other than that, it should work...

  71. Its called Citrix by secret_squirrel_99 · · Score: 1

    We already have this. Citrix and winterminals. The users get only the applications published by the admin, can only save the data allowed by the admin in the shares designated by the admin. It's certainly not perfect from a security perspective, but it does more or less what the OP asked.

    --
    If privacy had a tombstone it would read "We did it for your own good" . -- John Twelve Hawks
  72. This already exists by Schraegstrichpunkt · · Score: 1

    This already exists in mobile phones. Some phones provide a JVM that lets you run code in a sandbox, but their bootloaders check an RSA signature before executing the operating system, and the operating system checks signatures on the Java classes before giving them privileges. It's how the phone companies get away with charging you an arm and a leg for ring tones and wallpapers.

  73. Going out of business?!? by mengel · · Score: 1

    Yeah, that's great, until the company goes out of business, or (for a really fun thought) loses the encryption keys (due to fire, flood, terrorist bombing or BOFH...) Now you're forever stuck with whatever their last release was, and you may not ever get new software.

    --
    - "History shows again and again how nature points out the folly of men" -- Blue Oyster Cult, 'Godzilla'
  74. You aren't safe by Raenex · · Score: 1

    Speaking as a user who understands their computer reasonably well and doesn't click on stuff just because animated characters tell me to, would this be a good thing?

    The problem isn't "lusers". The problem is the whole security model is broken. Every software application on your computer has the ability to steal your bank password and transmit it across the net. Can you vouch for the millions of lines of software for every application that you have installed? All it takes is one rogue programmer.

    The SkyNet Virus: Why it is Unstoppable; How to Stop it

  75. it's always better for guyz who know too less... by Wired0x90 · · Score: 1

    Open source OSes will certainly help hackers develop malicious code like rootkits and trojans faster and more complicated... but won't they develop malicious code if the source is not known? Nowadays a variety of reverse engineering techniques and code analyzing techniques are coming up... it's always just a matter of time... and how much you are willing to pay for it... and hackers have it all... but on the other side it will help other people provide solutions easily... otherwise even if you are coding for a third party product, and the operating system got a security problem, or a backdoor, even your application is at risk...

  76. Probably the latter... by cr0sh · · Score: 1

    What has caused this? Is it purely computer / internet related, or have employees been wasting absurd amounts of company time for several decades?

    The vast majority of businesses either have an organically "developed" set of processes to run the business, or no real processes at all. By "process", I mean a structured and understood (by all necessary staff) flowchart of who does what when, and how their outputs affect others' inputs. Even if the set of processes has come about organically (ie, trial and error over many, many years and employees, turnovers, etc), it is likely that no one person understands the actual "logical" flow behind their (or anyone else's) decisions, and the effects of those decisions.

    The reality is that, even in those businesses which seem to run well using an organic approach, inevitably there will be waste and errors. If you tried to flowchart the business process of any one area, you would find all manner of strange results, just like you find in any other organically evolved system. While they do "work", they can also break very easily - indeed, it may be this one person who seems to take no input or produce no output, who is actually necessary (in some weird manner) for the functioning of the company - eliminate him (by thinking he is unnecessary), and the company could implode (there are many concrete examples of this in organically developed "evolved" circuitry and neural network systems to illustrate this point).

    The processes which define how a business runs are merely the systems-level view of the business as a logical computational machine, whose function is to take the input of customers, produce some form of output to them, as well as profit. In most businesses, the processes are defined poorly or not at all. Those that are defined poorly tend to be those companies who recognize that there are processes that define the business, but don't flowchart and fix the irregularities (and/or inefficiencies) of their organically developed processes, and instead opt to graft on to the existing processes developed and defined processes, without understanding what those defined processes will do to the overall organic process (ultimately, though, this is just another example of an organically defined system). Those businesses that have processes that are not defined at all tend to have nothing but organically defined processes and are loath to look at or change them, for fear of the business imploding. The ole' "It'll break if you look at it crosseyed" syndrome.

    Businesses (and the people who run them and are employed by them) are sometimes fearful to look at and understand them as the complex logical machinery that they are. It is the same fear (although at a much larger scale) which keeps most people from understanding how computers work. Most humans see logical and rational processes (whether a business, a computer, or their own within their own self) as dehumanizing or wrong for some insane reason, even though humanity is more than capable of thinking in this manner, since it is required to start a business, build a computer, or merely to exist (without dying in the short term). However, if they want the system as a whole to last longer than a generation (tops), they need to understand and know the underlying processes which guide that system, if they want those systems to stay homogeneous. Otherwise, the only other method (known to work, although highly inefficient) is to follow nature's path - somehow introduce reproduction into the system (spinoffs and corporate restructure/mergers come to mind as methods which have been tried with mixed success). This is the model most businesses seem to be following, despite the massive amounts of inefficiencies that result from such systems.

    So - what is the result of all this? Well, the inefficiencies and waste can cause any number of symptoms, the least problematic of which is employee "downtime" (and employee turnover). High product failure rates (before or after shipping), deadline slippage, and budgetary wast

    --
    Reason is the Path to God - Anon
  77. Or... by cr0sh · · Score: 1

    ...you buy and maintain a vehicle which nobody wants to break into and steal.

    I will never have to worry about my 1994 4-banger Ranger being stolen, even if left unlocked with the keys in it (plus, it is paid off and insurance/registration is really, really low)...

    --
    Reason is the Path to God - Anon
  78. it's already coming. by kipple · · Score: 1

    It's called "Trusted Computing".

    Next question, please?

    --
    -- There are two kind of sysadmins: Paranoids and Losers. (adapted from D. Bach)
  79. Would I have a problem with it? by Harik · · Score: 1

    Yes, I would. If you guarantee a monopoly position for a single-source vendor, there's no incentive for them to make a competitive version at a competitive price. A much more responsible solution would be an OS that has a structured policy that only allows the domain administrator to authorize software execution. That way a company could decide if they wanted Visual Studio or Eclipse as their authorized development platform, and nothing else would work.

    Of course, you have the problem of interpreted languages (macros), DHTML, java applets, etc etc. And you couldn't ever develop software for this OS, or even ON this OS.

    Useful perhaps in a call center, but there are already solutions for that.