zlacker

[parent] [thread] 14 comments
1. mrotte+(OP)[view] [source] 2014-10-08 23:20:31
Nope. If somebody exploits your PDF reader, they still have to circumvent the OS. Sound familiar?

Now instead of one layer with hardware contact, you have two (assuming you want performance too). Twice the attack surface.

replies(3): >>amalco+b2 >>wyager+w2 >>walter+G6
2. amalco+b2[view] [source] 2014-10-09 00:03:54
>>mrotte+(OP)
This would be sound logic if existing desktop operating systems had actual good security models.

In the real world, if someone exploits your PDF reader, they don't have to circumvent your OS: your OS hands over everything you can access, by design. One could argue that a better security model baked into the OS would make more sense than a virtualization hack, but the latter has the advantage of actually existing.

replies(1): >>Touche+v6
3. wyager+w2[view] [source] 2014-10-09 00:08:20
>>mrotte+(OP)
> If somebody exploits your PDF reader, they still have to circumvent the OS.

That is correct. This is probably why privesc exploits are much more expensive than adobe reader exploits.

You are kind of arguing against yourself here.

◧◩
4. Touche+v6[view] [source] [discussion] 2014-10-09 01:33:21
>>amalco+b2
What would be the better security model?
replies(1): >>SamRei+z8
5. walter+G6[view] [source] 2014-10-09 01:35:33
>>mrotte+(OP)
> Now instead of one layer with hardware contact, you have two (assuming you want performance too).

Could you expand on that statement? By definition, only one layer can own each hardware component.

◧◩◪
6. SamRei+z8[view] [source] [discussion] 2014-10-09 02:23:12
>>Touche+v6
Somebody exploiting your PDF reader can't upload all your email.
replies(1): >>Touche+td
◧◩◪◨
7. Touche+td[view] [source] [discussion] 2014-10-09 04:16:52
>>SamRei+z8
That's not a model. What's the model that prevents this? User performs a 2-step auth every time code executes?
replies(1): >>SamRei+0e
◧◩◪◨⬒
8. SamRei+0e[view] [source] [discussion] 2014-10-09 04:28:50
>>Touche+td
Just pick one that gives the feature I described without being a pain to the user.
replies(1): >>Touche+Te
◧◩◪◨⬒⬓
9. Touche+Te[view] [source] [discussion] 2014-10-09 04:55:44
>>SamRei+0e
I know of no such models. Perhaps someone smarter than me has thought of them, that's why I asked the question initially.
replies(2): >>SamRei+hg >>pjmlp+8s
◧◩◪◨⬒⬓⬔
10. SamRei+hg[view] [source] [discussion] 2014-10-09 05:38:09
>>Touche+Te
Sandboxing. It's present on OS X.
replies(1): >>Touche+9B
◧◩◪◨⬒⬓⬔
11. pjmlp+8s[view] [source] [discussion] 2014-10-09 11:26:20
>>Touche+Te
Sandboxing, where each process is only allowed to use a precise set of system resources.

Any attempt to use anything else leads to termination.

replies(1): >>Touche+3B
◧◩◪◨⬒⬓⬔⧯
12. Touche+3B[view] [source] [discussion] 2014-10-09 13:42:59
>>pjmlp+8s
Which resources are they allowed to use? What defines which resources they are given?
replies(1): >>pjmlp+hI1
◧◩◪◨⬒⬓⬔⧯
13. Touche+9B[view] [source] [discussion] 2014-10-09 13:44:02
>>SamRei+hg
I'm confused. The original person I responded to said that no desktop OSes had good security models. On OSX I can write a script that, when run as a user, has access to everything the user has access to. So what exactly are you talking about?
replies(1): >>SamRei+fQ
◧◩◪◨⬒⬓⬔⧯▣
14. SamRei+fQ[view] [source] [discussion] 2014-10-09 16:02:43
>>Touche+9B
I'm talking about OS X sandboxing. The hypothetical PDF reader doesn't have access to the email.
◧◩◪◨⬒⬓⬔⧯▣
15. pjmlp+hI1[view] [source] [discussion] 2014-10-10 06:46:15
>>Touche+3B
> Which resources are they allowed to use?

The system administrator at installation time.

> What defines which resources they are given?

Applications just have a request list of what they require.

If the administrator doesn't allow them for the given application modules (executable, dynamic library, function call,...), bad luck.

[go to top]