
Security issues of modern OS

This post is a critique of the approach to security taken by modern operating systems. Besides the criticism, ways of solving these issues will be proposed. Linux is the reference system here, but I think the situation is just as bad in BSD and the other Unix systems, including Mac OS, and it applies to Windows as well. The post expresses a personal opinion formed over the past few years of using various Linux distributions, Windows and Mac OS X.

So what exactly do I dislike? The user system. It is certainly better than nothing, but it is very weak. All restrictions, permissions and other security measures stem from the fact that we do not trust the software: we do not trust browsers, for which there are exploits, or PDF viewers, let alone new software obtained from an unreliable source. Whether it arrives in binary form or as source does not really change the situation: a compromised version of a program's source code is just as dangerous.

So, an example


As an example, take configuring the monitor. To do this you must correctly describe what you want in /etc/X11/xorg.conf. You can do this by running the xorgconfig utility or by editing xorg.conf directly in a text editor. But here is the catch: write permission on this file belongs to the superuser.

Solutions:

1. Run xorgconfig as root, configure, write.
2. Run xorgconfig as yourself, produce the configuration file, save it in your own folder, and then as root overwrite xorg.conf with cat or cp.
3. Run the text editor as root and edit.
4. Using chown or chmod run with root privileges, let the user write to this file, write it with the user's own tools, and then close it again so that nobody else can tamper with it.
Findings:

What I don't like: in every case one of the programs gets root rights, all of them! I, the user, wanted the program to write only xorg.conf, and now it can rewrite the passwords and anything else it likes, create a user, load a kernel module, whatever! Yes, I understand that we trust software written by the community, but where security is required there is no room for trust. Programs arrive over communication channels, they are written by people, and even when they come from a good distribution nobody guarantees that malformed data will be handled correctly rather than leading to arbitrary code execution.

Example 2


The setting is a factory. Characters:
The director (a notional person, the enterprise's interface to the outside world; he also holds the highest authority).
The security guard.
The turner.
The driver.

Normal enterprise

Act one

Director to the turner: "Here are the drawings; the blanks and cutters are in the warehouse; you have three days."
Turner at the warehouse: "Give me the cutters and blanks!"
Warehouse guard: "On whose say-so?"
Turner: "Here is the director's order and a permit to take 5 blanks and 3 cutters from the warehouse."
Guard: "Take them and sign!"

Three days pass, the turner has made the parts, and it is time to ship.

Act two

The driver leaves the factory with the load and reaches the gate.
Driver: "Open the gate!"
Guard: "What are you carrying? We are the guards, and our job is to make sure nobody carries off half the plant!"
Driver: "Here is the order, the delivery note with a description of the cargo and its quantity, the date of shipment and the destination, and here is the permit to take it out of the factory!"
The guard checks the documents, checks the cargo and lets the driver through.

Enterprise with Unix-style security

Act one

Director to the turner: "Here are the drawings; the blanks and cutters are in the warehouse; you have three days."
Turner at the warehouse: "Give me the cutters and blanks!"
Warehouse guard: "On whose say-so?"
Turner to the director: "The warehouse won't give me anything, I have no rights."
Director to the turner: "Here is a power of attorney to run the whole plant on the director's behalf!"
Turner: "Thank you!"

Three days pass, the turner has made the parts, and it is time to ship.

Act two

The driver leaves the factory with the load and reaches the gate.
Driver: "Open the gate!"
Guard: "What are you carrying? We are the guards, and our job is to make sure nobody carries off half the plant!"
Driver to the director: "The guard won't open the gate, so how am I supposed to deliver the order?"
Director to the driver: "Here is a power of attorney to run the whole plant on the director's behalf!"
Driver: "Thank you!"

Now, why I wrote all this

In my opinion, users in the system should correspond only to people, and there should be no superuser. A program that must rewrite a system configuration file must be granted the right to write that file and nothing more. This is the natural continuation of the Unix way, "one task, one program": let programs do exactly what they are for and nothing else.

Who should control this? The operating system. By definition an operating system is the set of software that gives client software access to the hardware, so it must be the one to control this. A program uses system functions to work with files and devices, and those functions must check whether the program holds the corresponding permit, not, as is done now, merely check which user is running it and what that user may do. Even a simple text editor that a user runs to edit a file should receive permission for that file and no others! (Thank you for reading so many letters.)

At the moment, when a user starts vim with a file name as a parameter, the shell only parses the string, calls vim and hands it the parameters; in principle vim can ignore the specified parameter and do whatever it wants with all of the user's files. One solution is for the OS to control what the user asked for: command line parameters and the system's file selection dialogs should be processed by the OS, and the program should gain access only to those files.

The same applies to installing programs and packages. A program removes itself (it has a removal script), but this is terrible! Didn't the OS hand the program disk space for specific files, and isn't managing devices and handing them out to programs the OS's job? If a restaurant has no cleaners, even with tidy visitors it turns into a garbage dump. Taking back from a program what was once issued to it is a direct function of the OS, not politely asking the program to remove itself and then not even checking what it left behind. When installing, the OS should log what was installed and what was changed, and put everything back in place on removal.

Solutions in existing Unix


A partial crutch for these problems is to create a heap of users for different actions, for example a user who can only edit xorg.conf, and so on. But that means a huge number of users and makes the computer practically unusable: you have to remember which user is allowed to do what, run everything under these users, and for any slightly non-standard action you again take root and create yet another user for that specific action.

Solutions in the new OS


I propose something like a power of attorney issued by the user, i.e. transferring part of the user's rights to the program, but not all of them. For example, the browser should only be able to request information from the network, send information, write its caches to a designated place on disk and save documents to disk space the user allocates; it should not have the right to read all of the user's documents. Otherwise the browser gets updated over something other than https, the user launches it, and all of the user's documents go off to some hacker named Pete without anyone noticing. I am proposing something like a firewall, not only for the network but also for the disk and other hardware. Most importantly, this need not be a sandbox, virtualization, an IL machine or some other interpreted technology; it can be implemented for native code: the operating system's own functions simply verify what the program does against what the user requested. Launching programs to process data must be done by the operating system, which must know what data the user wants processed and allow the program to process only that.

Conclusion


Giving programs a lot of rights is bad; the security systems of modern operating systems need to be redone completely.
Many questions remain unsolved, and there are even more untrained users, but I think the existing situation must be corrected. Microsoft's UAC is moving in this direction, but somewhat crookedly.

PS: for typos and inaccuracies, please write to me via Habr private messages.

Additional example


Based on a comment by xenon.
How do you usually (from the shell) play a movie? mplayer filename.avi

In this case the mplayer program starts and can do everything the user can do, but it does not erase all the user's files (although it could; thanks to it for that) and only reads the specified filename.avi. That is, if the program is "good", which we cannot count on.

I suggest that when executing mplayer filename.avi
the OS forbids mplayer everything, absolutely everything, but gives it access to filename.avi. The result: the user did not step outside his rights, and the program received the rights it needs and cannot steal your documents. No additional gestures are required from the user. The system does not interfere with what the user explicitly wrote: it allows exactly that and does not restrict it.
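As an added example, not part of the original post: the mplayer case above, and the earlier claim that the system's own functions can check a program's file access in native code without a sandbox or VM, realized with the Linux Landlock LSM (kernel 5.13 and later), which did not exist when this post was written. The wrapper below applies the policy the post asks for, then executes the real program; the kernel enforces it, and the restriction survives exec and is inherited by child processes. It goes one step beyond the text: "ban everything except the file" has to include read-only access to the system tree, or the dynamic loader cannot even start the player. The list of system directories and the file name in the usage line are assumptions for the demonstration; the Landlock structure layouts and syscall numbers are copied from the kernel's userspace API so the example builds against older headers.

```c
/* Added example (not the post's own code): run a program with kernel-enforced
 * access to one user-named file only, via Landlock (Linux >= 5.13, ABI 1+).
 * Usage: ./ll-run movie.avi mplayer movie.avi
 * The system directories below are assumptions for a typical distribution. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#ifdef __linux__
#include <sys/prctl.h>
#include <sys/syscall.h>

long syscall(long number, ...);          /* same signature as libc's */

/* Syscall numbers are the same on x86_64, aarch64 and other unified tables. */
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#define __NR_landlock_add_rule       445
#define __NR_landlock_restrict_self  446
#endif
#ifndef PR_SET_NO_NEW_PRIVS
#define PR_SET_NO_NEW_PRIVS 38
#endif
#ifndef O_PATH
#define O_PATH 010000000                 /* asm-generic value */
#endif

/* Landlock UAPI layouts and flags (copied so older headers suffice). */
struct ll_ruleset_attr { uint64_t handled_access_fs; };   /* ABI 1 layout */
struct ll_path_beneath_attr {
    uint64_t allowed_access;
    int32_t  parent_fd;
} __attribute__((packed));
#define LL_RULE_PATH_BENEATH       1
#define LL_CREATE_RULESET_VERSION  (1U << 0)
#define LL_FS_EXECUTE              (1ULL << 0)
#define LL_FS_WRITE_FILE           (1ULL << 1)
#define LL_FS_READ_FILE            (1ULL << 2)
#define LL_FS_READ_DIR             (1ULL << 3)
#define LL_FS_ABI1_ALL             ((1ULL << 13) - 1)   /* execute .. make_sym */
#define LL_FS_REFER                (1ULL << 13)         /* ABI 2 */
#define LL_FS_TRUNCATE             (1ULL << 14)         /* ABI 3 */
#define LL_FS_IOCTL_DEV            (1ULL << 15)         /* ABI 5 */

/* Grant `access` beneath `path`. A missing optional path (no /lib64, say) is
 * skipped; a missing required path (the user's file) is an error, so a typo
 * does not silently produce a program that can open nothing. */
static int ll_allow(int ruleset_fd, const char *path, uint64_t access, int required)
{
    struct ll_path_beneath_attr rule = { .allowed_access = access, .parent_fd = -1 };
    rule.parent_fd = open(path, O_PATH | O_CLOEXEC);
    if (rule.parent_fd < 0)
        return (!required && errno == ENOENT) ? 0 : -1;
    int rc = (int)syscall(__NR_landlock_add_rule, ruleset_fd, LL_RULE_PATH_BENEATH, &rule, 0);
    close(rule.parent_fd);
    return rc;
}
#endif /* __linux__ */

/* Confine the calling process (and everything it execs) to read-only access to
 * the system tree needed to load a program, read-only access to `user_file`,
 * and nothing else on the filesystem. Returns 1 if applied, 0 if this kernel
 * has no Landlock (ENOSYS / EOPNOTSUPP, or a seccomp policy refusing the
 * syscall), -1 on error. */
int sandbox_for_file(const char *user_file)
{
#ifndef __linux__
    (void)user_file;
    return 0;
#else
    long abi = syscall(__NR_landlock_create_ruleset, NULL, 0, LL_CREATE_RULESET_VERSION);
    if (abi < 0)
        return 0;

    /* Handle every right this kernel knows, so anything not granted below is
     * denied; asking for bits the kernel does not know would fail with EINVAL. */
    struct ll_ruleset_attr attr = { .handled_access_fs = LL_FS_ABI1_ALL };
    if (abi >= 2) attr.handled_access_fs |= LL_FS_REFER;
    if (abi >= 3) attr.handled_access_fs |= LL_FS_TRUNCATE;
    if (abi >= 5) attr.handled_access_fs |= LL_FS_IOCTL_DEV;

    int ruleset_fd = (int)syscall(__NR_landlock_create_ruleset, &attr, sizeof attr, 0);
    if (ruleset_fd < 0)
        return -1;

    /* The "power of attorney": system tree readable and executable so the
     * loader and the program can start; the user's file readable; no writes. */
    static const char *const system_ro[] = { "/usr", "/lib", "/lib64", "/bin", "/sbin", "/etc" };
    const uint64_t ro_exec = LL_FS_READ_FILE | LL_FS_READ_DIR | LL_FS_EXECUTE;
    for (size_t i = 0; i < sizeof system_ro / sizeof *system_ro; i++)
        if (ll_allow(ruleset_fd, system_ro[i], ro_exec, 0) < 0)
            goto fail;
    if (ll_allow(ruleset_fd, user_file, LL_FS_READ_FILE, 1) < 0)
        goto fail;

    /* Unprivileged processes must give up privilege escalation before
     * restricting themselves; the restriction then also covers exec'd children. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0)
        goto fail;
    if (syscall(__NR_landlock_restrict_self, ruleset_fd, 0) < 0)
        goto fail;
    close(ruleset_fd);
    return 1;
fail:
    close(ruleset_fd);
    return -1;
#endif
}

int main(int argc, char **argv)
{
    if (argc < 3) {
        fprintf(stderr, "usage: %s <file> <program> [args...]\n", argv[0]);
        return 2;
    }
    int rc = sandbox_for_file(argv[1]);
    if (rc < 0) {
        perror("landlock");
        return 1;
    }
    if (rc == 0)
        fprintf(stderr, "warning: Landlock unavailable, running unconfined\n");
    execvp(argv[2], argv + 2);              /* the restriction survives exec */
    perror(argv[2]);
    return 127;
}
```

Build with cc -o ll-run ll-run.c and run ./ll-run movie.avi mplayer movie.avi; once restricted, the player can open movie.avi read-only and the system libraries, and every other open, create, rename or delete fails with EACCES. The read-only root list is where "ban everything" meets reality: a real wrapper would also have to grant the player its own configuration and cache directory and the device nodes it renders to, the equivalent of the cache space the post allows the browser. Landlock checks new opens only; descriptors the process already holds, and operations the kernel has no hook for, are outside the policy.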

Source: https://habr.com/ru/post/89588/

