Another thing that's been on my mind regarding Doing Things Differently™ is how to create an OS where there is no concept of an "all-powerful user" like root or Administrator, but which still maintains some semblance of safety or security in a multi-user environment.

You don't want to hound users with Windows Vista-like constant permission prompts, but you also can't just let every user do anything they want to the core system, unless that user is the sole user of the system of course.

Follow

Dunno, I'm putting this out there in case anyone has done more thinking on it than I have.

If I am to create a new OS or computing environment or something like that which is able to interface with networks or anything along those lines, I want it to be as close to an extension of the user as possible (i.e. the user is using a tool, not communicating with a machine) while also not letting Johnny JavaScript do whatever it feels like because it "has root".

· · Web · 4 · 2 · 5

@jbauer There's always my approach of "no JavaScript!"

Or you could allow apps, like the JavaScript interpreter, to drop privileges they don't need.

Or interpreting JavaScript without JIT'ing it makes it easier to audit that there's no vulnerabilities.

Basically all depends on what tradeoffs you want to make!

@jbauer Even working out how to stop programs from trashing a user's home directory is an interesting puzzle in permissions.

Clearly the user should be able to make a program save there, but a program shouldn't be able to do it on its own, so the program "saving" and the user pointing at the location to save actually have to be on different security layers (in some vague way).

@jbauer what you want sounds like a “object capability” system. hope that helps

@jbauer it’s like instead of having a heirarchy of power, every element of the system is able to individually give or refuse consent, or delegate that ability out.

some of these ideas have made it into javascript, for instance in the file apis which can only access files or foldere a user has explicitly drag and dropped into a web app

@jbauer consent can be any user action that gives a clear intent for one element of a system to have access to another. e.g. selecting text and hitting “copy” implies some access to the clipboard, for that one action. a little pop up that asks a yes or no question should be an absolute last resort.

@zens @jbauer It's a bit long, but this article, to me, absolutely nails the explanation of ocaps: http://habitatchronicles.com/2017/05/what-are-capabilities/

If you are interested in capability-based things, there's a crowd of us scattered around the fediverse. :D

@jbauer totally read this as "user is being a tool" and started snickering

I think to make any progress on this we'll have to just stop *thinking* about user accounts. User accounts are for separate humans; abusing them to separate applications is a hack.

I feel like computers - at least client-side ones - are largely single-user these days. I wonder if there's still any point to multi-user support. Abolishing it and giving the user full root, and using hypervised VMs or containers or something for interhuman separation if you need it, seems worth thinking about.

You want a capability system or something resembling one, but I have absolutely no idea how to make capability systems ergonomic. UAC tried and it was bad. Phone app permissions tried in a different way and it was less bad but still bad, and it's getting worse as unrelated permissions get merged together as a hack over side channel attacks.

@jbauer To do better, you need to actually *define* a security model, and that's nearly impossible because literally all the concepts involved here are vague and fuzzy. Like, what are you even giving permissions *to*?

It's not just users, that's the existing Unix model (without apparmor/selinux/etc.) and it has the thing where everything run as a user has the full rights of that user.

It's not processes either. This would be near-optimal in terms of control, but that was UAC and nobody liked UAC.
(edit: no, it's also not near-optimal, I forgot web browsers were a thing)

An application is a single binary, except when it's multiple binaries calling each other, and obviously `cat passwords.txt` run as a subprocess by a human-controlled shell should have different permissions than `cat passwords.txt` run as a subprocess by Totally Legitimate Free Game 2022.

And if you get fancier than that ("what if the entire OS was smalltalk objects with individual capability sets"), you're making users think about implementation details instead of using the computer, and blah.

Burn it all down, start over and just don't invent malware this time.

@emily @jbauer I think the answer is going to be some abstraction layers we don't know how to describe yet, built up from small objects with fine-grained capability sets. I don't see how anything less flexible can express all the variations on what humans want, but indeed, bothering humans about implementation details and making them build mental models of security technology is not going to get good results for the defenders.

Sign in to participate in the conversation
Merveilles

Revel in the marvels of the universe. We are a collective of forward-thinking individuals who strive to better ourselves and our surroundings through constant creation. We express ourselves through music, art, games, and writing. We also put great value in play. A warm welcome to any like-minded people who feel these ideals resonate with them.