Win32 API utterly and irreparably broken
Robert Bushman
plug-discuss@lists.plug.phoenix.az.us
Thu, 8 Aug 2002 09:38:50 -0400 (EDT)
On Thu, 8 Aug 2002, Dr. G wrote:
> Other than that, if you're running a program on your PC someone else made that
> you don't 100% trust, you're gambling, no matter if it's Windows or Linux.
Not so. Linux doesn't allow user accounts to
escalate their level. You can trash your own
data, but not the system.
If I set up a user named "magilla" in Linux, and
use that account to execute all my untrusted code,
I am confident that it cannot escalate its level
without using a currently unknown exploit - that is,
it cannot modify anything outside of /home/magilla
and /tmp. Better yet, I can chroot the account and
it won't be able to even see anything outside of
/home/magilla.
If I set up "magilla" in 2000, I am confident that
it can escalate its level - that is, it can do
anything to anything on the box.
That's the problem - it is currently impossible
to execute untrusted code on a Windows box safely.
That's what the author means by "unfixable" - it's
currently impossible to have a functional Windows
box on which you can safely execute untrusted code.
This is why Microsoft thinks Palladium is necessary.
They don't even grasp the fact that you can safely
execute untrusted code if your operating system's
security is designed correctly. So they have to
implement this ridiculous scheme where every piece
of code is authenticated by an outside authority.