Slashdot: News for Nerds

A Closed Off System?

Cliff posted about 8 years ago | from the would-this-appeal-to-you dept.

AnarkiNet wonders: "In an age of malware which installs itself via browsers, rootkits installing themselves from audio cds, and loads of other shady things happening on your computer, would a 'Closed OS' be successful? The idea is an operating system (open or closed source), which allows no third party software to be installed, ever. Yes, not even your own coded programs would run unless they existed in the OS-maker-managed database of programs that could be installed. Some people might be aghast at this idea but I feel that it could be highly useful for example in the corporate setting where there would be no need for a secretary to have anything on his/her computer other than the programs available from the OS-maker. For now, let's not worry if people can 'get around' the system. If each program that made up the collection of allowed programs was 'up to scratch' and had 'everything you need', would you really have an issue with being unable to install a different program that did the same thing?"

177 comments

Wouldn't a live CD do this? (5, Insightful)

amanda-backup (982340) | about 8 years ago | (#15703090)

Doesn't a live OS CD such as Knoppix achieve this goal? These are usually built for "everything you need" for a particular purpose. You can still access and create data on disks on that system, but you never corrupt the programs themselves. If all the applications being used are web based, then things are even simpler - simply boot up with Knoppix, open Firefox and you are ready to go.

Re:Wouldn't a live CD do this? Nope (1)

JumpSuit Boy (29166) | about 8 years ago | (#15703103)

You can install software on the livecd. It only exists till the RAM is wiped (restarted), but it runs just fine.

No. - Re:Wouldn't a live CD do this? (5, Insightful)

jdogalt (961241) | about 8 years ago | (#15703129)

No. LiveCDs do offer read-only system images. But they do nothing whatsoever to prevent other programs from being run. I.e. programs downloaded from the net, autorun (or manually) from cd. LiveCDs get you the benefit that each reboot resets you to a known state. That is quite different from an OS which only allows programs from a blessed whitelist to execute. One scenario might be the discovery of a way to remotely log into the system. In the livecd case, the attacker can now run whatever program they want, and likely regain entry in an identical fashion should the system be rebooted. What the author of this post is interested in is a system that would not let the attacker with remote login be able to execute any code not on the blessed whitelist. Now mind you, the idea that such a system would be 'invulnerable' is ludicrous. The XBox seems the quintessential example of a system which tried to achieve this design goal. My XBox currently runs ssh, freevo, and any executable I want, proving it is difficult to achieve a successful implementation of such a design. -jdog

Re:No. - Re:Wouldn't a live CD do this? (2, Insightful)

secolactico (519805) | about 8 years ago | (#15703303)

The XBox seems the quintessential example of a system which tried to achieve this design goal. My XBox currently runs ssh, freevo, and any executable I want, proving it is difficult to achieve a successful implementation of such a design

Yes, but you had to go out of your way in order to achieve this, right? That is, it's not something that happened because something you downloaded off the net did away with the "protection" MS had installed originally in the machine. (Besides, as far as I know, only the bootloader needs to be on the blessed list).

Of course, everything is fallible. And besides, if every single executable code had to be signed and verified, how expensive in terms of CPU time would that be?

Re:No. - Re:Wouldn't a live CD do this? (2, Insightful)

jdogalt (961241) | about 8 years ago | (#15703359)

"Out of my way" is as vague a phrase as "should". Yes I had to follow some instructions, but technically I'm also following instructions when I dial my phone.

Yes the bootloader only needs to be on the blessed list, but in the absence of a blessed bootloader which allows arbitrary code to execute...

To your last point, signing and verifying every executable is not a heavy CPU tax. The real issue is the granularity, and if you can prevent any executable which intentionally or unintentionally allows arbitrary external code to be executed from getting blessed.
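The two claims in the reply above (verification is cheap; the hard part is refusing to bless anything that itself runs arbitrary code) can be tried out in a few lines. The following is an added example written for this page, not code from any poster or product. It stands in for signature verification with a SHA-256 allow-list kept in memory (the standard library has no asymmetric signing, so the digest list is an assumption; a real OS-maker database would sign the digests), and the file names and contents are constructed on the fly.

```python
import hashlib
import os
import tempfile
import time

# Names of allow-list candidates that execute whatever they are handed.
# Blessing one of these makes the rest of the list meaningless; the set
# is a constructed illustration, not an exhaustive catalogue.
ARBITRARY_EXEC_NAMES = {"sh", "bash", "perl", "python", "ld-linux.so.2"}


def sha256_file(path, chunk=1 << 16):
    """Digest a file in 64 KiB chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


class Allowlist:
    """Digest -> program name; only files whose digest is present may run."""

    def __init__(self):
        self.entries = {}

    def bless(self, path, name):
        # Granularity check: refuse entries that would let unblessed code run.
        if name in ARBITRARY_EXEC_NAMES:
            raise ValueError(f"refusing to bless {name}: it executes arbitrary input")
        self.entries[sha256_file(path)] = name

    def check(self, path):
        """Return the blessed name for this exact file content, or None."""
        return self.entries.get(sha256_file(path))


def verification_cost(path, repeats=20):
    """Average seconds per verification of one file; shows the CPU tax is small."""
    t0 = time.perf_counter()
    for _ in range(repeats):
        sha256_file(path)
    return (time.perf_counter() - t0) / repeats


def demo():
    """Exercise the allow-list on two constructed 1 MiB placeholder files."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "ksolitaire")       # name taken from the thread, content is filler
        with open(good, "wb") as f:
            f.write(b"\x7fELF" + b"\0" * (1 << 20))  # not a real ELF binary, just bytes to hash
        tampered = os.path.join(d, "ksolitaire-tampered")
        with open(tampered, "wb") as f:
            f.write(b"\x7fELF" + b"\0" * (1 << 20) + b"X")  # one extra byte changes the digest

        al = Allowlist()
        al.bless(good, "ksolitaire")
        results["blessed"] = al.check(good)          # "ksolitaire"
        results["tampered"] = al.check(tampered)     # None: digest not on the list
        try:
            al.bless(good, "bash")
            results["interpreter_refused"] = False
        except ValueError:
            results["interpreter_refused"] = True
        results["ms_per_mib"] = verification_cost(good) * 1000
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Hashing a megabyte takes on the order of a millisecond on ordinary hardware, which is the "not a heavy CPU tax" point; the `bless` refusal is the granularity point, and it is the part that cannot be automated away, because a blessed interpreter, loader, or macro-capable application re-opens the door the list was meant to close.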

Re:No. - Re:Wouldn't a live CD do this? (1)

shadowmas (697397) | about 8 years ago | (#15703390)

The XBox seems the quintessential example of a system which tried to achieve this design goal.

I never thought I'd see the day when a Microsoft product would be the quintessential example of a high security system :)

Re:No. - Re:Wouldn't a live CD do this? (1)

itwerx (165526) | about 8 years ago | (#15703452)

The XBox seems the quintessential example of a system which tried to achieve this design goal. ...I never thought I'd see the day when a Microsoft product would be the quintessential example of a high security system...

It's not.
Re-read the parent post - MS tries to achieve a great deal, they just happen to fail miserably a great deal of the time.

(Ba-da-bing! Thanks folks, I'll be here all week! :)

Seems to be a matter of reading 'man fstab' ... (4, Informative)

PaulBu (473180) | about 8 years ago | (#15703673)

... pay particular attention to noexec flag -- yes, one can configure his/her generic U**x system not to be able to execute anything off "other media" (including home directories) for what, like, 20 years... ;-)

Amazing what those guys back then thought of, is not it?

Paul B.

Re:Seems to be a matter of reading 'man fstab' ... (2, Insightful)

mattyrobinson69 (751521) | about 8 years ago | (#15703762)

Although you can work around this: /lib/ld-linux.so.2 /noexec/mounted/partition/escalate_to_root

or more likely: /lib/ld-linux.so.2 /usr/local/bin/ksolitaire

Re:Wouldn't a live CD do this? (1)

n3v (412497) | about 8 years ago | (#15703383)

The CD is just one of many possible media that could be altered. The CD may stay the same, but what if a rogue program in memory wrote something somewhere else, or stored its instructions on a remote server. Things may still be exploited some way in which the original authors did not intend.

At least a reboot should help the issue ;p

What a load of... (4, Funny)

Bin_jammin (684517) | about 8 years ago | (#15703097)

fun you must be to think up questions like that.

What a [arm]load of... (-1, Troll)

Anonymous Coward | about 8 years ago | (#15703286)

What if everyone gave each other a hug?

LiveCD Anyone? (1)

Daxster (854610) | about 8 years ago | (#15703101)

This sounds suspiciously like a LiveCD or DVD of some sort of *nix variant - OpenBSD sounds good.

Here we go.... (1)

Rendo (918276) | about 8 years ago | (#15703102)

Just face it, with the internet as it stands today, no matter what you do, there will always be cases of viruses, malware, spyware, adware, etc etc. The only way to really not be affected by this is to NOT use the Internet, which in the corporate world is basically a no-no. Maybe have a couple of machines that use the Internet when needed and the rest on the server are dead to the net.

Windows Group Policy (5, Interesting)

Ececheira (86172) | about 8 years ago | (#15703104)

Windows has long been able to do this via Group Policy. You can specify that only programs signed with specified Authenticode keys can be run, effectively locking the system. Since all OS files are signed by Microsoft and anything a corporation would need could be signed, then if a corporation wanted a locked-down box, then they'd just specify the allowed keys and block everything else.

It'd be a huge nuisance but it's possible today.

not quite! (1)

Xtifr (1323) | about 8 years ago | (#15703212)

Windows fails both the "up-to-scratch" and the "everything you need" tests! But yes, I agree, it can be locked down, as can most other modern OSes (all of which also fail those two critical criteria--I'm not Windows-bashing here).

Re:not quite! (1)

Telvin_3d (855514) | about 8 years ago | (#15703235)

I'm not sure you can say that as far as the corporate world goes. By default, Windows and related programs are everything you need because that is what 90% of corporate environments are based on. That is not to say that nothing else is better or has useful features that Windows lacks, but simply that you can easily have everything that you need to run a fully successful office on a Windows, or even a purely Microsoft box.

Re:not quite! (2, Interesting)

Goaway (82658) | about 8 years ago | (#15703373)

I agree, it can be locked down, as can most other modern OSes

Oh, so how exactly do you lock down Linux so that only signed software can be run?

Re:not quite! (0)

Anonymous Coward | about 8 years ago | (#15703467)

/dev/hda1 /     ext3 defaults 0 0
/dev/hda2 /swap swap defaults 0 0
/dev/hda3 /var  ext3 noexec   0 1
/dev/hda5 /home ext3 noexec   0 2

Not quite the same, but the same result if you are careful about root.
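The four fstab lines above are the kind of thing an administrator would want to audit across a fleet rather than read by eye. The following auditor is an added example written for this page, not code from any poster; it treats the comment's fstab as a constructed sample and checks the mount points ordinary users can write to for the `noexec`, `nodev` and `nosuid` options (the list of user-writable mount points is an assumption you would tune per site).

```python
# Constructed sample: the fstab lines quoted in the comment above, not from a live host.
SAMPLE_FSTAB = """\
/dev/hda1 /     ext3 defaults 0 0
/dev/hda2 /swap swap defaults 0 0
/dev/hda3 /var  ext3 noexec   0 1
/dev/hda5 /home ext3 noexec   0 2
"""

# Mount points that unprivileged users can write to (assumption: adjust per site).
USER_WRITABLE = ("/home", "/tmp", "/var/tmp")

# Options worth having on every user-writable filesystem. noexec on its own
# is not a complete control (scripts and ld.so still get code running), but
# nodev and nosuid close off device nodes and setuid binaries planted there.
HARDENING_OPTS = ("noexec", "nodev", "nosuid")


def parse_fstab(text):
    """Turn fstab text into a list of dicts; skips blanks and comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line; fstab needs at least device, mount, type, options
        entries.append({
            "device": fields[0],
            "mount": fields[1],
            "fstype": fields[2],
            "options": set(fields[3].split(",")),
        })
    return entries


def is_user_writable(mount):
    """True if the mount point is, or sits under, one of USER_WRITABLE."""
    return any(mount == m or mount.startswith(m + "/") for m in USER_WRITABLE)


def audit(entries):
    """Return (mount, missing_options) for user-writable filesystems lacking hardening."""
    findings = []
    for e in entries:
        if e["fstype"] == "swap" or not is_user_writable(e["mount"]):
            continue
        missing = [o for o in HARDENING_OPTS if o not in e["options"]]
        if missing:
            findings.append((e["mount"], missing))
    return findings


def read_system_fstab(path="/etc/fstab"):
    """Convenience wrapper for running the audit on a real host."""
    with open(path) as f:
        return parse_fstab(f.read())


if __name__ == "__main__":
    for mount, missing in audit(parse_fstab(SAMPLE_FSTAB)):
        print(f"{mount}: missing {','.join(missing)}")
```

On the sample, `/home` is reported as missing `nodev` and `nosuid`; `/var` passes only because it is not in the user-writable list, and `/var/tmp` is covered by the `/var` mount. Two cautions before copying the sample itself: `noexec` on all of `/var` will break package managers that run maintainer scripts from under `/var/lib`, and, as the replies below this comment point out, `noexec` stops the `exec` syscall on that filesystem but not interpreters or the dynamic loader, so it belongs alongside a non-root user account and a policy such as SELinux rather than in place of them.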

Re:not quite! (2, Interesting)

LLuthor (909583) | about 8 years ago | (#15703757)

/lib/ld-linux.so /home/me/whatever/binary

glibc needs a rewrite before noexec becomes useful.

Re:not quite! (5, Informative)

ocelotbob (173602) | about 8 years ago | (#15703851)

SELinux policies. You can configure SELinux to have a default deny to execute files that aren't on an approved list of executables, and also ensure that only trusted persons have access to change those files.

I'd use it (3, Interesting)

Wizarth (785742) | about 8 years ago | (#15703105)

For office use, a linux distro (such as Debian or Ubuntu) which allowed you to specify the repositories, and not allow modification of the list, would work just fine, in general.

System admins would only allow updates from the official repository, with a local repository for mirror/caching and business specific software packages.

I use something like this for my relatives. Give them a linux, don't give them root, make all updates/installations go through me.

Then print out a poster for my door "setup.exe will not run on your system" ...

Re:I'd use it (0)

Anonymous Coward | about 8 years ago | (#15703168)

And who prevents them from installing things in their home-directory, smartass?

Re:I'd use it (1)

19thNervousBreakdown (768619) | about 8 years ago | (#15703297)

mount -onoexec dipshit

Re:I'd use it (2, Interesting)

morcego (260031) | about 8 years ago | (#15703639)

"noexec" is completely useless.
Just do: /lib/ld-linux.so.2 YOUR_PROGRAM
and you can bypass noexec.
Not to mention shell scripts, perl etc etc.

Re:I'd use it (1)

batkiwi (137781) | about 8 years ago | (#15703719)

Step 1: download a statically compiled binary
Step 2: run said binary from your home directory

On the subject of the CD Rootkit... (3, Interesting)

GhaleonStrife (916215) | about 8 years ago | (#15703106)

Think about this: If that database included the infamous Sony rootkit as "allowed" due to them laying pressure on whoever maintains it, doesn't it render the whole thing pointless?

Re:On the subject of the CD Rootkit... (2, Insightful)

bersl2 (689221) | about 8 years ago | (#15703203)

The whole shitstorm over "Trusted Computing" and this are essentially the same topic, and the issue is who has control over the access control list, the user-administrator or some other party. The feature can be used for good or evil, for lawfulness or chaos, just as with any other tool.

code isolation (4, Insightful)

TheSHAD0W (258774) | about 8 years ago | (#15703107)

This would be "mostly secure", but unless strict data-space separation were used it might still be vulnerable to a buffer overflow or similar attack that would allow arbitrary code provided as data to be executed. The attacker would use this opportunity to establish a "beachhead", modifying whatever integrity-checking system the OS is using to allow it to continue to exist.

Re:code isolation (1)

jdhutchins (559010) | about 8 years ago | (#15703123)

Obviously there will be some kind of attack, no matter what the system. I think the question is mostly dealing with malware and trojans, stuff that doesn't try to break it, but relies on user stupidity.

Re:code isolation (1)

bursch-X (458146) | about 8 years ago | (#15703255)

relies on user stupidity.

That's the cracking point. So why don't people rather try to employ people with a brain? That might save costs beyond all the trojan issues etc. If businesses ask for stupid monkeys they get monkeys.

Re:code isolation (1)

Vo0k (760020) | about 8 years ago | (#15703830)

because of stupid monkeys doing the recruitment?

Hypothetical question: "lusers" as decoys (4, Insightful)

Kadin2048 (468275) | about 8 years ago | (#15703334)

Speaking as a user who understands their computer reasonably well and doesn't click on stuff just because animated characters tell me to, would this be a good thing?

If we (hypothetically) closed off the "stupid user" vulnerabilities that are the major attack vectors right now, wouldn't the malware authors instead just concentrate on other, more technical, avenues of attack?

Here's my thought: maybe having systems vulnerable to idiot users is actually a good thing for the informational ecosystem as a whole. They're more than just the canaries in the coal mine (although they serve that function, too), they provide a steady stream of marks for the virus/trojan/malware writers and phishing-scheme authors of the world.

If these people weren't able to basically throw themselves on the swords of their own stupidity on a regular basis, couldn't this just lead to smarter malware, which affected more of us (not just the stupid/ignorant)?

Malware authors are inherently lazy and opportunistic. While there are still lots of "the monkey told me to click it so I did" people around, and ways to exploit this idiocy, that's what they're going to do. They're not going to mess around with esoteric buffer overflows to steal your information, when they can just send out some fake PayPal emails and watch the data roll in.

Given the choice, I'd rather have the primary attack vectors be ones that rely on user stupidity, rather than technical flaws, because 0-day technical flaws are too 'egalitarian,' attacking both the clueless user and the experienced person without warning. Personally, anything that keeps the collective attention of the Russian Mafia focused on people too dumb to check the URL line in IE before typing in their bank account information is a good thing in my book.

I know this isn't a very nice sentiment to hold, but if there was some hypothetical way to remove user stupidity as a vulnerability (not possible, so this is all just a mind game), maybe we'd be better off not implementing it?

I'm not suggesting that we shouldn't attempt to educate people on good computing practices, but if people are too lazy or disinterested to become educated, maybe in their laziness they can do the rest of us a favor by acting as the collective decoys?

Re:Hypothetical question: "lusers" as decoys (1)

Neoprofin (871029) | about 8 years ago | (#15703737)

You could say the same thing about locking your doors at night making burglars smarter because they can't just walk right in.

There's a certain level of difficulty where it no longer becomes easy enough and profitable enough to be a malware producer, and if we could simply bring everyone up to that level I think we'd all be better off. Sure some of them would stay in business, just like some criminals have no issue kicking down doors and smashing windows, but a lot can be accomplished by eliminating so-called "casual theft" where valuables are just left out in the open.

Question moot. (3, Insightful)

The MAZZTer (911996) | about 8 years ago | (#15703117)

"If each program that made up the collection of allowed programs was 'up to scratch' and had 'everything you need',"

Considering that is impossible, the question is pretty much moot, isn't it. I am always going to find more needs for things, and chances are I'm going to need a new piece of software. Even if an OS shipped with "everything", new things are invented all the time. Maintaining a "Closed OS" to allow for new things would be difficult, and to keep it relatively up to date even more so... but then it wouldn't really be closed if new stuff kept getting added to it...

Re:Question moot. (1)

skiflyer (716312) | about 8 years ago | (#15703515)

Sure for you... but what about your publicly deployed kiosk... or your call center desktop or whatever. Definitely plenty of applications for such a deployment, I think it's just that this is already accomplishable using read only partitions/live cds/etc.

Depends on the distribution.. (1)

SpookyFish (195418) | about 8 years ago | (#15703118)

If the group responsible kept up to date by adding "certified" software to keep up with the "joe average" software needs, this could work.

As someone experienced who regularly uses Linux and Winderz (only with FFox and otherwise properly locked down), I wouldn't use it -- but I would likely switch the parents and other non-savvy friends and family to it quickly.

Interesting idea.

Treacherous Computing (3, Interesting)

jZnat (793348) | about 8 years ago | (#15703119)

This is exactly what Microsoft would like to do with Treacherous Computing, although the issue would cover things like security from the user rather than for the user.

Re:Treacherous Computing (2, Insightful)

MaverickUW (177871) | about 8 years ago | (#15703601)

I hate to say this, but while the idea of security from the user instead of for the user, sounds insane, it's probably very needed and very valid.

I've done some freelance computer work for people who don't know all the technical stuff about computers. This normally relates to spyware/malware/virii/etc. The grand majority of the spyware and malware is self installed. Downloading cutesy screensavers or cursors or backgrounds that come with all manners of desktop search, search bars. When you have an Athlon 64 3800+ with 2 GB of RAM and 10,000 RPM SATA drives in a raid array slowed to a crawl because of too much crap (with antivirus and antispyware software installed), something is wrong.

I've even seen half the spyware removing programs that show up as spyware themselves in AdAware!

We're getting to a point where security FROM the user is almost if not more important than security FOR the user.

Smith-Corona to the rescue! (4, Funny)

Onan (25162) | about 8 years ago | (#15703125)

Yeah, turns out somebody was doing this for kind of a while. Called them "typewriters" or somesuch.

Really, much of the value of a computer lies in the fact that it's an extremely versatile device. Choosing to discard all that, and believe that you can know ahead of time every single thing you will ever want to accomplish with it, seems like a pretty bad deal.

Re:Smith-Corona to the rescue! (2, Insightful)

bcat24 (914105) | about 8 years ago | (#15703198)

But there are some people who use a computer for nothing more than word processing, web browsing, and email. A "closed off" setup might work for them.

Re:Smith-Corona to the rescue! (2, Informative)

TheGratefulNet (143330) | about 8 years ago | (#15703454)

But there are some people who use a computer for nothing more than word processing, web browsing, and email

anyone remember the I-opener ? that was a closed (qnx) turnkey just-does-this-and-no-more system.

I don't think the company lasted long, though. too many people (myself included) bought the boxes for $100 and hacked them to get linux and win95 on them. ahh..

but the idea was kind of ok, for some people. and there was NO way to get viruses or problems when you aren't even running a real multiuser o/s like that.

oh, and it had a pizza key. a pizza key. wow.

(I still have that i-opener. I can't even imagine what a pent-120 class machine could be useful for, today, though. it wasn't even a real cpu, it was some cyrix animal, pretty feeble even for its day).

Re:Smith-Corona to the rescue! (1)

PaulBu (473180) | about 8 years ago | (#15703701)

anyone remember the I-opener ? that was a closed (qnx) turnkey just-does-this-and-no-more system.

Well, throw a WiFi chip into it, shrink to 1/4 of the size (1/8 of the volume), as allowed by tech now, and I would not mind carrying such a beast around! ;-) I guess they used to be called 'Palms', or some such, in the earlier days...

Seriously, a no-nonsense portable connected device - what can be wrong with it?

Paul B.

OS X (3, Interesting)

mattjb0010 (724744) | about 8 years ago | (#15703126)

already does this. See here [apple.com], under "Application Access: You Decide". You can set up another user account for yourself (not just any children) which would be protected. I'm pretty sure Windows has similar things (not sure if you need 3rd party software to do this) and as mentioned, there are live CDs of Linux/BSD/etc.

Re:OS X (1)

zaliph (939896) | about 8 years ago | (#15703345)

A T-rated video game such as World of Warcraft may be great for your teenage daughter, but you may not want your six-year-old to play along.

If you want to get any peace around the house you will. Apple Provides, You Relent.

Re:OS X (1)

IntlHarvester (11985) | about 8 years ago | (#15703543)

OS X's Application Controls isn't anything close to being "secure" -- It's implemented on the Finder rather than the OS level and can be bypassed by any convenient scripting environment (Applescript, MS Office, etc).

Already exists! (0, Offtopic)

NineNine (235196) | about 8 years ago | (#15703127)

As far as I'm concerned, Ubuntu and the other Linux'es are already this. I never figured out how to install *anything* on the damn things. If it wasn't in the catalog, then you had to be a full-time dork to get it working.

All in all, the experience wasn't bad. There were some good programs in the list. However, maybe just because I've been around PC's for so long, there are certain programs that I wanted to use, and was frustrated that they never worked. I don't know if this would bother regular people.

The only problem with this is sometimes (often), the catalog titles didn't even work right, then you're stuck with no alternative, and a new, expensive doorstop.

Suffice to say, I now use Windows.

Re:Already exists! (1)

pete6677 (681676) | about 8 years ago | (#15703343)

Good point. Not too many office workers or malware writers will install software when it requires recompiling the damn kernel!

Same thinking? (2, Insightful)

JayTech (935793) | about 8 years ago | (#15703128)

Isn't this the same exact thinking behind the TCPA planned by Microsoft & Co? Where only "licensed" software would be allowed to run? Doesn't sound like a bright idea to me, in fact it sounds pretty scary.

Re:Same thinking? (1)

sqlrob (173498) | about 8 years ago | (#15703159)

It depends on who controls the keys.

If the vendor controls the keys, yes, it is scary. If I do, no, it is not.

Re:Same thinking? (1)

vegetablespork (575101) | about 8 years ago | (#15703252)

If the vendor controls the keys, yes, it is scary. If I do, no, it is not.

I guarantee it won't be the owner who controls the keys. Thus, it's scary.

Re:Same thinking? (1)

heinousjay (683506) | about 8 years ago | (#15703379)

Not to cast aspersions on you personally, but your guarantee in this matter posted on Slashdot is worth the price of the bits that carried it to my screen.

Re:Same thinking? (1)

vegetablespork (575101) | about 8 years ago | (#15703387)

My guarantee is based on the obvious. Are you asking to make it a bet? How much?

Vista + 'DRM' Hardware (3, Interesting)

nuxx (10153) | about 8 years ago | (#15703130)

Huh. Imagine that... Something which can be done by having a Microsoft OS set to run only signed binaries while running on top of a 'trusted computing platform'.

As I've said before, this would be a huge boon to IT departments all over the place. I'd love to be able to lock users to running a signed OS and only the apps we specifically approve and sign. This would lock out all unapproved software *and* malware. If the OS is secure enough to keep there from being any ways around this, it'll be ideal.

Oh, and of course, as long as such trusted computing stuffs can be turned off for users who purchase the hardware and don't wish to use it, it's a win-win all around.

Re:Vista + 'DRM' Hardware (1, Insightful)

Anonymous Coward | about 8 years ago | (#15703273)

I expect you'll be busier than you think signing software once you get what you've wished for.

Re:Vista + 'DRM' Hardware (1)

the_womble (580291) | about 8 years ago | (#15703647)

As I've said before, this would be a huge boon to IT departments all over the place. I'd love to be able to lock users to running a signed OS and only the apps we specifically approve and sign.

Why can you simply not give users admin? Am I missing something?

It's been a while since I used Windows but I can remember working at places where we had to phone IT to get stuff installed because we did not have admin. Is my memory at fault?

Re:Vista + 'DRM' Hardware (0)

Anonymous Coward | about 8 years ago | (#15703677)

The problem isn't installing stuff, the problem is being able to run something that's been downloaded. You could even copy and paste a program if you're good enough. That's how lots of malware starts to run.

dom

Too far? (1)

svunt (916464) | about 8 years ago | (#15703132)

If you're going to consider limiting users that much, why not simply disable web access or cd players, usb ports etc? I think ultimately, there are several ways to keep a machine safe from intrusion, but it's a compromise for most of us ... functionality vs security. If you want to tilt towards security, in-house systems, disabling activex controls, java, admin access etc are all effective to a certain degree, but much like your concept, sound extremely limiting. I mean, secretaries don't need any software other than pre-installed stuff? Right, what happens when said secretary needs to open an emailed document that requires a reader? It sounds extremely inflexible at a time when flexibility can be very important to businesses. If you wanted to be secure, you could also go back to paper & pencil, registered mail, and pay your bills by armed stagecoach.

Re:Too far? (1)

lanswitch (705539) | about 8 years ago | (#15703525)

secretaries don't need any software other than pre-installed stuff? Right, what happens when said secretary needs to open an emailed document that requires a reader?

Flexibility is not a problem. That emailed document will render just perfect in her web-based email. The only upgrade needed would be on the webserver.

console? (4, Insightful)

minus_273 (174041) | about 8 years ago | (#15703136)

Anyone else think this sounds a lot like the Xbox 360? Encryption keys and all.

Secretaries and scripts (1)

Dannon (142147) | about 8 years ago | (#15703138)

Just about every office I've worked at so far has a certain number of menial computer jobs that are unique to the job setting. And many of these menial jobs have been passed off to the secretary. And many times I've been asked to come up with a little push-button application, macro, script, batch file, or something, just to make the job easier.

And as a software developer, there's just no way a completely closed system is going to work for me....

Have had it for almost 30 years! (4, Insightful)

JoeCommodore (567479) | about 8 years ago | (#15703141)

Let's see, the Commodore PET, Apple II and TRS-80 were pretty much "can't touch this OS without a hammer" type computers.

Re:Have had it for almost 30 years! (1)

moosesocks (264553) | about 8 years ago | (#15703242)

Let's see, the Commodore PET, Apple II and TRS-80 were pretty much "can't touch this OS without a hammer" type computers.

Well, yes.... but the problem with the Apple ][ was that this was the sort of behaviour Woz encouraged. There was an entire industry dedicated to producing hardware devices that provided functionality that the OS would otherwise not allow.

On a more serious note, this was definitely a concession to the fact that the processors of the day just weren't able to perform many specialized tasks, which could otherwise have been accomplished via simple circuits. By providing a ridiculously simple hardware interface, the designers of the ][ (mostly Woz) ensured that the machine could perform tasks (albeit not out of the box) that their more expensive competitors couldn't even dream of doing. Today, this is no longer necessary, and we are gradually seeing every hardware interface controlled entirely by software, and expansion slots disappearing from desktop machines. Expansion devices today generally perform very little logic of their own.

Re:Have had it for almost 30 years! (2, Informative)

pyrrhonist (701154) | about 8 years ago | (#15703349)

Let's see, the Commodore PET, Apple II and TRS-80 were pretty much "can't touch this OS without a hammer" type computers.

Oh yeah? After booting Apple DOS 3.3 type the following at the AppleSoft BASIC prompt:

POKE 47616, 96
Now you can't read or write to a disk. Now that's malware!

Free karma if you can name what routine I disabled.

Re:Have had it for almost 30 years! (1)

vga_init (589198) | about 8 years ago | (#15703636)

I don't know how you got modded insightful for your comment; I have an Apple ][e sitting on my desk and there is absolutely nothing bulletproof about it. In fact, the hardware is designed to load and run software stored on a diskette immediately after the system is loaded. Since the system is stored on a ROM, there is no way to change this behavior--you call that secure by default? The software being loaded can do ANYTHING to the system at will. Nearly all DOS virii were spread this way.

Secondly, once the system is loaded, any user can access a command prompt immediately from which they have unrestricted access to all system resources: disks, memory--you name it. One wrong instruction (or right, depending on what your goals are) can corrupt the system irreversibly until you reboot, and maybe even trash some disks. Malware aside, even normal user programs do this accidentally! Once an old Tandy of ours had the file system on its disk corrupted entirely by a game. Just because the system that's being loaded off of the ROM can't be altered, that doesn't mean the system isn't extremely fragile and insecure after the ROM is loaded. Your data (the most important thing) is still at risk, and malware can have its way with you much more easily.

With more modern operating systems, scenarios like this are becoming harder and harder to imagine since usually user apps don't have this level of access, but not so with the machines you're referring to. The question posed in the article is asking for a step forward in one direction, and you're advocating 30 steps backwards.

Why not CD Boot? (1)

loony (37622) | about 8 years ago | (#15703143)

I don't quite get the point... If all apps have to be signed before install, then you have a point of attack. Intercept communications, fake checksums, attack the OS provider's server, ... wouldn't be much more secure than anything else.

Wouldn't it make more sense to go back to the live cd concept... You pick everything you need and then make a bootable cd out of that. We did that 10 years ago - was a lot of work but worked great. I'm sure over the years people have written better scripts than the hacks we did back then - but basically you would make a chroot filesystem, put all your apps in it and do all your testing until stuff worked. Then we created a boot floppy and out of that and the content of the chrooted filesystem, we made a bootable cd. That went into the production server (a high profile site back then that drew tons of attacks) and if the box got hacked, they still couldn't do anything with it.

That way you have 100% security from the point you were looking at - while still maintaining the ability to add/remove/modify things yourself as you need them...

Peter.

An OS without any 3rd party apps... (4, Funny)

FreeMath (230584) | about 8 years ago | (#15703148)

You mean like a Mac?

The Linux base LTSP system fills the bill (1)

swaha (101157) | about 8 years ago | (#15703151)

Check out the LTSP system.
With all the applications based on the server, and no program loading allowed, it can be just that.
It is very popular with schools.
http://desktoplinux.com/articles/AT3124052951.html [desktoplinux.com]

Re:The Linux base LTSP system fills the bill (1)

gd23ka (324741) | about 8 years ago | (#15703562)

I checked out the pictures of the "Grace Lutheran" case study and it creeped me out. I don't like seeing kids in uniforms.

No. (0)

Anonymous Coward | about 8 years ago | (#15703158)

Sane corporate environments don't allow users to install anything anyway. Non-root user accounts exist for a reason. Most OSes allow you to prevent executables from running from user-writable areas (e.g. in linux, mount /home noexec (see man mount)).

Your database would have to be tied to specific versions of the software to prevent new features breaking your previously certified model. Of course, this database would prevent you from installing security fixes until the security fix was approved by the DB maintainer. You would have to ensure that the applications that you trusted came from a specific source and matched the configuration that was tested, and if you've done that, you might as well supply a package format that can verify the contents and identity of the file to the database. It'd be nice if you could also provide license and dependency information, etc. Congratulations, you've just invented RPM, or APT, etc.

Re:No. (0)

Anonymous Coward | about 8 years ago | (#15703427)

Also, as pointed out by others, signed-only apps are no guarantee of security. See the X-Box's multiple software-only exploits. You only need one application to be exploitable. You can mitigate this risk but you cannot avoid it.

Why not instead..... (2, Interesting)

ezratrumpet (937206) | about 8 years ago | (#15703190)

....limit a machine to only outgoing traffic? That would let you use an office suite and send (but not receive) email.
 
Downside: you'd have to use a CD or flash drive to transfer documents on/off the machine. You couldn't receive email on the machine.
 
Upside: The only security risk would be by direct access.
 
Actually, the most secure machines probably aren't even password-protected. If the machine isn't attached to anything but a power cord, and the machine itself is inaccessible, then you've got a secure machine. If you're running Win3.1 or something, it might DIE, but it would be a secure death.

Come and get your nice, big wooden horse... (1)

babbling (952366) | about 8 years ago | (#15703832)

What happens when a connection that you initiated results in you getting infected with malware that initiates connections rather than listening for connections?

For example:
- LiveJournal ads recently had problems with an advertiser setting their ad to some malware.
- MySpace videos very recently had problems with videos containing malware.

as a software developer... (2, Insightful)

Xtifr (1323) | about 8 years ago | (#15703192)

...I would have to say no. At least not by itself. It's pretty hard to develop software if you can't install and test the software you're developing somewhere! ;)

As a component of a larger, networked system, which had parts where I could install and run the software I was developing, then yes, no problem. But alone, by itself, no, it would be completely useless.

Of course, there's still some interesting questions about this theoretical beast. Is it scriptable? I often have quick one-off tasks that are best done with a quick script. If I can't run one-off scripts, then it's not "up-to-scratch" and doesn't have "everything I need", and if it can, then it's not a completely closed, locked-down system. The only way around that, even in theory, is to have an infinite number of monkeys providing you with all the scripts you could ever need in advance, and even then, there'd probably be some difficulty finding the script you need right now from that infinite number of scripts. (Not to mention the costs of the infinibyte drives needed to store all those scripts.)

Bottom line, I think the notion of a machine that does "everything I need" is about as realistic as those old concepts of an irresistible force or an immovable object. Nice for creating logical paradoxes, but completely silly otherwise.

Good idea (1)

mnmn (145599) | about 8 years ago | (#15703196)

Its a good idea, only it already exists. Kinda.

Take any Windows, Linux or OSX system, and lock it down till it's just a kiosk.

There you go!

This is also doable with a windows98 installation onto a CD. Knoppix comes to mind for Linux. I've also tried setting up a kiosk like graphic OS to go onto a compactflash card that acts as an IDE device. I needed newer apps too many times on it.

See, a FIXED OS needs to be configured separately for each system since no one's requirements are the same as another's. QNX, Windows CE, PalmOS and ucLinux come to mind. But Windows 2000/XP etc will work too.

Did you mean an OS DESIGNED that way? The act of installation is managed by the libc and scripts to place it in the right folders. Take away the permissions and remove the scripts that do the installation (Windows Installer) and you're there. There's nothing more to redesign in the libraries or kernel.

It would be great if we didnt have pesky choices (1)

Gothmolly (148874) | about 8 years ago | (#15703200)

You know, all the products in the supermarket are really distracting. What I crave, as a product of modern USian culture and educational systems, is less choice. Why should I have to decide what to do? Surely someone could pick all the useful things for me. Maybe there could be some kind of vote, where we could all just agree to use what everyone thought was best. That would be a perfect world, with no cutthroat competition or need to worry about the future. Shouldn't I be free from worry and uncertainty?

real solution would be (1)

josepha48 (13953) | about 8 years ago | (#15703231)

more of a diskless system.

You would have the OS installed on a flash memory drive. Either it's in the system (embedded like) or it's a plugin card like an SD stick. Read only though. You have memory that you can use as program running space. You can save data to an external system like a flash drive.

Lastly, you would run applications from a second flash drive.

Think of a linux on cd kind of system (or other os) with no hard drive, and you save your data on a flash drive. All programs are on the cd. You can only read and save data to the flash drive, but not run programs from it. You'd have to remove the command prompt, and a few things from a linux distro to do it though.

You still have to worry about phishing. (1)

Inoshiro (71693) | about 8 years ago | (#15703240)

Unless your system is 100% proven for all inputs (of the input classes you are using), there is the possibility that an attacker can feed an input for which your program's state machine does not halt (and, instead, goes into other states, perhaps escalating privileges or otherwise doing anything).

So this means you either have completely disconnected systems, or you only use things like Spin [washington.edu] which are provably correct.

*groan* (4, Insightful)

voice_of_all_reason (926702) | about 8 years ago | (#15703280)

...it could be highly useful for example in the corporate setting...


Oh, for fuck's sake! Don't give them any more ideas.

The extra cost of technology staff and the risk of a shittastrophe are nothing compared to abysmal employee morale. If you don't let 'em stroke off for a few minutes a couple of times an hour by going to ebay or playing snood you're going to end up with a resentful staff. And they'll produce awful, crappy work for you.

Re:*groan* (2, Insightful)

dosius (230542) | about 8 years ago | (#15703645)

Employer: That's not what I fucking hired them for, they're here to work for me.

Me: I would leave the internal network detached from the Internet and remove all external sources of input except the keyboard/mouse, and put the OS on something read-only. Nothing gets in, nothing gets out. Works for work, not for play.

-uso.

Re:*groan* (0)

mOdQuArK! (87332) | about 8 years ago | (#15703860)

Employer: That's not what I fucking hired them for, they're here to work for me.

Employee: "Employer is an asshole. I hate this job. I wonder how much I can slack off without getting fired - hell, even if I get fired I'd be just as happy. I wonder if Employer knows about Joe embezzling company funds? Hell, it's not my money...who gives a damn about that asshole Employer, serve'm right to go bankrupt..."

Any employer with the attitude you have described is basically incompetent, and will receive the quality of services from their employees that the employer deserves.

What is so great about "OS-maker"? (1)

Sloppy (14984) | about 8 years ago | (#15703300)

I think it's fine (in some situations) for some central authority to be the one who decides what can be run on their computer.

What I don't get, is why the "OS-maker" would be that authority. Look at just who happens to be the OS-maker with the greatest marketshare, and ask yourself: should someone with that reputation for [in]security, be the one who is in charge? They practically invented the concept of having browsers that automatically install malware and media-insertion that installs rootkits.

Locking down computers? Maybe a good idea. OS-makers locking down computers? Sounds like putting the fox in charge of the henhouse.

Video game consoles (1)

philmack (796529) | about 8 years ago | (#15703301)

Video game consoles have been doing this for a long time. What you describe is exactly what an Xbox is... a computer with an operating system that only allows the user to run signed code (unless the users "get around" it... to show how viable this idea is) while only allowing the user to save documents.

Re:Video game consoles (0)

Anonymous Coward | about 8 years ago | (#15703328)

Likewise for the PS3. Then again Xbox is worse as it is in the ROM and in the OS while the PS3's is in the level two OS (a guest OS to the hypervisor OS).

Why? (1)

aoteoroa (596031) | about 8 years ago | (#15703350)

It sounds like going overboard to solve the problem. Like designing a house to be hurricane proof when you are building in Oregon.

Linux has long had the ability to be installed on read only media. So your dream system already exists.

Even windows provides enough security to solve the problem. Running as a standard user I feel my windows computer is fairly safe from browsers, rootkits installing themselves from audio cds, and loads of other shady software.

It's a bit of a hassle sometimes. I moved from one timezone to another and can't change the time on my computer's clock. It's been about 8 months now and I still haven't bothered logging in as administrator to change the time.

Xbox? (1)

ka9dgx (72702) | about 8 years ago | (#15703357)

Isn't this exactly what the X-box is? A closed, locked down system... which totally prevents the execution of third party applications. [xbox-linux.org]

Of course, it's not secure if anything running anywhere has the ability to modify the system files.

--Mike--

Too simple a model (1)

0biter (915407) | about 8 years ago | (#15703367)

This model is predicated on, I think, a fairly simplistic conceptualization of software. It seems to assume that one can draw clean borders between pieces of software, i.e., that a web browser, a word processor, or an image editor is a discrete unitary entity. The reality is quite far from the truth of plug-ins, extensions, proprietary data formats, competing standards, and the inevitable need to communicate with an external world that is constantly changing.

Not on my PC (2, Insightful)

egarland (120202) | about 8 years ago | (#15703386)

I have no problems with this setup if the computer is my Cell Phone. My PDA could be set up to only run signed apps, that wouldn't bother me much. But my PC isn't really a PC without the ability to accomplish arbitrary tasks.

The concept is also flawed. Just because something isn't an executable doesn't make it not contain instructions that tell your computer to do something. Word macro viruses are a great example of this kind of problem. It's just a simple word processing document.. but it can also be a virus. The .mp3 and .jpg buffer overrun bugs are great examples of this too. A format that doesn't even include programmability can be used to induce your computer to do something against your will.

This is not the answer to computer security.

Here's my solution. It's pretty simple. (0)

Anonymous Coward | about 8 years ago | (#15703393)

I dual boot Linux and Windows.

I use Windows on the rare occasions I need it but Windows is NEVER connected to the Internet. Linux is.

Problem solved.

Seriously, this has worked well for me for several years now.

Sounds familiar... (1)

Arceliar (895609) | about 8 years ago | (#15703441)

You know, I think I have a computer made like this. It only runs software provided specifically for it and signed by the vendor's company. It's called an X-Box, and I use it to run linux. *Evil laughs*

Seriously though, think about it, that's essentially how the recent generations of game systems have gone. Specialized hardware with software built for one purpose, signed by the vendor so that nothing else can run. And as xbox-linux shows, there will always be ways to circumvent this without direct access to the hardware.

My advice would be steer clear of an actual livecd/dvd itself, due to the significantly reduced speed of such a system. In the case of linux, just go with a setup where the majority if not all of the filesystem is read-only to the user. Or beyond that even, have the main filesystem contain a loopback read-only filesystem. A great example would be Damn Small Linux, it can copy the disc image to the harddrive and it doesn't take a lot to set up a kernel to read from that on boot. And in that particular case, DSL is modular, so adding approved software doesn't take a lot of effort.

Another potential candidate would be something like dyne:II, similar to DSL in its live and extensible nature, but it has a much larger software library to choose from by default.

Of course, users will always need to save their documents and such somewhere. Retaining the ability for a less-than-computer-literate user to perform basic tasks such as saving the vacation photos of their grandkids in an email attachment, while keeping the rest of the system closed off but still functional, can be quite difficult to do without accidentally leaving a door open which could let in something potentially malicious.

But then again, what is life without risk?

GPL 3 (1)

Plautius (626357) | about 8 years ago | (#15703442)

So, I'm not meaning to troll, but a likely implementation is some sort of signing of the code that would be allowed to run and someone would have to hold the private keys. Is this against the terms of GPL 3? Would this be effectively like a DRM technology? My understanding of GPL 3 is mainly based on the threads on linux-kernel where Linus explains why he thinks that GPL 3 would be bad for linux. It would be interesting to see if one could have a slightly more flexible system where I could sign the code I allow as a method of virus prevention. Usually Ask Slashdots are pretty OT but I find this one fascinating.

Do you understand? (1)

Spazmania (174582) | about 8 years ago | (#15703522)

Do you understand the Secretary's job? I mean really understand it, the official and unofficial parts. Do you understand it enough better than she understands it so that you can build a computer that does all of the things she needs and wants it to do? And don't forget, it needs to do everything her boss decides she needs to do with it.

I'm not -that- smart and I'll bet that you aren't either.

There are places where a closed OS works. Think wireless router or Internet appliance. But the desktop? Not so much.

Symbian OS 9.1 for cell phones. (2, Informative)

S3D (745318) | about 8 years ago | (#15703552)

Symbian OS from v9.1 is very close to being a "Closed OS" (pun intended). If an application uses any "capability" (for example the camera API) - anything but the most basic functions - it should be signed - endorsed by a "test house", which has a license from Symbian itself. Third party applications are still possible, but only from certified developers. So if Symbian v9.1 is any success there will probably be more closed OSes in the future.

Application signing is not a silver bullet (1)

bit01 (644603) | about 8 years ago | (#15703625)

There's nothing special about application signing. Making your existing read-write partitions and any mount no-execute is the equivalent of saying all existing applications are signed and no others are and would solve this problem.

Application signing can be compromised just as much as the above. If done properly it does give an extra layer of protection.

You might say that one difference is that application signing can be done remotely so that the owner of the computer loses control but that's no different from the owner not having the root/administrator password.

Both can be compromised by physical access to the hardware though TCPA does try to make access to the key hardware hard.

Application encryption can block the owner from executing anything the encryptor has encrypted but that still requires the keys to be obtained from somewhere when the application runs, either the net or embedded hardware, and there is a potential hole if the owner can capture those keys.

---

Unregulated DRM = Total Customer Control = Ultimate Customer Lockin = Death of the free market.

Executable Management (1)

Constellation (125410) | about 8 years ago | (#15703696)

You are indirectly referring to the concept of executable management. The central idea here is to only allow trusted programs to run on the system. Under such a scheme the kernel would have a list of allowed programs (and libraries) complete with MD5 hashes etc. (to establish a chain of trust). When a program is executed the kernel would calculate its MD5 sum (and sums for anything else that is loaded into memory) and if the calculated sum isn't on the list then the program is not allowed to run. Under this scheme the users could "install" anything that they want on the system, but if it's not approved it doesn't run.

While a system like this would keep "bad" software from running on the system it is not a silver bullet (nothing ever will be), as someone will find ways around it. For example using an exploit in an allowed application that is already running.

There are also a couple of big limitations here, or with any system with the restrictions that you are asking about. First someone has to keep a list of the allowed applications, and update it regularly. This should be someone like the corporate IT department, it doesn't make sense to put the burden on the OS vendor as you want the minimum set of applications on your systems and the OS vendor wants the maximum set. Secondly this completely breaks software development, for obvious reasons.

I don't currently know of any operating system that implements these features.
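A userspace sketch of the executable-management idea in the comment above, added here as an example and not code from the poster or from any shipping OS. It gates execution on the SHA-256 of the program's bytes rather than the MD5 the post mentions (MD5 collisions are practical today). The "system" it builds (a tool, an interpreter named interp, a dropped binary and a script) is constructed in a temporary directory; none of those names or paths come from the thread. It shows the three cases worth checking: an unapproved binary is refused, an approved binary that has been tampered with in place is refused, and, the failure mode raised elsewhere in the thread, an approved interpreter handed an unapproved script sails through because the gate only ever sees argv[0].

```python
"""Userspace model of a hash-based executable allowlist. Added example, not
code from the original thread or from any real kernel. SHA-256 stands in for
MD5; files, paths and the 'interp' interpreter are constructed for the demo."""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class ExecGate:
    """Stands in for the kernel-side hook. Keyed by content hash, not path,
    so copying or renaming an approved binary still works and swapping its
    bytes does not."""

    def __init__(self, approved_hashes):
        self.approved = set(approved_hashes)

    def check(self, argv):
        """Return (allowed, reason). Only argv[0] is hashed, which is all an
        exec-time hook sees; the remaining arguments are data to it."""
        try:
            digest = sha256_file(argv[0])
        except OSError as exc:
            return False, "cannot read %s: %s" % (argv[0], exc)
        if digest in self.approved:
            return True, "hash approved"
        return False, "hash %s... not on allowlist" % digest[:12]


def run_demo():
    """Build a tiny system in a temp dir and exercise the gate. Returns a
    dict of the allow/deny decisions so callers can check them."""
    with tempfile.TemporaryDirectory() as root:
        tool = os.path.join(root, "bin", "tool")
        interp = os.path.join(root, "bin", "interp")
        dropped = os.path.join(root, "home", "user", "dropped")
        script = os.path.join(root, "home", "user", "task.script")
        # Constructed file contents; real binaries would be ELF, which the
        # gate does not care about since it hashes raw bytes.
        for path, body in ((tool, b"approved tool v1\n"),
                           (interp, b"approved interpreter\n"),
                           (dropped, b"not approved\n"),
                           (script, b"do_evil()\n")):
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(body)

        # The allowlist is taken from the approved binaries as installed.
        gate = ExecGate([sha256_file(tool), sha256_file(interp)])
        results = {}
        results["approved_tool"] = gate.check([tool])[0]
        results["dropped_binary"] = gate.check([dropped])[0]

        # Tamper with an approved binary in place: same path, new bytes.
        with open(tool, "ab") as f:
            f.write(b"backdoor\n")
        results["tampered_tool"] = gate.check([tool])[0]

        # The loophole: an approved interpreter runs whatever script it is
        # handed, and the gate only ever sees the interpreter.
        results["interp_with_script"] = gate.check([interp, script])[0]
        return results


if __name__ == "__main__":
    for name, allowed in run_demo().items():
        print("%-20s %s" % (name, "run" if allowed else "blocked"))
```

The interpreter case is the practical limit of any allowlist that keys on the executed file: once a shell, a scripting runtime or a macro engine is on the list, the list no longer bounds what code runs, only which loader runs it.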

Should be possible with Linux. (1)

Karellen (104380) | about 8 years ago | (#15703699)

Hmmm...with Linux, the only places that regular users can write to anyway are their home directory and /tmp. They need write access to those areas to be able to save stuff. Unfortunately, we probably can't stop them creating or downloading executables to those areas.

However, mount(8) has a great option - "noexec" - that can be used to prevent files from any partition being executed. If you put restricted users' home directories in /nxhome (no execute home) and mount /nxhome and /tmp as "noexec", that would probably do the trick.

mount w/ noexec (1, Redundant)

Door-opening Fascist (534466) | about 8 years ago | (#15703709)

You can mount filesystems with the noexec flag, which will prevent files from being executed. Have user directories mounted like that, and just have executables where users can't write to.
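Several posts in this thread (the "Non-root user accounts exist for a reason" one, bit01's, Karellen's and the one just above) give the same advice: mount the writable areas noexec. The audit below, added as an example and not code from any of the posters, parses a /proc/mounts-style table, resolves which mount a given path lands on (longest mount-point prefix wins, as in the kernel), and reports the mounts a user can both write to and execute from. The mount table is constructed for the demo; the /nxhome mount point follows Karellen's naming and the "usb stick" entry is there to exercise the octal escaping /proc/mounts uses for spaces in paths.

```python
"""Audit which mounts a user could execute files from, working from
/proc/mounts-style lines. Added example for the "mount noexec" advice in the
thread; not code from the original posters. SAMPLE_MOUNTS is constructed."""
import os

# Constructed sample in the exact format of /proc/mounts:
# <source> <mountpoint> <fstype> <options> <dump> <pass>
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sda2 /home ext4 rw,relatime 0 0
/dev/sda3 /nxhome ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sdb1 /media/usb\\040stick vfat rw,nosuid,nodev,relatime,uid=1000 0 0
"""


def unescape_mount_field(field):
    """The kernel writes space, tab, newline and backslash inside mount
    fields as three-digit octal escapes (\\040 for space); undo that so the
    path compares correctly."""
    out, i = [], 0
    while i < len(field):
        if field[i] == "\\" and i + 3 < len(field) and field[i + 1:i + 4].isdigit():
            out.append(chr(int(field[i + 1:i + 4], 8)))
            i += 4
        else:
            out.append(field[i])
            i += 1
    return "".join(out)


def parse_mounts(text):
    """Turn /proc/mounts text into a list of dicts with an options set."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        mounts.append({
            "source": unescape_mount_field(parts[0]),
            "mountpoint": unescape_mount_field(parts[1]),
            "fstype": parts[2],
            "options": set(parts[3].split(",")),
        })
    return mounts


def mount_for_path(mounts, path):
    """Resolve the mount a path lives on: the longest mount point that is a
    prefix of the path wins, which is how the kernel resolves it too."""
    path = os.path.normpath(path)
    best = None
    for m in mounts:
        mp = m["mountpoint"]
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best["mountpoint"]):
                best = m
    return best


def exec_allowed_from(mounts, path):
    """True if the mount options would let execve() of a file at this path
    proceed (file mode bits are a separate check the kernel also makes)."""
    m = mount_for_path(mounts, path)
    return m is not None and "noexec" not in m["options"]


def writable_exec_mounts(mounts):
    """Mounts a user can both write to and run binaries from: the places the
    thread's advice says should not exist for ordinary users."""
    return sorted(m["mountpoint"] for m in mounts
                  if "rw" in m["options"] and "noexec" not in m["options"])


if __name__ == "__main__":
    # On a live box replace SAMPLE_MOUNTS with open("/proc/mounts").read().
    table = parse_mounts(SAMPLE_MOUNTS)
    print("rw+exec mounts:", writable_exec_mounts(table))
    for p in ("/home/alice/dropper", "/nxhome/alice/dropper", "/tmp/dropper"):
        print(p, "exec allowed" if exec_allowed_from(table, p) else "noexec")
```

Two caveats a practitioner will want alongside this: noexec only stops the kernel from execve()ing a file on that mount, so "sh /home/alice/x.sh" or "python x.py" still runs the contents through an interpreter that lives on an exec-allowed mount; and the root filesystem being rw in the sample is exactly the condition under which a user-writable directory on it (there are usually a few, such as /var/tmp) gives the same loophole.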

Always loopholes (1)

Spudley (171066) | about 8 years ago | (#15703752)

There will always be loopholes in every system.

To (mis)quote Morpheus, "It's a system, and like every system, it has rules. Some of those rules can be bent; others can be broken."

No matter how tight you try to make it, the malware writers will always find a way around it. They may use scripting systems (even this hypothetical closed system would need some sort of scripting capability), or they may find a way to circumvent the lockout mechanism, or any number of other unpredictable ways to get in.

Complete security is a fallacy.

Thin Client (1)

dltaylor (7510) | about 8 years ago | (#15703756)

In a corporate world, most users should have nothing but a thin client (without USB or FireWire ports). Not only can nothing be installed, but they can't "appropriate" any data, either, if the email outbound filtering is working. Data loss when a desktop crashes is minimal-to-none, with the data on an IT-maintained server. Thin clients CAN be built from diskless boot PCs, but it is often simpler to just buy them than do the research to figure out exactly which packages to build into an initrd image to support your corporate apps. It used to be possible to build diskless M$-Windows systems, but I won't have XP, so I don't know the limitations of its ramdisk. One trick we used to use on di*kless Sun workstations after disk prices came down was to use a disk for /tmp and swap, rather than the networked drives. 'Could probably be done today with some CompactFlash socketed into an IDE port (something like this: http://www.acscontrol.com/Index_ACS.asp?Page=/Pages/Products/CompactFlash/IDE_To_CF_Adapter.htm [acscontrol.com] ).