[cap-talk] Windows Vista: security by admonition

David Hopwood david.nospam.hopwood at blueyonder.co.uk
Tue Jun 6 09:57:36 EDT 2006


Micah Brodsky wrote:
> The example we've been talking about is an interesting case, though.
> Rather than administering the user's ordinary privileges, UAC is about
> administering extraordinary privileges, those that modify global system
> state. These are privileges beyond the ordinary needs of users, and from
> this perspective, it makes little more sense to grant them unconditionally
> to the user's shell than it does, for example, to grant the user's full
> privileges to a web browser. Instead, by going out of band to a very
> compact, trustworthy broker to request particular privileges in the rare
> cases they are needed, a lot less code needs to keep administrative
> privileges around.

Regardless of what "extraordinary privileges" a shell has, it is already in
the user's reliance set. There is no possibility of building a secure OS
without a secure shell (or shells).

Just look at it from an attacker's point of view: given control of the shell,
can you do anything you want regardless of any UAC-like mechanism? Yes, almost
certainly.

If any UAC authorizations are needed, you have so much control over the context
presented to the user, that a social engineering attack to make it look as
though they are authorizing something harmless is quite feasible, even if the
UAC dialog contradicts that. But you probably don't need UAC authorizations,
anyway.

I take the point that Vista's UAC is only attempting to approach the security
level of Unix, but this argument applies to any OS.

-- 
David Hopwood <david.nospam.hopwood at blueyonder.co.uk>
