[cap-talk] More Heresy: ACLs not inherently bad

Karp, Alan H alan.karp at hp.com
Thu Oct 2 16:47:42 CDT 2008


Shap wrote:
>
> > There is no fix because the system is running the way it was designed
> > to run.
>
> This is not entirely clear. Setting aside that any correlation between
> behavior and design intent in something the size of Windows is an
> accident, I agree only partially. The interesting question is whether
> interposition might recover enough control to manage the sort of problem
> that you identify. There is some evidence that the answer is "yes".
>
All our current operating systems are designed to run processes in the account that started them.  While you can do setuid on Linux and runAs on Vista, which is the way I run IE, it's too inconvenient for most people.

Interposition would indeed work and is feasible on Linux.  We looked at doing it on Windows, and the task looks overwhelming.  There are something like 1,000 calls into the win32 library.  While there are only some 200 in ntdll, they are poorly documented.  (Info at least 10 years old.)  To make matters worse, a system call is made with an assembly language interrupt instruction, which means that an attacker who can execute arbitrary code can bypass any interception.

________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
http://www.hpl.hp.com/personal/Alan_Karp
