Contrasting the authority of code in different architectures
Here are some points where a capability architecture limits the authority of code so as to limit the impact of compromised or malicious code.
- Among conventional systems, Unix is probably the one that most limits the authority that code wields.
- The several megabytes of kernel code runs with total authority.
It is widely reviewed.
- Kernel drivers also run with total authority and are not so widely reviewed.
- Daemons listen for connections from communication networks such as the Internet.
Many daemons run with root authority, which is equivalent to the kernel's authority.
A daemon is typically designed to serve some user of the system once the user has proven his identity with a password or such.
This requires the daemon to run with the combined authority of all of the users until the identity is established.
Most daemons retain that combined authority even after the user is identified.
- Many applications run with only the authority of the user that invokes them.
All of the user’s private data is at risk from a malicious application or an application he runs that has been subverted by a virus.
The program has the authority to read any data that he can and also the authority to send it on the Internet to arbitrary places.
- The web server can be installed in Unix in just one of two ways, either of which has unfortunate consequences:
- Either the server runs with total authority (root), which may be abused through any flaw in the rich interface web servers must support.
- Or the server runs with the authority of an artificial user, but then it cannot further limit the authority of the CGI scripts that it launches.
All CGI scripts controlled by one server thus have the combined authority of the other scripts at that site.
Many web servers host many independent, even competing sites.
(Setuid wrappers such as Apache's suEXEC let each site's scripts run as a separate user, but only by adding one more setuid-root program to the code that must be trusted.)
- Windows NT has approximately the same model as Unix, and the same problems.
The default mode for Windows is for users to run with Administrator privilege (the equivalent of root), so subverted applications that on Unix could destroy only one user's data can destroy the whole system.
- Mac OS X from Apple defaults to the user running without write access to the system.
- Mach subdivides the Unix kernel so that a flaw in the file system cannot be used directly to subvert the Internet security apparatus.
But where in Mach such a flaw can be used by one file system user to reach other users' files, in Keykos a flaw in the file system logic affects only the user whose actions expose it: the damage is limited to that user's own data.
By contrast, a Keykos system gives programs far less authority than even Unix or Mach does.
In contrast to the Unix kernel the Keykos kernel is perhaps 250 KB in size.
Keykos has about as much code with ‘root access’ outside the kernel as in.
In Unix much more code runs with root access; the setuid and setgid programs in the standard directories alone are revealed by the shell commands
"ls -lL /usr/bin /usr/sbin | grep -e -sr" and
"ls -lL /usr/bin /usr/sbin | grep -e wsr",
which pick out permission strings with the setuid or setgid bit set, respectively without and with write permission in the same triple (the "-e" is needed only because the first pattern begins with a dash).
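A sturdier way to make the same count, added here as an example and not part of the original page: instead of pattern-matching the ls listing (where a file name containing "-sr" would be a false positive), inspect the mode bits directly and report setuid, setgid and ownership separately. The directory names are arguments; the demo tree built by make_demo_tree() is a constructed fixture so the walker can be exercised without touching /usr.

```python
"""Enumerate setuid/setgid executables by inspecting mode bits.

Added example (not from the original page): a replacement for the
``ls -lL ... | grep`` pipeline in the text. It reads the mode bits with
os.stat rather than pattern-matching the ls listing, so a file whose name
happens to contain "-sr" is not a false positive, and it reports setuid,
setgid and ownership separately. Directory names are arguments, not
assumptions about any particular system layout.
"""
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class PrivilegedFile:
    path: str
    setuid: bool
    setgid: bool
    owner_uid: int
    group_gid: int

    @property
    def name(self) -> str:
        return os.path.basename(self.path)

    @property
    def runs_as_root(self) -> bool:
        # A setuid file owned by uid 0 executes with root's authority, the
        # kernel-equivalent authority the page is counting.
        return self.setuid and self.owner_uid == 0


def find_privileged(dirs: Iterable[str]) -> List[PrivilegedFile]:
    """Walk each directory; like ``ls -L`` the stat follows file symlinks.
    Directory symlinks are not followed, so a link loop cannot hang the walk."""
    found: List[PrivilegedFile] = []
    for top in dirs:
        for root, _subdirs, files in os.walk(top, followlinks=False):
            for name in files:
                path = os.path.join(root, name)
                try:
                    st = os.stat(path)          # follows a symlink to its target
                except OSError:
                    continue                    # dangling link or unreadable entry
                if not stat.S_ISREG(st.st_mode):
                    continue
                setuid = bool(st.st_mode & stat.S_ISUID)
                setgid = bool(st.st_mode & stat.S_ISGID)
                if setuid or setgid:
                    found.append(PrivilegedFile(path, setuid, setgid, st.st_uid, st.st_gid))
    return sorted(found, key=lambda f: f.path)


def make_demo_tree() -> str:
    """Constructed fixture: a temp directory with one plain, one setgid and one
    setuid file (all owned by the current user), for exercising the walker."""
    d = tempfile.mkdtemp(prefix="suid-demo-")
    for fname, mode in (("plain-tool", 0o755), ("setgid-helper", 0o2755), ("setuid-tool", 0o4755)):
        p = os.path.join(d, fname)
        with open(p, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(p, mode)
    return d


if __name__ == "__main__":
    for f in find_privileged(["/usr/bin", "/usr/sbin"]):
        flags = ("u" if f.setuid else "-") + ("g" if f.setgid else "-")
        print(f"{flags} uid={f.owner_uid:<6} gid={f.group_gid:<6} {f.path}")
```

Run as a script it prints one line per privileged executable under /usr/bin and /usr/sbin; the equivalent shell query is `find /usr/bin /usr/sbin -type f \( -perm -4000 -o -perm -2000 \)`. Each file listed is code that runs with more authority than the user who invokes it, and each setuid-root entry runs with the kernel's.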
Another difference is that much administrative work in Unix requires the user to run with root privilege.
This means that even utilities that have no need of such access have it when the administrator uses them for such work.
Even correct and uncompromised code may become a confused deputy when it acts with several sources of authority at once.
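The confused deputy, as an added example that is not code from the original page: a "compiler" deputy writes the output file its caller asks for and also appends a record to a billing file that only the compiler may write. In the ambient-authority version the caller supplies a file name and the deputy opens it with its own authority, so naming the billing file clobbers it; in the capability version the caller hands over a file it opened itself, and the deputy's authority never reaches anything the caller could not open. Since one test process cannot hold two real user ids, OS permissions are simulated by a Principal that may open files only beneath its own directory; the class names, "alice" and the billing file are all constructed.

```python
"""Confused deputy: ambient authority versus an explicitly passed capability.

Added example, not code from the original page. It models the classic case:
a compiler acts as a deputy that writes the output file its caller asks for
and also appends a record to a billing file that only the compiler may write.
OS permissions are simulated by a Principal that may open files only beneath
its own directory, because one test process cannot hold two real user ids.
All names (Principal, Compiler, "alice", the billing file) are constructed.
"""
import os
import tempfile
from typing import IO


class Principal:
    """A party whose authority is: write only beneath its own directory."""

    def __init__(self, name: str, home: str) -> None:
        self.name = name
        self.home = os.path.realpath(home)

    def may_write(self, path: str) -> bool:
        real = os.path.realpath(path)
        return os.path.commonpath([real, self.home]) == self.home

    def open_for_write(self, path: str, mode: str = "w") -> IO[str]:
        if not self.may_write(path):
            raise PermissionError(f"{self.name} may not write {path}")
        return open(path, mode)


class Compiler:
    """The deputy. It holds its own authority (over the billing file) and is
    handed requests by callers who hold less."""

    def __init__(self, me: Principal, billing_path: str) -> None:
        self.me = me
        self.billing_path = billing_path

    def _bill(self, who: str) -> None:
        with self.me.open_for_write(self.billing_path, "a") as f:  # deputy's own authority
            f.write(f"{who}:1\n")

    def compile_ambient(self, who: str, output_path: str, source: str) -> None:
        """Confused: the caller supplies a NAME and the deputy resolves it with
        the deputy's own authority, so the caller can name the billing file."""
        with self.me.open_for_write(output_path) as f:
            f.write(source.upper())
        self._bill(who)

    def compile_capability(self, who: str, output: IO[str], source: str) -> None:
        """Not confused: the caller supplies an already-open file, a capability
        it obtained with its own authority. The deputy never names a file on
        the caller's behalf, so its own authority reaches only the billing file."""
        output.write(source.upper())
        self._bill(who)


def run_scenario(use_capability: bool) -> str:
    """Constructed scenario: the caller asks for output in the billing file.
    Returns the billing file's final contents."""
    root = tempfile.mkdtemp(prefix="deputy-demo-")
    compiler_home = os.path.join(root, "compiler")
    alice_home = os.path.join(root, "alice")
    os.mkdir(compiler_home)
    os.mkdir(alice_home)
    billing = os.path.join(compiler_home, "billing")
    with open(billing, "w") as f:
        f.write("bob:3\n")                          # an existing record

    compiler = Compiler(Principal("compiler", compiler_home), billing)
    alice = Principal("alice", alice_home)

    if use_capability:
        try:
            out = alice.open_for_write(billing)     # refused: not alice's authority
        except PermissionError:
            out = alice.open_for_write(os.path.join(alice_home, "a.out"))
        with out:
            compiler.compile_capability("alice", out, "hello")
    else:
        compiler.compile_ambient("alice", billing, "hello")   # deputy clobbers billing

    with open(billing) as f:
        return f.read()
```

run_scenario(False) returns the billing file with Bob's record overwritten by the compiled output, and run_scenario(True) returns it intact with Alice's record appended. The fix is not a check added to the deputy but a change in what crosses the interface: an open file (a capability) instead of a name to be resolved with whatever authority the deputy happens to hold, which is the distinction the Keykos design is built around.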