Reviewing Other Platforms
Google is attempting to implement its Chromium sandbox architecture in Linux, but it's not as straightforward to implement as it is in Windows. And the company will have the same problems on a Mac. The implementation requires a lot more convoluted hacking and meticulous programming, but the result is an environment in which applications can run safely without the ability to harm other elements of the system. It's the most general secure architecture out there and raises the possibility that the Chrome OS could be more than just a Web browser. Google hasn't given us enough guidance to know for sure, but it's possible that any program that runs in Chromium on a PC or Mac will run in Chrome OS. Or maybe not, since the browser is the only user interface for Chrome OS.

IE Protected Mode and Protected View in Microsoft Office 2010 are examples of a philosophy that will imbue the operating system of the future: least privilege, the idea that no user or process should run with any more privileges than they absolutely need. It's not a new idea. It's been implemented for ages in Unix and derivatives, but never all that accessibly. In Windows, there have been two major problems impeding the widespread use of least privilege computing: poorly designed applications that needlessly require administrator privileges and poor support for standard users in Windows XP. Windows Vista and Windows 7 provide much better support for standard users, but legacy apps continue to present a challenge in many enterprises. If you're still compromising your security by granting users elevated permissions to allow such apps to run, you really need to find an exit strategy.

It's not a feature you can use yourself, but the operating system of the future will also be better-tested. Recently, researcher Charlie Miller was able to find 20 critical vulnerabilities in Mac OS X by running a fuzzer for three weeks. Why wasn't Apple running those fuzzers?
In fact, Apple is moving in the right direction in this regard, as are most OS vendors, but it's never fast enough. As least privilege, sandboxes and other techniques harden applications, attackers will move toward attacking the operating system code itself, much of which will, of necessity, be privileged. Protection of this code will be much harder, but some companies are working on the problem, including grsecurity, which develops Linux systems that attempt to reduce and manage privilege throughout the kernel.
What is available on those other platforms? Linux has a sandboxing feature called SECCOMP, which was originally designed for compute-bound utility computing environments. SECCOMP is really (really, really) restrictive: A thread running in it has access only to a very small number of system calls: read(), write(), exit() and sigreturn(). Any other call terminates the thread. This makes it really safe, but impractical for real-world programs.
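To see how narrow SECCOMP strict mode really is, here is a small Linux demonstration added for this article (not code from the original, Google or grsecurity): a forked child enters `SECCOMP_MODE_STRICT` via `prctl()`, and the parent reports whether the child survived a permitted `write()` or was killed for an otherwise harmless `getpid()`. The result names, the helper functions and the child exit code 99 are this example's own conventions; it assumes an x86-64 or arm64 Linux kernel built with seccomp.

```c
#define _GNU_SOURCE
#include <linux/seccomp.h>   /* SECCOMP_MODE_STRICT */
#include <sys/prctl.h>       /* prctl(), PR_SET_SECCOMP */
#include <sys/syscall.h>     /* SYS_* numbers for raw syscalls */
#include <sys/wait.h>
#include <signal.h>
#include <stdio.h>
#include <unistd.h>

enum { STRICT_OK = 0, STRICT_KILLED = 1, STRICT_UNAVAILABLE = 2, STRICT_ERROR = -1 };

/* Fork a child, put it into SECCOMP_MODE_STRICT, run fn() there and report what
 * the kernel did with it. The child uses raw syscalls only: libc's exit()/_exit()
 * issue exit_group(), which is NOT one of the four allowed calls. */
static int run_strict(void (*fn)(void))
{
    pid_t pid = fork();
    if (pid < 0) return STRICT_ERROR;
    if (pid == 0) {
        /* Fails (EACCES) if the process already runs under a seccomp filter,
         * e.g. a container runtime's default profile: strict mode cannot
         * replace filter mode, so we report "unavailable" via exit code 99. */
        if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT) != 0)
            syscall(SYS_exit, 99);
        fn();
        syscall(SYS_exit, 0);            /* plain exit() is on the allow-list */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return STRICT_ERROR;
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGKILL) return STRICT_KILLED;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0) return STRICT_OK;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 99) return STRICT_UNAVAILABLE;
    return STRICT_ERROR;
}

/* read()/write() are permitted, so this child lives to reach its exit(). */
static void allowed_work(void)
{
    static const char msg[] = "write() is allowed in strict mode\n";
    syscall(SYS_write, STDOUT_FILENO, msg, sizeof msg - 1);
}

/* Anything else, even getpid(), gets the thread killed with SIGKILL. */
static void disallowed_work(void) { syscall(SYS_getpid); }

/* 1 = behaved as the article describes, 2 = strict mode unavailable here, 0 = unexpected. */
static int strict_mode_demo(void)
{
    int a = run_strict(allowed_work), d = run_strict(disallowed_work);
    if (a == STRICT_UNAVAILABLE && d == STRICT_UNAVAILABLE) return 2;
    return (a == STRICT_OK && d == STRICT_KILLED) ? 1 : 0;
}

int main(void) { printf("strict_mode_demo() = %d\n", strict_mode_demo()); return 0; }
```

A kernel that enforces strict mode also logs the kill through the audit subsystem, which is the signal a defender watches for when a sandboxed worker starts issuing syscalls it should never need.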