WindowBox, a simple security model for the connected desktop
Dirk Balfanz, Dan Simon

Summary: Security techniques fail on PCs because security mechanisms are improperly applied (or: it's the policy, stupid). The authors propose a security model based on complete separation, built on the multiple-desktop feature of Windows 2000.

Main points:
* End users don't understand security policy, but they do understand the idea of complete separation: a machine that is completely isolated is "secure".
* ACL-based schemes are tedious at best. Systems typically resort to defaults that are applied independent of context.
* Designing a user interface for expressing security policy is extremely difficult. Multiple isolated desktops are one approach to this problem.
* Implementation: each desktop is associated with its own user group (Alice.Personal, Alice.Fun, etc.). Applications cannot access objects outside the user group of the desktop they run in. Applications on a desktop can also be given restricted network access.

Weaknesses:
- This work does not address the problem of buggy OS implementations.
- It isn't clear how this work protects insecure privileged services (sendmail, fingerd, etc.). For example, no attempt is made to prevent applications from launching setuid programs.
- Windows maintains global state (e.g., the registry) that is shared by all desktops and can be used to subvert the separation (a violation of the principle of least common mechanism).
- The screen itself is a common mechanism that could be subverted. For example, a malicious application could paint a picture of a different desktop in the background.
- There is no notion of resource management; denial of service is not considered.

Bottom line: The threat model here appears to be running untrusted executables such as email attachments. WindowBox's ability to protect against system break-ins is dubious. The presence of Win2k under the hood is a liability.
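The per-desktop isolation model summarized above, and the global-state weakness, as a toy reference monitor. This is illustrative code added to this summary, not the authors' implementation: desktop names, hosts, file names and the registry key are made up, and an object created with `shared=True` stands in for Windows global state that every desktop can reach.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed toy model of the WindowBox idea: each desktop is its own user
# group, each object is owned by one group, and the monitor permits an access
# only when the calling process's desktop group owns the object.  Objects with
# group=None model Windows global state (e.g. the registry), which is visible
# from every desktop.  Hypothetical names throughout; not the paper's code.


@dataclass
class Desktop:
    group: str                                        # e.g. "Alice.Personal"
    net_allow: Set[str] = field(default_factory=set)  # hosts this desktop may reach


@dataclass
class Obj:
    name: str
    group: Optional[str]   # owning desktop group; None = global / shared
    data: str = ""


@dataclass
class Process:
    desktop: Desktop       # the desktop (user group) the process runs in


class Monitor:
    def __init__(self) -> None:
        self.objects: Dict[str, Obj] = {}

    def create(self, proc: Process, name: str, shared: bool = False) -> Obj:
        # New objects are labelled with the creator's desktop group unless
        # they are explicitly global (shared) state.
        obj = Obj(name, None if shared else proc.desktop.group)
        self.objects[name] = obj
        return obj

    def can_access(self, proc: Process, name: str) -> bool:
        obj = self.objects[name]
        return obj.group is None or obj.group == proc.desktop.group

    def write(self, proc: Process, name: str, data: str) -> bool:
        if not self.can_access(proc, name):
            return False            # cross-desktop access denied
        self.objects[name].data = data
        return True

    def read(self, proc: Process, name: str) -> Optional[str]:
        if not self.can_access(proc, name):
            return None             # cross-desktop access denied
        return self.objects[name].data

    def can_connect(self, proc: Process, host: str) -> bool:
        # Per-desktop network policy: only allow-listed hosts are reachable.
        return host in proc.desktop.net_allow


def demo() -> Dict[str, object]:
    personal = Desktop("Alice.Personal", net_allow={"bank.example"})
    fun = Desktop("Alice.Fun", net_allow={"games.example"})
    mon = Monitor()
    p_personal = Process(personal)
    p_fun = Process(fun)            # e.g. an untrusted email attachment run here

    mon.create(p_personal, "taxes.xls")
    mon.write(p_personal, "taxes.xls", "constructed sensitive data")

    results: Dict[str, object] = {
        "fun_reads_personal_file": mon.read(p_fun, "taxes.xls"),         # None
        "fun_reaches_bank": mon.can_connect(p_fun, "bank.example"),       # False
        "personal_reaches_bank": mon.can_connect(p_personal, "bank.example"),  # True
    }

    # Least-common-mechanism problem: a global object such as a registry key is
    # reachable from every desktop, so it becomes a channel between them.
    key = "HKLM\\Software\\Shared\\Key"
    mon.create(p_fun, key, shared=True)
    mon.write(p_fun, key, "payload from Fun")
    results["registry_leak_seen_by_personal"] = mon.read(p_personal, key)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The first three results show the separation working as described: a process on the Fun desktop can neither read a Personal file nor reach the Personal desktop's allowed host. The last result shows the weakness flagged above: because the shared key is owned by no desktop, the monitor lets the Fun process write it and the Personal process read it back, so the isolation holds only for objects that are actually labelled per desktop.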