Does root really matter?
Lately, I’ve been convinced that the key to better security was better user interfaces that enable the user to evaluate the consequences of what he is about to allow some code to do. There have been numerous attempts at this (e.g. Microsoft UAC), with some implementations panned by critics more than others, but I’m beginning to think that all of these implementations are ineffective because they protect the wrong thing, that is, they protect root. But does root really matter to bad guys?
The UIs we have seen so far only protect the most-privileged user account, known as root in the UNIX world and Administrator in Windows. For most people, security means protecting their personal information and stopping their computers from being slow. Perhaps the more altruistic computer users also hope their computers are not being used for nefarious ends, like sending spam or redirecting child porn. (I take this premise from the UMD Cybersecurity lecture given by Stefan Savage, who I hope I am not misinterpreting.)
But all of the things bad guys want to do with our computers can be accomplished from the least privileged user level. Personal information stored in browser profiles obviously lives within the context of that user, so code running as that user can read it. Sending spam is easily done because any application can open an outbound connection to the SMTP port; root is only needed to open a listening port below 1024.
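As an added example (not code from the original post) of the asymmetry this paragraph rests on: only binding a listening socket below 1024 needs root, while an outbound connection to port 25 is available to any unprivileged process. It assumes a Linux or macOS host; the "mail server" is a constructed local listener on an ephemeral port, so the whole thing runs offline.

```python
import os
import socket


def can_bind(port: int) -> bool:
    """Try to open a listening TCP socket on `port` on localhost.

    Returns True if the bind succeeded (the socket is closed again at
    once) and False if the OS refused it with a permission error. On
    Linux/macOS a bind below 1024 needs root (or CAP_NET_BIND_SERVICE
    on Linux). Other errors, e.g. the port already being in use, are
    re-raised so they are not mistaken for a privilege refusal.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        try:
            s.bind(("127.0.0.1", port))
            s.listen(1)
            return True
        except PermissionError:
            return False


def unprivileged_outbound_connect() -> bool:
    """Show that *connecting* to a port never needs root.

    Constructed stand-in for a remote mail server: a listener on an
    ephemeral localhost port (port 0 lets the OS pick a free high port).
    A client in this same unprivileged process connects to it and sends
    an SMTP-style greeting; the listener echoes it back. Returns True if
    the round trip worked, i.e. nothing stopped a plain user from
    talking to a mail port.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as server:
        server.bind(("127.0.0.1", 0))
        server.listen(1)
        _, port = server.getsockname()
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as client:
            client.connect(("127.0.0.1", port))
            conn, _ = server.accept()
            with conn:
                client.sendall(b"EHLO example.invalid\r\n")
                return conn.recv(64) == b"EHLO example.invalid\r\n"


if __name__ == "__main__":
    print("euid:", os.geteuid())
    print("can listen on port 25:", can_bind(25))
    print("can listen on an ephemeral port:", can_bind(0))
    print("outbound connect as this user works:", unprivileged_outbound_connect())
```

Run it as a normal user and again as root: only the first line of output changes, which is the point. The defensive corollary is that egress filtering of port 25 at the network edge, not an elevation prompt, is what stops a compromised low-privilege account from sending spam.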
So I wager that things like UAC are ineffective, and possibly harmful because they help condition the user to click Yes to every box that pops up.
I’m more optimistic about sandboxing and granular privileges, similar to what Android has (and my friend says iPhone has the same thing).
Another friend turned me on to Windows’ Mandatory Integrity Control, which gives three privilege levels instead of the usual binary choice between root and an unprivileged account. One of the side effects of this change was to assign the user’s Documents folder the medium integrity level, meaning code executing in low-integrity contexts (which include the IE, Chrome, and Acrobat renderers) can’t access users’ documents. A good idea.