Monday, September 24, 2007

FileSystem Firewall



There is a compromise security model that could make it easy for Windows users to prevent unauthorized programs (ex: malware) from reading files that they shouldn't.

There is currently a disparity between the "ideal" file system security model touted by Unix/Linux zealots and the "practicality" of novice Windows users. The tight security model says log on to your computer as a low-privileged account and only occasionally run "certain" programs as the high-power administrator. The Windows user is used to logging in as a "Power User" or an administrator, and running every program with full authority. With file system security usually as the main goal, Unix users are preventing rogue programs from corrupting or taking over their computer. Windows users typically see security as getting in the way of desirable programs conveniently auto-installing plug-ins, and sometimes even working at all!

Security enthusiasts use the approach of securing with users and groups that have just enough access to regions of the file system to perform their preprogrammed function. If a program tries to step out of bounds, it will fail, since the user account the program "runs as" simply was not granted access to any other region of the file system. This is a solid approach that has worked for decades, but it generally requires a system administrator to set up and maintain. In the Windows world on a workstation, this would require a high degree of effort (creating dozens of accounts and groups, and assigning proper permissions to file system nodes) and is well beyond what even most power users would consider reasonable.

What is needed is an approach where the program is considered as an individual entity automatically. Consider how modern network firewalls let the user allow or disallow network access down to the application level. If a new program tries to access the internet, or a modified program attempts to phone-home... the user is alerted, and given the option to allow or block it. What if an individual application was automatically treated with those kinds of restrictions while trying to access the file system?

Programs start their lives on your system with an install. You then run them repeatedly, and they might even receive updates. An uninstall may also occur. Generally this normal cycle is moderated by core APIs and known directories on the Windows platform. When considering what files and directories an application should legitimately be accessing during that life cycle, it is possible to use community-submitted configurations and distribute them the way virus protection software gets updates... but there is also another "automatic" way.

When an application is installed, the operating system can "notice" the installation directory and automatically provide that application with full control of that directory as its "home." When the user goes to save files from the application, the operating system's common "save" dialog box could inform the system of directories or individual files that the application should have read/write access to. Registry entries associating file types with applications are also a clue for the operating system to allow special access. If all these clues aren't enough, the user could always be asked to allow/disallow, the way firewall programs do. Generally, between these system clues and profiling by the community, this system shouldn't require much, if any, interaction from the end user to provide this extra layer of security.
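As an added illustration (not code from this post, and not from any product it mentions), here is a small Python model of the policy engine the preceding paragraphs describe: each application gets a policy seeded from the install "clues" (home directory, file-type associations), extended by what the user picks in save dialogs, and falling back to a firewall-style prompt whose answer is remembered. It also treats a modified executable the way a network firewall does, by prompting again rather than trusting the old rules. The application name, paths, and executable bytes are constructed sample values, and the prompt is an injectable callback so the logic can run without a real user.

```python
"""Reference model of a per-application file system firewall (constructed example)."""
import hashlib
from dataclasses import dataclass, field
from enum import Enum
from pathlib import PureWindowsPath
from typing import Callable


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    ASK = "ask"    # no automatic clue covers the path: prompt the user


def _parts(path: str) -> tuple:
    # Windows paths are case-insensitive, so compare lower-cased components.
    return tuple(p.lower() for p in PureWindowsPath(path).parts)


def _within(path: str, directory: str) -> bool:
    # True when `path` lies strictly inside `directory`.
    p, d = _parts(path), _parts(directory)
    return len(p) > len(d) and p[:len(d)] == d


def fingerprint(binary: bytes) -> str:
    # Stand-in for "has the program been modified since its rules were learned?"
    return hashlib.sha256(binary).hexdigest()


@dataclass
class AppPolicy:
    name: str
    exe_path: str
    exe_hash: str                                      # binary fingerprint at install time
    home: str                                          # install directory noticed by the OS
    granted_dirs: set = field(default_factory=set)     # directories chosen in a save dialog
    granted_files: set = field(default_factory=set)    # individual files chosen in a save dialog
    associated_exts: set = field(default_factory=set)  # file types the registry ties to the app
    remembered: dict = field(default_factory=dict)     # earlier prompt answers, keyed by path


def policy_from_install(name: str, exe_path: str, binary: bytes,
                        ext_associations=()) -> AppPolicy:
    """Seed a policy purely from what the OS can observe at install time."""
    return AppPolicy(name=name, exe_path=exe_path, exe_hash=fingerprint(binary),
                     home=str(PureWindowsPath(exe_path).parent),
                     associated_exts={e.lower() for e in ext_associations})


def record_save_dialog(policy: AppPolicy, chosen_path: str,
                       whole_directory: bool = False) -> None:
    """The common save dialog tells the system what the user just granted."""
    if whole_directory:
        policy.granted_dirs.add(str(PureWindowsPath(chosen_path).parent))
    else:
        policy.granted_files.add(chosen_path)


def evaluate(policy: AppPolicy, path: str) -> Decision:
    """Apply the automatic clues in order; ASK means none of them covered the path."""
    key = _parts(path)
    if _within(path, policy.home):                               # install directory
        return Decision.ALLOW
    if any(key == _parts(f) for f in policy.granted_files):      # save dialog, single file
        return Decision.ALLOW
    if any(_within(path, d) for d in policy.granted_dirs):       # save dialog, directory
        return Decision.ALLOW
    if PureWindowsPath(path).suffix.lower() in policy.associated_exts:  # registry association
        return Decision.ALLOW
    return policy.remembered.get(key, Decision.ASK)              # earlier answer, else ask


def enforce(policy: AppPolicy, path: str, current_binary: bytes,
            ask: Callable[[str, str, str], bool]) -> Decision:
    """Final allow/deny call, prompting the user only when the clues run out."""
    if fingerprint(current_binary) != policy.exe_hash:
        # The executable changed since its rules were learned: alert the user and
        # neither trust nor update the old rules, as a network firewall would.
        return Decision.ALLOW if ask(policy.name, path, "binary modified") else Decision.DENY
    verdict = evaluate(policy, path)
    if verdict is Decision.ASK:
        verdict = Decision.ALLOW if ask(policy.name, path, "no rule") else Decision.DENY
        policy.remembered[_parts(path)] = verdict   # like a firewall's "remember this answer"
    return verdict


if __name__ == "__main__":
    # Constructed walk-through: a finance app and a few access attempts.
    exe = b"constructed stand-in for the application's executable bytes"
    pol = policy_from_install("FinanceApp", r"C:\Program Files\FinanceApp\fin.exe", exe, [".qdf"])
    record_save_dialog(pol, r"C:\Users\me\Documents\export.csv")
    for target in (r"C:\Program Files\FinanceApp\prefs.ini",
                   r"C:\Users\me\Documents\finances.qdf",
                   r"C:\Users\me\Documents\export.csv",
                   r"C:\Users\me\Documents\unrelated.txt"):
        print(target, "->", enforce(pol, target, exe, lambda app, p, why: False).value)
```

The ordering in `evaluate` is the point: every automatic clue is consulted before the user is bothered, so a well-behaved program that stays in its install directory, its associated file types, and the files the user handed it never triggers a prompt, while a read of an unrelated document does.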

I think there is potential here for a solid application-based file system firewalling product. A few years ago I did the research, and I only found one defunct product that had attempted this type of "sandboxing" (with a different market and purpose). I am sure that the same consumers who enjoy the Norton or ZoneAlarm network firewall features would welcome the security and ease of use of this approach. In fact, I even approached ZoneAlarm with an idea to enhance their product line, but I got no response from them.

I run my PC as an Administrator, and would welcome this security enhancement. I don't want any programs but Quicken accessing my Quicken data files! In Windows, I'm basically forced into this "wide open" predicament because Windows is such a standard and productivity-enhancing platform... i.e., I like it, but it has problems.


Creative Commons License
