Saturday, September 6, 2008

The iPhone, Legacy software and modern computer security

The problem with most common security models is that they derive from a model developed many years ago for mainframe computer systems, in an environment where, in general, the user was the distrusted element and not the process.

The user-based security model that Unix and Windows offer today is nearly useless in the face of the real threat.

Traditionally, in large mainframe systems, it was the user who was seen as the threat: everything on the system was backed up on a regular basis, and software in general did not travel far enough, fast enough, to be much of a vector.
Because the user was seen as the potential source of trouble, they were given 'sandbox' environments known as 'user accounts', in which they could roam freely but which they could not easily leave without demonstrating that they had the right to access other parts of the system.

On a modern PC, we all have documents, pictures and other personal files that we do not want to lose if something goes wrong, yet very few people outside of the IT community actually have backup systems in place, and nearly everyone stores those documents and files within their own user profile - the same user profile within which they run software they download from the internet, mount drives other people give them, and generally take insane risks.

The threat in this modern age is from the process and not the user. With password-protected access the user can be assumed to be trusted to a reasonable extent, burglary victims aside, whereas a lot of software cannot.

A seemingly obvious solution to this is to place each application within its own 'user' space, treating them in the same way as Linux, Mac OS X and Vista currently treat individual users, with their own limited file access.

...and the iPhone does exactly this. Each individual iPhone application is limited to its own set of folders, and has no ability to look outside them or to open or alter documents in other areas of the file system.
There is a single shared area, where the user can choose to place files for which that makes sense, but fundamentally each application is given its own user space in exactly the same way that users are on other operating systems.
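To make the per-application model of the previous two paragraphs concrete, here is an added example (written for this page, not Apple's code or a description of how the iPhone enforces anything) that models the access decision: an application may reach its own container and one shared area, and nothing else. The directory layout, file names and probe paths are constructed in a temporary directory purely for the demonstration. The point a practitioner would want shown is that containment has to be judged on where a path really leads, so `..` segments, symlinks planted inside the container, and sibling directories that merely share a name prefix are all resolved before the check.

```python
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class AppSandbox:
    """Per-application file-access policy: the app may touch only its own
    container (app_root) and a single shared area (shared_root)."""
    app_root: str
    shared_root: str

    @staticmethod
    def _inside(path: str, root: str) -> bool:
        # Resolve symlinks and '..' first, so a path that merely *looks*
        # contained is judged by where it actually leads.  Comparing against
        # root + os.sep prevents '/apps/notes-evil' matching root '/apps/notes'.
        real_path = os.path.realpath(path)
        real_root = os.path.realpath(root)
        return real_path == real_root or real_path.startswith(real_root + os.sep)

    def check(self, path: str) -> str:
        """Return 'own', 'shared' or 'denied' for the requested path."""
        if self._inside(path, self.app_root):
            return "own"
        if self._inside(path, self.shared_root):
            return "shared"
        return "denied"


def build_demo():
    """Build a throwaway layout (constructed for this example) with two app
    containers and a shared area, then evaluate a set of probe paths.
    Returns (sandbox, {probe_name: verdict})."""
    base = tempfile.mkdtemp(prefix="sandbox-demo-")
    app = os.path.join(base, "apps", "notes")      # the sandboxed app
    other = os.path.join(base, "apps", "mail")     # a sibling app's container
    shared = os.path.join(base, "shared")          # the single shared area
    for d in (app, other, shared):
        os.makedirs(d)
    with open(os.path.join(other, "inbox.txt"), "w") as fh:
        fh.write("constructed data belonging to another app\n")
    # A symlink sitting inside the app's own folder but pointing elsewhere:
    # a naive string-prefix check would wrongly allow it.
    os.symlink(os.path.join(other, "inbox.txt"), os.path.join(app, "link"))

    sandbox = AppSandbox(app_root=app, shared_root=shared)
    probes = {
        "own_file": os.path.join(app, "draft.txt"),
        "own_subdir": os.path.join(app, "cache", "index.db"),
        "shared_file": os.path.join(shared, "photo.jpg"),
        "dotdot_escape": os.path.join(app, "..", "mail", "inbox.txt"),
        "symlink_escape": os.path.join(app, "link"),
        "other_app": os.path.join(other, "inbox.txt"),
        "prefix_trick": app + "-evil",
    }
    return sandbox, {name: sandbox.check(p) for name, p in probes.items()}


if __name__ == "__main__":
    _, decisions = build_demo()
    for name, verdict in decisions.items():
        print(f"{name:16s} {verdict}")
```

Only the two "own" probes and the shared-area probe are permitted; the `..` traversal, the planted symlink, the sibling container and the prefix look-alike all resolve outside the app's space and are denied. A real implementation would make this decision in the kernel or in the file-open path rather than in user code, but the resolve-then-compare rule is the same.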

It is an interesting step forward, and one that I do expect to see appear on Mac OS X. The most likely initial implementation is as a 'sandbox' environment in which untrusted applications are run by default, with the user having the ability to move them outside of that environment once they are happy with them.
