- You're really a Microsoft shill, aren't you?
- But Microsoft did pay you, right?
- You hate Linux, though?
- And you think we should all use Windows?
- I am surprised you didn't mention UNIX security. What do you think of capability-oriented systems?
- You criticize UNIX and say that Mach has some features it lacks, but isn't Mach a form of UNIX?
- Putting wildcard expansion in the shell isn't a bug, it's a feature.
- You advocate message passing microkernels, but aren't they really expensive?
- With what do you propose we replace UNIX?
5. I am surprised you didn’t mention UNIX security. What do you think of capability-oriented systems?
Every so often someone sits down and says to himself, "Security isn’t complicated enough. What would be really good would be if no one understood how to do it properly."
One thing the Windows kernel does really well is security. Every single object has an associated access control list, which allows fine-grained access control to pretty much anything. The average user’s response to this is to decide it’s too complicated to understand, and that the simplest thing to do is set everything to full access.
UNIX, in contrast, has a very stupid security model. File permissions are simple, and many other things are very coarse-grained—you are either root, or you can’t do them. Some more complicated things have been built on top, but often these get disabled. In spite of this, UNIX systems remain more secure.
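To make the granularity difference concrete, here is a constructed toy model of the two styles described above: UNIX owner/group/other mode bits with an all-powerful root, next to an ordered allow/deny list in the style of a Windows DACL. This is added example code, not the kernel logic of either system and not anything from the original post; the user ids, group names and mode values are invented for illustration.

```python
"""Constructed toy model of two access-control styles.

unix_allowed(): owner/group/other mode bits, root bypasses everything.
acl_allowed():  ordered allow/deny entries, loosely modelled on a Windows
                DACL walk. Both are deliberate simplifications.
"""

READ, WRITE, EXEC = 4, 2, 1


def unix_allowed(uid, gids, file_uid, file_gid, mode, need):
    """UNIX-style discretionary check.

    need - bitmask of READ|WRITE|EXEC being requested
    mode - 9-bit permission mode such as 0o640
    Root (uid 0) bypasses the check entirely, which is the coarse
    "you are either root or you can't" behaviour. Exactly one class
    applies, chosen in the order owner, group, other; the classes are
    not OR'ed together, so an owner can be locked out of a file that
    the group or the world may read.
    """
    if uid == 0:
        return True
    if uid == file_uid:
        shift = 6
    elif file_gid in gids:
        shift = 3
    else:
        shift = 0
    granted = (mode >> shift) & 0o7
    return granted & need == need


def acl_allowed(principals, dacl, need):
    """Ordered-ACL check (simplified Windows-style DACL walk).

    principals - set of identities the caller holds (user plus groups)
    dacl       - list of (effect, principal, rights) read top to bottom,
                 with deny entries conventionally placed first
    Rights accumulate across matching allow entries; a deny entry that
    covers any still-unsatisfied right fails the request. An empty list
    grants nothing, and there is no root equivalent that skips the walk.
    """
    remaining = need
    for effect, principal, rights in dacl:
        if principal not in principals:
            continue
        if effect == "deny" and rights & remaining:
            return False
        if effect == "allow":
            remaining &= ~rights
            if remaining == 0:
                return True
    return remaining == 0


def demo():
    """Illustrative outcomes on constructed ids: alice owns a 0o640 file
    in group 'staff'; bob is in staff, carol is not."""
    alice, bob, carol, root = 1000, 1001, 1002, 0
    staff = 50
    r = {}
    r["owner_rw"] = unix_allowed(alice, {alice}, alice, staff, 0o640, READ | WRITE)
    r["group_read"] = unix_allowed(bob, {bob, staff}, alice, staff, 0o640, READ)
    r["group_write"] = unix_allowed(bob, {bob, staff}, alice, staff, 0o640, WRITE)
    r["other_read"] = unix_allowed(carol, {carol}, alice, staff, 0o640, READ)
    # root ignores the mode bits even when nobody is granted anything
    r["root_on_0000"] = unix_allowed(root, {root}, alice, staff, 0o000, READ | WRITE | EXEC)
    # first-match quirk: owner class wins even though group/other have rwx
    r["owner_on_0077"] = unix_allowed(alice, {alice, staff}, alice, staff, 0o077, READ)

    # ACL saying: carol is denied even via staff, alice rw, bob and staff r,
    # anyone else nothing. Mode bits cannot express the carol exception.
    dacl = [
        ("deny", "carol", READ),
        ("allow", "alice", READ | WRITE),
        ("allow", "bob", READ),
        ("allow", "staff", READ),
    ]
    r["acl_bob"] = acl_allowed({"bob", "staff"}, dacl, READ)
    r["acl_carol_via_staff"] = acl_allowed({"carol", "staff"}, dacl, READ)
    r["acl_stranger"] = acl_allowed({"dave"}, dacl, READ)
    # the "too complicated, give Everyone full access" failure mode
    everyone_full = [("allow", "Everyone", READ | WRITE | EXEC)]
    r["everyone_full_write"] = acl_allowed({"dave", "Everyone"}, everyone_full, WRITE)
    return r


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:22s} {'allowed' if outcome else 'denied'}")
```

The two results worth noticing are `owner_on_0077` (the owner class is selected first and is never widened by group or other bits) and `acl_carol_via_staff` (the ordered deny beats the later group allow, a policy that plain mode bits cannot state without inventing a group for exactly the right set of users).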
Someone will, no doubt, point out that VMS has a similar security system to Windows, and an even better security record than Windows. I would argue that this is due to three factors:
- VMS administrators tend to be more experienced.
- VMS is a much more mature code base than most other systems.
- Very, very few crackers would know what to do with a compromised VMS box if someone gave them one, so they don’t even try.
My current favorite UNIX system is OpenBSD, which has a reputation for security. Part of the reason for this is that they have an aggressive policy of code review. Another, more significant, part is their attitude to security, which can be summed up by their slogan "Secure by Default." If the user is required to do anything to secure the system, then it’s not secure. If the user is required to unsecure the system in order to use it, then it is not secure.
Designing a good capability-oriented security system is typically viewed as an operating systems problem. It is not. Capability-oriented systems have been around for a while. Even UNIX is getting similar features in the form of things like TrustedBSD, Trusted Solaris, and SELinux. The real problem is designing a user interface that is both easy to use and doesn’t encourage the user to just click OK when a random piece of malware asks for all permissions. Until this problem is solved, I am skeptical about capability models, and very few people in the capability community seem willing to admit that the problem exists, let alone address it.