Forgot your password?
typodupeerror
Unix Google Security Technology

New Sandbox Framework For Chromium Released 109

Posted by Soulskill
from the spicy-security dept.
Trailrunner7 writes "As applications have become more and more complex in recent years and Web browsers have evolved into operating systems unto themselves, the task of securing desktop environments has become increasingly difficult. And while there's been quite a bit of innovation on Windows security, advances in Unix security have been less common of late. But now, a group of researchers from Google and the University of Cambridge in England have developed a new sandboxing framework called Capsicum, designed specifically to provide better security capabilities on Unix and Unix-derived systems (PDF). Capsicum is the work of four researchers at Cambridge and the framework extends the POSIX API and introduces a number of new Unix primitives that are meant to isolate applications and users and handle rights delegation in a better way. The research, done by Robert N.M. Watson, Ben Laurie, Kris Kennaway and Jonathan Anderson, was supported by Google, and the researchers have added some of the new Capsicum features to a version of Google's Chromium browser in order to demonstrate the functionality."
This discussion has been archived. No new comments can be posted.

New Sandbox Framework For Chromium Released

Comments Filter:
  • Chromium Browser? (Score:2, Insightful)

    by Flea of Pain (1577213)

    Is this supposed to be the Google Chrome browser? Or do they mean literally a browser in their upcoming OS Chromium?

    • Re: (Score:3, Informative)

      by Anonymous Coward

      Chromium is the community project from which Google Chrome is derived.

    • Re: (Score:3, Interesting)

      by xMilkmanDanx (866344)
      The browser. TFA states somewhat incoherently that it isolates javascript execution and if google is using javascript in their OS, their not google.
    • Re: (Score:3, Informative)

      by Anonymous Coward

      Is this supposed to be the Google Chrome browser? Or do they mean literally a browser in their upcoming OS Chromium?

      Last line of the summarized article:

      he researchers have added some of the new Capsicum features to a version of Google's Chromium browser in order to demonstrate the functionality."

      Third link from Google, third party description.

      Chromium Web Browser [wikipedia.org]

      I'm relatively new here. Is this how most people are on this site?

    • by bhcompy (1877290)
      While I can't decipher what this article is referring to in particular, Chromium is the base for Chrome. Think of it as the development platform. Everyone should be using Chromium instead of Chrome because Chromium doesn't have the built in usage tracking that Chrome has
      • You mean, the usage tracking which can be turned off with a single checkbox? And that's somehow harder than, say, installing ffmpeg and friends to get video working in Chromium?

        • by Raenex (947668)

          The real problem is Chrome is not open source. It's a proprietary, binary blob that is based on open source. If Microsoft released a hypothetical browser based on Chromium, let's call it Crummium, it would be exactly the same thing, but without the Googly-woogly "trust us, we're not evil" claim attached.

          • by bhcompy (1877290)
            Which is the crux of the problem. I don't want or need google's tracking built in(among whatever else they have in it) even if I have the option to turn it off. Chromium works fine, Chromium Updater exists for updating it, and it works very well.
          • If Microsoft released a hypothetical browser based on Chromium, let's call it Crummium, it would be exactly the same thing, but without the Googly-woogly "trust us, we're not evil" claim attached.

            Given that Microsoft has a long track record of evil, and Google has a stated goal to not be evil, trusting them carries a bit more weight. And again, most of the browser is open -- how difficult is it to analyze what the rest is doing?

            Now, consider the unfortunate alternative -- if Chromium was the only version, there'd be a scary process -- no matter how streamlined, it'd still have to present the user with scary legal warnings -- to get h.264 working, which, unfortunately, is needed for good HTML5 video

            • by Raenex (947668)

              Given that Microsoft has a long track record of evil, and Google has a stated goal to not be evil, trusting them carries a bit more weight.

              Actions speak louder than words. Microsoft's evil tends to revolve around vendor lock-in and unfairly stomping on their competitors. Google's evil revolves around Big Brother type information gathering. Trusting Google because of their motto is ridiculous.

              And again, most of the browser is open -- how difficult is it to analyze what the rest is doing?

              What are you proposing? To do a binary diff between the compiled open source version and Google version? Followed by disassembling and analyzing the diff, probably without debugging symbols? That would be a major pain in the ass, even if the two binaries w

              • Re: (Score:3, Interesting)

                Microsoft's evil tends to revolve around vendor lock-in and unfairly stomping on their competitors. Google's evil revolves around Big Brother type information gathering.

                Microsoft's evil also involves outright lies, and the concept of "FUD" was pretty much invented, I suspect, to describe Microsoft.

                Google, by contrast... "Big Brother"? Have you read 1984? Google likes to gather information, yes -- and like Facebook and everyone else, they only gather information from people who willingly donate said information, or from information already in public spaces.

                Unlike Facebook and everyone else, they have a track record of, in the very worst example I'm aware of (wireless snoopi

                • by Raenex (947668)

                  Google, by contrast... "Big Brother"? Have you read 1984?

                  Yes I have. Obviously the current situation isn't like the brutal dictatorship in the book, but the information gathering is getting there. Not a camera in your home, but spying on all the sites you visit.

                  they only gather information from people who willingly donate said information, or from information already in public spaces.

                  "willingly" would be opt-in, instead of having to opt-out. How many web sites use Google Analytics? Google also owns DoubleClick.

                  by accident

                  There's nothing accidental about collecting all this information (ignoring the wireless case), which once collected, can be abused. If they get a National Security Letter they wi

                  • "willingly" would be opt-in, instead of having to opt-out.

                    Which is precisely how this functions.

                    How many web sites use Google Analytics?

                    How many of those websites jumped out of the Internet, grabbed your browser, and forced you to visit them? If you don't trust a website to not use Google, why would you trust that website with the same information?

                    If they get a National Security Letter they will have to comply with it.

                    They have publicly fought government requests for information.

                    If a rogue employee decides to misuse the data, it's done.

                    And how do you know what procedures they have in place to prevent this situation? This isn't Facebook, where that sort of thing actually happens.

                    It's completely Google's fault for requiring H.264. They could always fall back to another format.

                    At what cost? Either massive amounts of CPU to trans

                    • by Raenex (947668)

                      How many of those websites jumped out of the Internet, grabbed your browser, and forced you to visit them?

                      And who actually consented to a massive, collusive information gathering program? People are just browsing normally for other reasons, not to be spied on. They have to go out of their way to avoid this spying. That's why it's opt-out, and not opt-in.

                      They have publicly fought government requests for information.

                      Very well, but they could always lose in such a suit.

                      And how do you know what procedures they have in place to prevent this situation? This isn't Facebook, where that sort of thing actually happens.

                      Whatever procedures they have in place, the possibility is there. And how do you know it doesn't actually happen at Google? How many years was Facebook around before you heard about data breaches? And what abo

                    • And who actually consented to a massive, collusive information gathering program?

                      You did, with every website you visited -- though I have to wonder where you get "collusive" from.

                      People are just browsing normally for other reasons, not to be spied on.

                      And people are just typing into Facebook for other reasons, not to be spied on. It's still entirely your choice to play or not to play.

                      They have to go out of their way to avoid this spying.

                      Connecting to any given website is already your action -- you're already going "out of your way".

                      Very well, but they could always lose in such a suit.

                      Yes, they could, but I think it kills your "They are evil" argument. It certainly kills any comparison with Big Brother, when they actively fight the government.

                      Whatever procedures they have in place, the possibility is there.

                      In the same way that,

                    • by Raenex (947668)

                      You did, with every website you visited -- though I have to wonder where you get "collusive" from.

                      A huge number of 3rd party sites agree to give Google data on your browsing habits. People are just trying to live their lives normally -- the web is just part of the basic infrastructure. Web sites don't prominently display their data collection activities. Most people are not technical and don't understand stuff like Google Analytics. This is a massive, data sharing program without informed consent, and Google is the ring-leader.

                      Yes, they could, but I think it kills your "They are evil" argument. It certainly kills any comparison with Big Brother, when they actively fight the government.

                      They're evil for collecting all this information where it can be misused. The

                    • Web sites don't prominently display their data collection activities.

                      Many have "privacy policies" -- how prominent would be prominent enough?

                      Most people are not technical

                      Yes, and whose fault is that? The information they would need is readily available. Alternatives exist.

                      Maybe I'm being insensitive here, but I'm really sick of the meme that otherwise intelligent people should immediately be assumed to be drooling morons as soon as they're confronted with a computer -- that they need to be protected from themselves. The entire antivirus market currently thrives on this assumption, when the single best w

                    • by Raenex (947668)

                      Many have "privacy policies" -- how prominent would be prominent enough?

                      You have to visit the site before you can even read the privacy policy. And who wants to read a bunch of legalize just to browse the web?

                      Maybe I'm being insensitive here

                      Yes, you are. You think people should have to walk around wearing disguises instead of having a reasonable expectation of privacy. It's as if every business you visited in public decided to identify you and report your whereabouts to a central party. That's fucked up.

                      I'm really sick of the meme that otherwise intelligent people should immediately be assumed to be drooling morons as soon as they're confronted with a computer

                      I care about privacy, I'm technically literate, I avoid cookies, and browse with NoScript. However, even I

                    • You think people should have to walk around wearing disguises instead of having a reasonable expectation of privacy.

                      And where did I say that?

                      It's as if every business you visited in public decided to identify you and report your whereabouts to a central party.

                      Do you use a credit card? They do.

                      Expecting the average citizen to keep up in a technological arms race...

                      Not particularly -- pick a few reputable sources [eff.org] and follow them.

                      Regarding Flash cookies, well, the simple/paranoid approach is to not install Flash, or any third-party proprietary plugin, without good reason.

                      Then fuck 'em. Visitors using those browsers can get the old Flash version.

                      That's not "fuck 'em", that's "oh shit, now we really do need to keep two versions around."

                      YouTube is big enough that they can dictate the terms here.

                      And yet, even you don't seem to be suggesting they can -- you're suggesting YouTube spend huge amounts on disk space, bandwidth, CDNs, etc, to keep both

                • by lennier (44736)

                  Since I don't particularly care about obeying software patents covering codecs and file formats,

                  Because I live in New Zealand, I'm legally allowed to do this - but if you live in the USA, isn't it a bit of a problem that your chosen media codec solution involves deliberate lawbreaking?

                  Mass civil disobedience might indeed be the appropriate response to broken software patent law, but if you're going to do that, shouldn't you also be willing to undergo mass arrests and trials?

                  Or you could just avoid using the broken patented technology. Seems easier to me.

                  • if you live in the USA, isn't it a bit of a problem that your chosen media codec solution involves deliberate lawbreaking?

                    It is -- so I call it civil disobedience.

                    Except it doesn't require lawbreaking. I have a copy of Windows 7, which includes an h.264 decoder. I have an nVidia video card, which includes a hardware h.264 decoder, and a Linux driver for it. Both of these are bought and paid for, including all licensing fees.

                    So, if Firefox just used what my OS already had available -- if it just hooked into GStreamer, DirectShow, CoreVideo, etc -- it would Just Work, and it would be entirely legal. They refuse to do this.

                    if you're going to do that, shouldn't you also be willing to undergo mass arrests and trials?

                    Not wi

                    • by CTachyon (412849)

                      if you live in the USA, isn't it a bit of a problem that your chosen media codec solution involves deliberate lawbreaking?

                      It is -- so I call it civil disobedience.

                      Notwithstanding your comment about how you already have a patent license through other means, "civil disobedience" isn't the same as "doing it and not getting caught". In the original sense, "civil disobedience" means breaking the law in public, daring the police to arrest you / civil lawsuits to fly, and using the obvious injustice of the response to inflame the public against the bad law. DeCSS in your .signature is civil disobedience, downloading a gray-market codec from a non-US APT repository is mere

                    • "civil disobedience" isn't the same as "doing it and not getting caught".

                      Oh, I agree...

                      In the original sense, "civil disobedience" means breaking the law in public, daring the police to arrest you / civil lawsuits to fly, and using the obvious injustice of the response to inflame the public against the bad law.

                      I suspect the public is too lazy for that to really work, but I'm also too lazy to make a huge public show of it. However, I make no secret about the fact that, for instance, I crack DVD copy protection, because my only other options are to boot Windows just to watch a DVD, or revert to an absurdly old version of Ubuntu that I got from Dell which (I think) came with legal copies of the relevant codecs and an approved player.

                      In other words, I'm not marching the capital steps with a movie playin

    • Erm, what? (Score:5, Informative)

      by SanityInAnarchy (655584) <ninja@slaphack.com> on Friday August 13, 2010 @03:44PM (#33245614) Journal

      Chromium is the open source version that Chrome, the proprietary browser, is built on. (Basically, they take Chromium, add codecs they can't legally include in Chromium, maybe a little branding, and release it as Chrome.)

      The same is true of the OS -- the only reason it's "Chromium OS" is that the actual "Chrome OS" hasn't been released yet, because the community version isn't done yet.

      • I see. Thank you very much. I was unaware of this distinction and have learned something new today! Please mod parent informative.

      • It makes very little sense to sandbox the application. sandboxing should be delegated from the application to the OS. I note that mac OSX have this built into the OS, but only a few applications like xgrid actually use it. The good news is that apps don't need to be sandbox aware to be sandboxed after the fact. I saw on mac osxhints were someone wrote a sandbox config file for firefox that forces firefox to run with reduced privledges and disk access.

        • sandboxing should be delegated from the application to the OS.

          Ideally, yes, but modern OSes (excluding Chromium OS, maybe) don't always provide sufficient sandboxing, and they do it in different ways. This would be both additional security where it's needed (as well as ways for communicating in and out of the sandbox), and, hopefully, support for whatever native sandboxing options are available (it kind of needs those anyway -- Chrome already uses a chroot jail, I think).

          But what does any of that have to do with what I wrote?

  • They say that they have working code for FreeBSD release-8. It makes me wonder if there is some relationship between Capsicum and FBSD's jails, or if FBSD is just being used because it is an environment of interest with the security/sandboxing community right now.

    • Re: (Score:1, Informative)

      by Anonymous Coward

      At least two of the researchers are active in the FreeBSD project (Kris + Robert). Also Robert Watson's pet project has been TrustedBSD MAC extensions to FreeBSD since 5.something.

    • This may serve well to provide sandboxing for Android in place of Java [arstechnica.com]

  • Kinda of misleading. (Score:1, Interesting)

    by stanlyb (1839382)
    It looks like user-space extension which you have to use, if you wanna your application to be sandboxed. But what about the malicious applications which don't wanna to be sandboxed???
    • Re: (Score:3, Insightful)

      by xMilkmanDanx (866344)
      The point being sandboxed applications which deal with unknown, insecure content (i.e. the web) can keep said content from affecting anything outside the sandbox.
      • Re: (Score:3, Funny)

        by mewsenews (251487)

        The point being sandboxed applications which deal with unknown, insecure content (i.e. the web) can keep said content from affecting anything outside the sandbox.

        Until someone comes up with a specially crafted PDF... ;)

    • ... what about the malicious applications which don't wanna to be sandboxed???

      Build a launcher that sandboxes itself and then execs (or whatever) them.

  • Sounds like the permissions you specify for Android apps. That's all fine and dandy for a new platform and we all wish someone had bothered to require least privileges back in the day for our favorite OS, but they didn't. And if they had, it would have been too much work to program for anyway, so something else would have become our favorite OS. So now we have to port all our code to use a new scheme and that's far more work than anyone is willing to do. So we'll remain insecure. Case in point: selinux. Sou
  • for fuck's sake (Score:1, Informative)

    by Anonymous Coward

    "Web browsers have evolved into operating systems"

    No, they haven't, calm down.

    • Re: (Score:3, Interesting)

      "Web browsers have evolved into operating systems"

      No, they haven't, calm down.

      I think he means that they have become application environments, giving access to all the fundamental services of the underlying operating systems, through their own API and security models, with their own set of bugs.

  • Academic Foolishness (Score:4, Informative)

    by Roguelazer (606927) <RoguelazerNO@SPAMgmail.com> on Friday August 13, 2010 @03:29PM (#33245406) Homepage Journal
    These are major and invasive changes to POSIX. No reasonable person would expect to be able to do things like change PID semantics or shared memory. Yes, it might solve the problem that they sought to solve. But I would be very surprised to see this meet with any large-scale deployment. It's better to work with the system than to just arbitrarily decide Unix is wrong and rewrite it.
    • by Anonymous Coward on Friday August 13, 2010 @03:41PM (#33245558)

      I presume that you didn't actually read the API man pages. The interface follows squarely in the footsteps of the Unix design philosophy. No PID semantics are being changed, either. They've introduced process descriptors which, among other things, allow you to poll for process exit. They allow you to attach restrictions to descriptors, presumably so that a broker could open resources (files, sockets), restrict the allowable operations, and then pass them to sandboxed applications over a domain socket. It's all quite simple and powerful and exactly what I would love to see incorporated into POSIX.

    • by IamTheRealMike (537420) <mike@plan99.net> on Friday August 13, 2010 @03:41PM (#33245564) Homepage
      Both Android and ChromeOS are based on UNIX but neither expose POSIX as an API, so researching ways to change for the better seems like a good use of time.
    • by mcrbids (148650)

      hese are major and invasive changes to POSIX. No reasonable person would expect to be able to do things like change PID semantics or shared memory.

      I don't think that they are expecting people to wholeheartedly change the 30+ year old POSIX API and adopt their new developments. This is research, remember? These are students who are exploring new ways to improve security and address problems with the POSIX API. It's there, we can adopt what we want, and in the meantime, students learn examples of how to writ

    • Re: (Score:1, Interesting)

      by Anonymous Coward

      These are major and invasive changes to POSIX

      No, they're not. They are additions to the current security model.

      An OS that has this functionality looks and acts exactly like a POSIX OS. It's up to the application program to call the appropriate APIs as necessary to properly sandbox things (and some parts of each app will potentially be sandboxed differently than other parts).

      One of the researchers involved is Robert Watson who has heavily been involved in FreeBSD for many, many years. Knowing that he's doing this reassures me that this is well thought

  • Web browsers have evolved into operating systems unto themselves

    Really? I am unaware of a (common) browser that is able to do much more than work with data...

    Let's try to leave the the analogies used to educated luddites out of summaries intended for people that *KNOW* the difference between an OS and an application.

    • by blueg3 (192743)

      Ever since that pesky von Neumann fellow, all any computer has done is work with data.

    • Re: (Score:3, Interesting)

      by fluffy99 (870997)

      Web browsers have evolved into operating systems unto themselves

      Really? I am unaware of a (common) browser that is able to do much more than work with data...

      Let's try to leave the the analogies used to educated luddites out of summaries intended for people that *KNOW* the difference between an OS and an application.

      There are certainly many companies out there that want your OS to be nothing more than a web browser. That way they can sell software as a service. For things like Google Gmail, Google Calendar , Google Docs, etc. Microsoft is slowly moving in that direction as well. Its much more profitable to sell based on usage or per month, rather than selling you a perpetual license. Many businesses are moving towards the desktop being little more than a terminal with the applications actually running on a central

    • Given virtualization as a concept no longer ties an OS to hardware interaction, browsers that can provide an increasingly powerful application framework are not that much removed from being an operating system. Firefox is capable of everything the old 8bit OS's were capable of and more. That is, other than provide direct hardware access.
  • ... When will we see implantations of this in Linux, *BSD, and, even, commercial Unix flavors ?
    • by micheas (231635)

      ... When will we see implantations of this in Linux, *BSD, and, even, commercial Unix flavors ?

      I believe you can patch FreeBSD 9 (current) to use this. Check the FreeBSD security mailing list for a link to the patches.

  • Y'know, I'm really glad Google wants to provide a new API for managing security. We need somebody to do this for us - somebody who really knows security, somebody who may as well have security as their middle name [nsa.gov], to come out with an API framework for Mandatory Access Controls [nsa.gov], preferably built right into th operating system kernel of a [fedoraproject.org] major [debian.org] distribution [gentoo.org].

    Yes, I'm really glad Google took the initiative on this.

    • Which is just as well, since I was torn between Informative and Funny. B-)

    • Re: (Score:3, Informative)

      by Anonymous Coward
      I know it's /. and all, but a little effort to read the paper would be nice. Or even, a stop at pretending SELinux is the solution to everything, because that was never its aim (or achievement).

      5 Comparison of sandboxing technologies

      We now compare Capsicum to existing sandbox mechanisms. Chromium provides an ideal context for this comparison, as it employs six sandboxing technologies (see Figure 12). Of these, the two are DAC-based, two MAC-based and two capability-based. ...

      5.4 SELinux

      Chromium’s MAC approach on Linux uses an SELinux Type Enforcement policy [12]. SELinux can be used for very fine-grained rights assignment, but in practice, broad rights are conferred because fine-grained Type Enforcement policies are difficult to write and maintain.The requirement that an administrator be involved indefining new policy and applying new types to the filesystem is a significant inflexibility: application policies cannot adapt dynamically, as system privilege is required to reformulate policy and relabel objects.

      The Fedora reference policy for Chromium creates a single SELinux dynamic domain, chrome sandbox t, which is shared by all sandboxes, risking potential interference between sandboxes. This domain is assigned broad rights, such as the ability to read all files in /etc and access to the terminal device. These broad policies are easier to craft than fine-grained ones, reducing the impact of the dual-coding problem, but are much less effective, allowing leakage between sandboxes and broad access to resources outside of the sandbox.

      In contrast, Capsicum eliminates dual-coding by combining security policy with code in the application. This approach has benefits and drawbacks: while bugs can’t arise due to potential inconsistency between policy and code, there is no longer an easily accessible specification of policy to which static analysis can be applied. This reinforces our belief that systems such as Type Enforcement and Capsicum are potentially complementary, serving differing niches in system security.

      • by wowbagger (69688) on Friday August 13, 2010 @05:57PM (#33246928) Homepage Journal

        Normally I don't even bother to read ACs, let alone respond to them, but in your case I'll make an exception since you are actually trying to make a cogent point.

        Security IS complex - that is why it is better to get it right in ONE place than getting it WRONG many places. Had the researchers put the effort into defining a meaningful set of security contexts within SELinux - contexts that could be used for the WHOLE SYSTEM - they could have not only secured the browser, but everything else. Instead, they took a Barbie-Doll "Security is HARD" approach, and only secured ONE application.

        The faults raised in the paper were not with SELinux itself, but rather with a specific implementation of a security policy, created by one vendor, which USES the SELinux framework.

        Personally, I'd rather see a set of security contexts and attributes:
        internet_tainted_file: this object (file) was created by a program which has accessed the Internet (more precisely, any network address not marked as trusted).
        sensitive-file: an object (file) that may NEVER be accessed by an internet-tainted-program (see below)

        non-internet-program - a program has no need to open ports outside the local network or access internet_tainted files.
        internet-program: a program which MAY access the internet, but has not yet done so.
        sensitive-tainted-program: a program which has accessed a sensitive-file, and thus may NEVER access the Internet. An internet-program may transition to the sensitive-tainted-program state by accessing a sensitive-file object.
        internet-tainted-program: a program which has accessed the Internet, or accessed an internet_tainted_file.

        That way, programs that have no need of frobbing the Internet (e.g. gedit) CANNOT access it. Programs that have touched sensitive files (e.g. /etc/shadow) likewise can NEVER touch the 'Net. Programs that have touched the 'Net can NEVER access sensitive files.

        That's just the tip of the iceberg - but getting a proper set of security contexts can not only protect the browser, but EVERY program on the system.

        And that is why I raised this point: all Google is securing is their own stuff (and only to the extent a malicious exploit cannot work around their solution, which is code in the application), rather than contributing to the greater security of the whole system.

        • Re: (Score:1, Informative)

          by Anonymous Coward

          At the USENIX talk, the authors explained that one of the flaws in SELinux, not just Chromium's use of it, was the need to enumerate all sandbox domains statically in a policy file. The approach used in Chromium, and that you describe, allows different web sites to attack each other when rendered in the same browser, since they're not protected from each other. Capsicum allows applications such as Chromium to create as many sandboxes as they need dynamically. They also repeatedly said during the talk that c

  • by Anonymous Coward

    ... there's been quite a bit of innovation on Windows security ...

    What? There has? Do you mean the way it now asks me 'Are you sure you want to give this application a chance to destroy your computer? Y/N' and if I say 'No' I can't use the application?
    I mean, if I really want to run that application I have no choice but to click 'Yes' and then if it was a virus after all I'm screwed.
    What I'd want is a way to have more control over the program. Maybe put it in a sandbox and trick it into thinking it's got full privileges even though it's really sandboxed so it won't crash

    • Re: (Score:3, Insightful)

      by Thundersnatch (671481)

      What I'd want is a way to have more control over the program. Maybe put it in a sandbox and trick it into thinking it's got full privileges even though it's really sandboxed so it won't crash or maybe just set advanced settings for that specific application to disallow it from writing to specific registry/files/network/other process' memory.

      Which is... umm... pretty much exactly what Windows Vista, Windows 7, and Windows Server 2008 can do.

      • Re: (Score:1, Interesting)

        by Anonymous Coward

        Which is... umm... pretty much exactly what Windows Vista, Windows 7, and Windows Server 2008 can do.

        How? I've never got anything else except the choice to run an application or not run an application. Which is a choice I've usually already made before I run it.

        • Re: (Score:3, Informative)

          by Anonymous Coward
          He's referring to low integrity processes [microsoft.com]. It's only really exposed in the Windows API. But you can start a low-integrity process two ways AFAIK:

          1. Modify the image header. [microsoft.com] icacls notepad.exe /setintegritylevel low It will always start with the new privileges set from now on.

          2. Do runas /trustlevel:0x10000 notepad.exe to start it at whim with low privileges.

          Here's a screen capture of what happens to the latter when you try to access the user's desktop: http://i38.tinypic.com/wbs1vo.png [tinypic.com].
  • It's too much to ask of IE, though if they did a good job it would reset the bar for awesome, but won't the other major browsers just break down and host an embedded emacs?
    • by cbhacking (979169)

      Dammit, now I'm feeling bizarrely tempted to write a IE plugin that contains emacs. I have no idea why I'd want to do this; I don't even really like emacs. The idea is truly bizarrely compelling, though.

You had mail, but the super-user read it, and deleted it!

Working...