New Sandbox Framework For Chromium Released 109
Trailrunner7 writes "As applications have become more and more complex in recent years and Web browsers have evolved into operating systems unto themselves, the task of securing desktop environments has become increasingly difficult. And while there's been quite a bit of innovation on Windows security, advances in Unix security have been less common of late. But now, a group of researchers from Google and the University of Cambridge in England have developed a new sandboxing framework called Capsicum, designed specifically to provide better security capabilities on Unix and Unix-derived systems (PDF). Capsicum is the work of four researchers at Cambridge and the framework extends the POSIX API and introduces a number of new Unix primitives that are meant to isolate applications and users and handle rights delegation in a better way. The research, done by Robert N.M. Watson, Ben Laurie, Kris Kennaway and Jonathan Anderson, was supported by Google, and the researchers have added some of the new Capsicum features to a version of Google's Chromium browser in order to demonstrate the functionality."
Chromium Browser? (Score:2, Insightful)
Is this supposed to be the Google Chrome browser? Or do they mean literally a browser in their upcoming OS Chromium?
Re: (Score:3, Informative)
Chromium is the community project from which Google Chrome is derived.
Re: (Score:1)
Re: (Score:3, Interesting)
Re: (Score:2)
Re: (Score:2)
There, there - it's all right. I'm sure everyone knew what you meant.
Re: (Score:3, Informative)
Is this supposed to be the Google Chrome browser? Or do they mean literally a browser in their upcoming OS Chromium?
Last line of the summarized article:
the researchers have added some of the new Capsicum features to a version of Google's Chromium browser in order to demonstrate the functionality."
Third link from Google, third party description.
Chromium Web Browser [wikipedia.org]
I'm relatively new here. Is this how most people are on this site?
Re:Chromium Browser? (Score:5, Informative)
Yes, it's considered SOP not to read TFA around here. The real hardcore don't even bother reading TFS either.
Re:Chromium Browser? (Score:4, Informative)
Re: (Score:2)
I guess that means you're not REALLY really hardcore.
Neither are you.
Re: (Score:1)
Re: (Score:1, Offtopic)
Re:Chromium Browser? (Score:5, Funny)
Re: (Score:2)
Re:Chromium Browser? (Score:5, Informative)
The REALLY really hardcore don't even bother reading the comment they're responding to
I like pie.
Re: (Score:2)
Hint, you don't need to read any comments if you get first post. :-)
Re: (Score:1, Offtopic)
OMG PONIES!
Re: (Score:1)
Re: (Score:2)
You mean, the usage tracking which can be turned off with a single checkbox? And that's somehow harder than, say, installing ffmpeg and friends to get video working in Chromium?
Re: (Score:2)
The real problem is Chrome is not open source. It's a proprietary, binary blob that is based on open source. If Microsoft released a hypothetical browser based on Chromium, let's call it Crummium, it would be exactly the same thing, but without the Googly-woogly "trust us, we're not evil" claim attached.
Re: (Score:2)
This sentence is plain stupid. It's implying that people who use Windows' Chrome build don't use IE because it's closed source.
I wasn't implying that. I used Microsoft as an example of a company that wouldn't get a free pass for releasing an "open source" browser consisting of a proprietary binary based on an open source base.
Re: (Score:2)
And I am not implying that Chromium isn't a full browser. My only point is that Chrome is a proprietary, binary blob, and as such not open source. Whatever excuses Google might have for that is no better than any excuses Microsoft might put forth if they had released a similar browser. If you care about open source, then you should know that Chrome is not open source.
Re: (Score:2)
Whatever excuses Google might have for that
You mean, actual legal reasons?
no better than any excuses Microsoft might put forth
"Excuses" Microsoft has used in the past include "Open source is less secure because people can see the source."
If you care about open source, then you should know that Chrome is not open source.
Caring about open source doesn't mean I demand it for absolutely everything. The fact that Chrome is almost entirely based on Chromium tells me two things: First, that Chromium is there waiting for me if Chrome ever becomes a problem, and second, Chrome isn't likely to have anything particularly evil attached to it.
Re: (Score:1)
Re: (Score:2)
The problem of course is, while it wasn't intentional, it does contain the code. :-)
http://www.osnews.com/story/23670/Chromium_Sends_Data_to_Google_Turns_Out_It_s_a_Regression [osnews.com]
Re: (Score:2)
Why does it bother you that it's there, although you can turn it off? That's a bit like complaining that it has a back button, even if you never use back buttons -- do you actually need it to not be compiled in?
I mean, if you do, that's one of the perks of a source distro like Gentoo, but it seems like a waste to me.
Re: (Score:2)
If Microsoft released a hypothetical browser based on Chromium, let's call it Crummium, it would be exactly the same thing, but without the Googly-woogly "trust us, we're not evil" claim attached.
Given that Microsoft has a long track record of evil, and Google has a stated goal to not be evil, trusting them carries a bit more weight. And again, most of the browser is open -- how difficult is it to analyze what the rest is doing?
Now, consider the unfortunate alternative -- if Chromium was the only version, there'd be a scary process -- no matter how streamlined, it'd still have to present the user with scary legal warnings -- to get h.264 working, which, unfortunately, is needed for good HTML5 video
Re: (Score:2)
Given that Microsoft has a long track record of evil, and Google has a stated goal to not be evil, trusting them carries a bit more weight.
Actions speak louder than words. Microsoft's evil tends to revolve around vendor lock-in and unfairly stomping on their competitors. Google's evil revolves around Big Brother type information gathering. Trusting Google because of their motto is ridiculous.
And again, most of the browser is open -- how difficult is it to analyze what the rest is doing?
What are you proposing? To do a binary diff between the compiled open source version and Google version? Followed by disassembling and analyzing the diff, probably without debugging symbols? That would be a major pain in the ass, even if the two binaries w
Re: (Score:3, Interesting)
Microsoft's evil tends to revolve around vendor lock-in and unfairly stomping on their competitors. Google's evil revolves around Big Brother type information gathering.
Microsoft's evil also involves outright lies, and the concept of "FUD" was pretty much invented, I suspect, to describe Microsoft.
Google, by contrast... "Big Brother"? Have you read 1984? Google likes to gather information, yes -- and like Facebook and everyone else, they only gather information from people who willingly donate said information, or from information already in public spaces.
Unlike Facebook and everyone else, they have a track record of, in the very worst example I'm aware of (wireless snoopi
Re: (Score:2)
Google, by contrast... "Big Brother"? Have you read 1984?
Yes I have. Obviously the current situation isn't like the brutal dictatorship in the book, but the information gathering is getting there. Not a camera in your home, but spying on all the sites you visit.
they only gather information from people who willingly donate said information, or from information already in public spaces.
"willingly" would be opt-in, instead of having to opt-out. How many web sites use Google Analytics? Google also owns DoubleClick.
by accident
There's nothing accidental about collecting all this information (ignoring the wireless case), which once collected, can be abused. If they get a National Security Letter they wi
Re: (Score:2)
"willingly" would be opt-in, instead of having to opt-out.
Which is precisely how this functions.
How many web sites use Google Analytics?
How many of those websites jumped out of the Internet, grabbed your browser, and forced you to visit them? If you don't trust a website to not use Google, why would you trust that website with the same information?
If they get a National Security Letter they will have to comply with it.
They have publicly fought government requests for information.
If a rogue employee decides to misuse the data, it's done.
And how do you know what procedures they have in place to prevent this situation? This isn't Facebook, where that sort of thing actually happens.
It's completely Google's fault for requiring H.264. They could always fall back to another format.
At what cost? Either massive amounts of CPU to trans
Re: (Score:2)
How many of those websites jumped out of the Internet, grabbed your browser, and forced you to visit them?
And who actually consented to a massive, collusive information gathering program? People are just browsing normally for other reasons, not to be spied on. They have to go out of their way to avoid this spying. That's why it's opt-out, and not opt-in.
They have publicly fought government requests for information.
Very well, but they could always lose in such a suit.
And how do you know what procedures they have in place to prevent this situation? This isn't Facebook, where that sort of thing actually happens.
Whatever procedures they have in place, the possibility is there. And how do you know it doesn't actually happen at Google? How many years was Facebook around before you heard about data breaches? And what abo
Re: (Score:2)
And who actually consented to a massive, collusive information gathering program?
You did, with every website you visited -- though I have to wonder where you get "collusive" from.
People are just browsing normally for other reasons, not to be spied on.
And people are just typing into Facebook for other reasons, not to be spied on. It's still entirely your choice to play or not to play.
They have to go out of their way to avoid this spying.
Connecting to any given website is already your action -- you're already going "out of your way".
Very well, but they could always lose in such a suit.
Yes, they could, but I think it kills your "They are evil" argument. It certainly kills any comparison with Big Brother, when they actively fight the government.
Whatever procedures they have in place, the possibility is there.
In the same way that,
Re: (Score:2)
You did, with every website you visited -- though I have to wonder where you get "collusive" from.
A huge number of 3rd party sites agree to give Google data on your browsing habits. People are just trying to live their lives normally -- the web is just part of the basic infrastructure. Web sites don't prominently display their data collection activities. Most people are not technical and don't understand stuff like Google Analytics. This is a massive, data sharing program without informed consent, and Google is the ring-leader.
Yes, they could, but I think it kills your "They are evil" argument. It certainly kills any comparison with Big Brother, when they actively fight the government.
They're evil for collecting all this information where it can be misused. The
Re: (Score:2)
Web sites don't prominently display their data collection activities.
Many have "privacy policies" -- how prominent would be prominent enough?
Most people are not technical
Yes, and whose fault is that? The information they would need is readily available. Alternatives exist.
Maybe I'm being insensitive here, but I'm really sick of the meme that otherwise intelligent people should immediately be assumed to be drooling morons as soon as they're confronted with a computer -- that they need to be protected from themselves. The entire antivirus market currently thrives on this assumption, when the single best w
Re: (Score:2)
Many have "privacy policies" -- how prominent would be prominent enough?
You have to visit the site before you can even read the privacy policy. And who wants to read a bunch of legalese just to browse the web?
Maybe I'm being insensitive here
Yes, you are. You think people should have to walk around wearing disguises instead of having a reasonable expectation of privacy. It's as if every business you visited in public decided to identify you and report your whereabouts to a central party. That's fucked up.
I'm really sick of the meme that otherwise intelligent people should immediately be assumed to be drooling morons as soon as they're confronted with a computer
I care about privacy, I'm technically literate, I avoid cookies, and browse with NoScript. However, even I
Re: (Score:2)
You think people should have to walk around wearing disguises instead of having a reasonable expectation of privacy.
And where did I say that?
It's as if every business you visited in public decided to identify you and report your whereabouts to a central party.
Do you use a credit card? They do.
Expecting the average citizen to keep up in a technological arms race...
Not particularly -- pick a few reputable sources [eff.org] and follow them.
Regarding Flash cookies, well, the simple/paranoid approach is to not install Flash, or any third-party proprietary plugin, without good reason.
Then fuck 'em. Visitors using those browsers can get the old Flash version.
That's not "fuck 'em", that's "oh shit, now we really do need to keep two versions around."
YouTube is big enough that they can dictate the terms here.
And yet, even you don't seem to be suggesting they can -- you're suggesting YouTube spend huge amounts on disk space, bandwidth, CDNs, etc, to keep both
Re: (Score:2)
Since I don't particularly care about obeying software patents covering codecs and file formats,
Because I live in New Zealand, I'm legally allowed to do this - but if you live in the USA, isn't it a bit of a problem that your chosen media codec solution involves deliberate lawbreaking?
Mass civil disobedience might indeed be the appropriate response to broken software patent law, but if you're going to do that, shouldn't you also be willing to undergo mass arrests and trials?
Or you could just avoid using the broken patented technology. Seems easier to me.
Re: (Score:2)
if you live in the USA, isn't it a bit of a problem that your chosen media codec solution involves deliberate lawbreaking?
It is -- so I call it civil disobedience.
Except it doesn't require lawbreaking. I have a copy of Windows 7, which includes an h.264 decoder. I have an nVidia video card, which includes a hardware h.264 decoder, and a Linux driver for it. Both of these are bought and paid for, including all licensing fees.
So, if Firefox just used what my OS already had available -- if it just hooked into GStreamer, DirectShow, CoreVideo, etc -- it would Just Work, and it would be entirely legal. They refuse to do this.
if you're going to do that, shouldn't you also be willing to undergo mass arrests and trials?
Not wi
Re: (Score:2)
if you live in the USA, isn't it a bit of a problem that your chosen media codec solution involves deliberate lawbreaking?
It is -- so I call it civil disobedience.
Notwithstanding your comment about how you already have a patent license through other means, "civil disobedience" isn't the same as "doing it and not getting caught". In the original sense, "civil disobedience" means breaking the law in public, daring the police to arrest you / civil lawsuits to fly, and using the obvious injustice of the response to inflame the public against the bad law. DeCSS in your .signature is civil disobedience, downloading a gray-market codec from a non-US APT repository is mere
Re: (Score:2)
"civil disobedience" isn't the same as "doing it and not getting caught".
Oh, I agree...
In the original sense, "civil disobedience" means breaking the law in public, daring the police to arrest you / civil lawsuits to fly, and using the obvious injustice of the response to inflame the public against the bad law.
I suspect the public is too lazy for that to really work, but I'm also too lazy to make a huge public show of it. However, I make no secret about the fact that, for instance, I crack DVD copy protection, because my only other options are to boot Windows just to watch a DVD, or revert to an absurdly old version of Ubuntu that I got from Dell which (I think) came with legal copies of the relevant codecs and an approved player.
In other words, I'm not marching the capital steps with a movie playin
Re: (Score:1)
Re: (Score:2)
Chrome doesn't support the hooks that NoScript needs to work,
Which hooks would those be? In particular, if Adblock Plus can work, why can't NoScript?
NoScript is required (imho) for any power user (which everyone on Slashdot should be, or used to be).
No thanks, I'd much rather have a blacklist than a whitelist, for several reasons. One is that I like to be aware of the kind of crap each website is offering to the layman -- for example, I try to avoid websites that use Kontera and the like, rather than trying to make them tolerable.
Another is that when scripting is enabled, a site can progressively enhance itself to actually improve the experience. As I understand it,
Re: (Score:2)
Hmm sorry, don't need NoScript. I have a good hosts file. Pretty sure that trumps your power user argument and lets me use any browser I want.
Erm, what? (Score:5, Informative)
Chromium is the open source version that Chrome, the proprietary browser, is built on. (Basically, they take Chromium, add codecs they can't legally include in Chromium, maybe a little branding, and release it as Chrome.)
The same is true of the OS -- the only reason it's "Chromium OS" is that the actual "Chrome OS" hasn't been released yet, because the community version isn't done yet.
Re: (Score:2)
I see. Thank you very much. I was unaware of this distinction and have learned something new today! Please mod parent informative.
Should be in the OS not the browser (Score:2)
It makes very little sense to sandbox the application. Sandboxing should be delegated from the application to the OS. I note that Mac OS X has this built into the OS, but only a few applications like xgrid actually use it. The good news is that apps don't need to be sandbox aware to be sandboxed after the fact. I saw on macosxhints where someone wrote a sandbox config file for Firefox that forces Firefox to run with reduced privileges and disk access.
Re: (Score:2)
sandboxing should be delegated from the application to the OS.
Ideally, yes, but modern OSes (excluding Chromium OS, maybe) don't always provide sufficient sandboxing, and they do it in different ways. This would be both additional security where it's needed (as well as ways for communicating in and out of the sandbox), and, hopefully, support for whatever native sandboxing options are available (it kind of needs those anyway -- Chrome already uses a chroot jail, I think).
But what does any of that have to do with what I wrote?
Re: (Score:2)
we don't know if it doesn't include more stuff, like things that would be bad for privacy (but good for Google).
However, the fact that most of the code is open means we have a lot more insight into how it works, meaning if anyone wanted to reverse engineer it, it'd likely be a lot easier than, say, IE.
Also, if you look at the other things Google has released, very rarely do you find them using this pattern. It seems far more common that they either don't let you download anything, or they offer full source under a reasonable license. The "official story", boring as it is, makes sense.
Re: (Score:2)
Re: (Score:1, Informative)
At least two of the researchers are active in the FreeBSD project (Kris + Robert). Also Robert Watson's pet project has been TrustedBSD MAC extensions to FreeBSD since 5.something.
How timely (Score:2)
This may serve well to provide sandboxing for Android in place of Java [arstechnica.com]
Re: (Score:2)
And it would require massive rewriting of Android components and almost all apps, ruining the current install base Android has built up.
Nonsense. Current apps would continue to work just fine and anybody who wants to take the risk can just stick with Java.
Kinda misleading. (Score:1, Interesting)
Re: (Score:3, Insightful)
Re: (Score:3, Funny)
Until someone comes up with a specially crafted PDF... ;)
Re: (Score:2)
... what about the malicious applications which don't wanna be sandboxed???
Build a launcher that sandboxes itself and then execs (or whatever) them.
More crap that won't work (Score:2)
for fuck's sake (Score:1, Informative)
"Web browsers have evolved into operating systems"
No, they haven't, calm down.
Re: (Score:3, Interesting)
"Web browsers have evolved into operating systems"
No, they haven't, calm down.
I think he means that they have become application environments, giving access to all the fundamental services of the underlying operating systems, through their own API and security models, with their own set of bugs.
Re: (Score:2)
In other words, they have become a toolkit.
A bit more like Windows used to be.... (Score:1)
Academic Foolishness (Score:4, Informative)
Re:Academic Foolishness (Score:5, Insightful)
I presume that you didn't actually read the API man pages. The interface follows squarely in the footsteps of the Unix design philosophy. No PID semantics are being changed, either. They've introduced process descriptors which, among other things, allow you to poll for process exit. They allow you to attach restrictions to descriptors, presumably so that a broker could open resources (files, sockets), restrict the allowable operations, and then pass them to sandboxed applications over a domain socket. It's all quite simple and powerful and exactly what I would love to see incorporated into POSIX.
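As an added illustration of the broker pattern the comment above describes (my example in C, not code from the Capsicum paper, FreeBSD, or anyone in the thread): a broker process opens a file, cuts the descriptor down to read-only, and hands it to a sandboxed child over a UNIX domain socket. The SCM_RIGHTS descriptor passing is portable; cap_rights_limit() and cap_enter() are FreeBSD's Capsicum API and are compiled in only there, so on other systems the restriction comes from O_RDONLY alone. The temp file path and its "hello" contents are constructed for the demo.

```c
/* Added example (mine, not the paper's or the thread's): broker/sandbox
 * descriptor delegation. Capsicum calls are FreeBSD-only; elsewhere the
 * read-only restriction comes from O_RDONLY, which limits this file but
 * not what the child can reach by path. Temp file is constructed here. */
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>
#endif

/* Ship one descriptor across a socketpair end. Returns 0 on success. */
static int send_fd(int sock, int fd)
{
    char byte = 'F';
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    char cbuf[CMSG_SPACE(sizeof(int))];
    memset(cbuf, 0, sizeof cbuf);
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET; cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one descriptor. Returns the new fd, or -1. */
static int recv_fd(int sock)
{
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    char cbuf[CMSG_SPACE(sizeof(int))];
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    if (recvmsg(sock, &msg, 0) != 1) return -1;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    if (cm == NULL || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS) return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}

/* Broker: open the path, restrict the descriptor to read-only, delegate it. */
static int broker_delegate(int sock, const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
#ifdef __FreeBSD__
    cap_rights_t rights;
    cap_rights_init(&rights, CAP_READ, CAP_FSTAT);   /* deliberately no CAP_WRITE */
    if (cap_rights_limit(fd, &rights) < 0) { close(fd); return -1; }
#endif
    int rc = send_fd(sock, fd);
    close(fd);   /* the child now holds the only copy */
    return rc;
}

/* Sandbox: take the delegated descriptor, then (FreeBSD) give up the global
 * namespace. Returns 1 if reads work and writes are refused, else 0. */
static int sandbox_check(int sock)
{
    int fd = recv_fd(sock);
    if (fd < 0) return 0;
#ifdef __FreeBSD__
    if (cap_enter() < 0) return 0;   /* open("/etc/passwd") fails from here on */
#endif
    char c;
    int readable = read(fd, &c, 1) == 1;
    int refused = write(fd, "x", 1) < 0;
#ifdef ENOTCAPABLE
    refused = refused && (errno == EBADF || errno == ENOTCAPABLE);
#else
    refused = refused && errno == EBADF;
#endif
    close(fd);
    return readable && refused;
}

/* Run broker (parent) and sandbox (child) against a constructed temp file.
 * Returns 1 when the delegated descriptor behaved as intended. */
int demo_delegation(void)
{
    char path[] = "/tmp/capsicum-demo-XXXXXX";   /* constructed sample input */
    int tfd = mkstemp(path);
    if (tfd < 0) return 0;
    if (write(tfd, "hello", 5) != 5) { close(tfd); unlink(path); return 0; }
    close(tfd);
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) { unlink(path); return 0; }
    pid_t pid = fork();
    if (pid < 0) { unlink(path); return 0; }
    if (pid == 0) { close(sv[0]); _exit(sandbox_check(sv[1]) ? 0 : 1); }
    close(sv[1]);
    int sent = broker_delegate(sv[0], path) == 0;
    int status = 0;
    waitpid(pid, &status, 0);
    close(sv[0]); unlink(path);
    return sent && WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

int main(void)
{
    return demo_delegation() ? 0 : 1;   /* exit 0: child could read but not write */
}
```

Build with cc and run; exit status 0 means the child could read the delegated descriptor but had its write refused. The part that only Capsicum gives you is the child's cap_enter(): after it, the child cannot open anything by path, so the descriptors it was handed are the whole of what it can touch, which is exactly the "broker decides, sandbox consumes" split the comment is pointing at.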
Re:Academic Foolishness (Score:5, Insightful)
Re: (Score:2)
These are major and invasive changes to POSIX. No reasonable person would expect to be able to do things like change PID semantics or shared memory.
I don't think that they are expecting people to wholeheartedly change the 30+ year old POSIX API and adopt their new developments. This is research, remember? These are students who are exploring new ways to improve security and address problems with the POSIX API. It's there, we can adopt what we want, and in the meantime, students learn examples of how to writ
Re: (Score:1, Interesting)
These are major and invasive changes to POSIX
No, they're not. They are additions to the current security model.
An OS that has this functionality looks and acts exactly like a POSIX OS. It's up to the application program to call the appropriate APIs as necessary to properly sandbox things (and some parts of each app will potentially be sandboxed differently than other parts).
One of the researchers involved is Robert Watson who has heavily been involved in FreeBSD for many, many years. Knowing that he's doing this reassures me that this is well thought
Browsers Interact Directly with Hardware? (Score:2, Insightful)
Web browsers have evolved into operating systems unto themselves
Really? I am unaware of a (common) browser that is able to do much more than work with data...
Let's try to leave the analogies used to educate luddites out of summaries intended for people that *KNOW* the difference between an OS and an application.
Re: (Score:2)
Ever since that pesky von Neumann fellow, all any computer has done is work with data.
Re: (Score:3, Interesting)
Web browsers have evolved into operating systems unto themselves
Really? I am unaware of a (common) browser that is able to do much more than work with data...
Let's try to leave the analogies used to educate luddites out of summaries intended for people that *KNOW* the difference between an OS and an application.
There are certainly many companies out there that want your OS to be nothing more than a web browser. That way they can sell software as a service. For things like Google Gmail, Google Calendar, Google Docs, etc. Microsoft is slowly moving in that direction as well. It's much more profitable to sell based on usage or per month, rather than selling you a perpetual license. Many businesses are moving towards the desktop being little more than a terminal with the applications actually running on a central
Re: (Score:2)
So... (Score:2)
Re: (Score:2)
... When will we see implementations of this in Linux, *BSD, and, even, commercial Unix flavors?
I believe you can patch FreeBSD 9 (current) to use this. Check the FreeBSD security mailing list for a link to the patches.
Because their middle name is security (Score:2, Insightful)
Y'know, I'm really glad Google wants to provide a new API for managing security. We need somebody to do this for us - somebody who really knows security, somebody who may as well have security as their middle name [nsa.gov], to come out with an API framework for Mandatory Access Controls [nsa.gov], preferably built right into the operating system kernel of a [fedoraproject.org] major [debian.org] distribution [gentoo.org].
Yes, I'm really glad Google took the initiative on this.
Dang. I just commented and can't mod you up now. (Score:1, Offtopic)
Which is just as well, since I was torn between Informative and Funny. B-)
Re: (Score:3, Informative)
5 Comparison of sandboxing technologies
We now compare Capsicum to existing sandbox mechanisms. Chromium provides an ideal context for this comparison, as it employs six sandboxing technologies (see Figure 12). Of these, two are DAC-based, two MAC-based and two capability-based.
...
5.4 SELinux
Chromium’s MAC approach on Linux uses an SELinux Type Enforcement policy [12]. SELinux can be used for very fine-grained rights assignment, but in practice, broad rights are conferred because fine-grained Type Enforcement policies are difficult to write and maintain. The requirement that an administrator be involved in defining new policy and applying new types to the filesystem is a significant inflexibility: application policies cannot adapt dynamically, as system privilege is required to reformulate policy and relabel objects.
The Fedora reference policy for Chromium creates a single SELinux dynamic domain, chrome_sandbox_t, which is shared by all sandboxes, risking potential interference between sandboxes. This domain is assigned broad rights, such as the ability to read all files in /etc and access to the terminal device. These broad policies are easier to craft than fine-grained ones, reducing the impact of the dual-coding problem, but are much less effective, allowing leakage between sandboxes and broad access to resources outside of the sandbox.
In contrast, Capsicum eliminates dual-coding by combining security policy with code in the application. This approach has benefits and drawbacks: while bugs can’t arise due to potential inconsistency between policy and code, there is no longer an easily accessible specification of policy to which static analysis can be applied. This reinforces our belief that systems such as Type Enforcement and Capsicum are potentially complementary, serving differing niches in system security.
Re:Because their middle name is security (Score:4, Informative)
Normally I don't even bother to read ACs, let alone respond to them, but in your case I'll make an exception since you are actually trying to make a cogent point.
Security IS complex - that is why it is better to get it right in ONE place than getting it WRONG many places. Had the researchers put the effort into defining a meaningful set of security contexts within SELinux - contexts that could be used for the WHOLE SYSTEM - they could have not only secured the browser, but everything else. Instead, they took a Barbie-Doll "Security is HARD" approach, and only secured ONE application.
The faults raised in the paper were not with SELinux itself, but rather with a specific implementation of a security policy, created by one vendor, which USES the SELinux framework.
Personally, I'd rather see a set of security contexts and attributes:
internet_tainted_file: this object (file) was created by a program which has accessed the Internet (more precisely, any network address not marked as trusted).
sensitive-file: an object (file) that may NEVER be accessed by an internet-tainted-program (see below)
non-internet-program - a program has no need to open ports outside the local network or access internet_tainted files.
internet-program: a program which MAY access the internet, but has not yet done so.
sensitive-tainted-program: a program which has accessed a sensitive-file, and thus may NEVER access the Internet. An internet-program may transition to the sensitive-tainted-program state by accessing a sensitive-file object.
internet-tainted-program: a program which has accessed the Internet, or accessed an internet_tainted_file.
That way, programs that have no need of frobbing the Internet (e.g. gedit) CANNOT access it. Programs that have touched sensitive files (e.g. /etc/shadow) likewise can NEVER touch the 'Net. Programs that have touched the 'Net can NEVER access sensitive files.
That's just the tip of the iceberg - but getting a proper set of security contexts can not only protect the browser, but EVERY program on the system.
And that is why I raised this point: all Google is securing is their own stuff (and only to the extent a malicious exploit cannot work around their solution, which is code in the application), rather than contributing to the greater security of the whole system.
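To make the transitions in that proposal concrete, here is an added C model (mine, not the commenter's and not any real SELinux policy) that encodes the six contexts as program states and file labels and walks three constructed scenarios. The event set (read, create, connect) and one rule, that a sensitive-tainted program may not read an internet_tainted_file because the post's own definition of internet-tainted-program counts that as Internet access, are my reading of the post. The scenarios also surface a consequence a policy author would want to see early: a non-internet program such as gedit can never open a downloaded file, so anything that must edit downloads has to be classed as an internet-program.

```c
/* Added example, not from the thread: a small enforcement model of the
 * taint-style contexts proposed above. Label names are the commenter's; the
 * event set and the rule that a sensitive-tainted program may not read an
 * internet_tainted_file are my reading of the post. Scenarios are constructed. */
#include <stdio.h>

enum prog_state { NON_INTERNET, INTERNET, SENSITIVE_TAINTED, INTERNET_TAINTED };
enum file_label { PLAIN, INTERNET_TAINTED_FILE, SENSITIVE_FILE };

struct prog { const char *name; enum prog_state state; };
struct file { const char *name; enum file_label label; };

/* Program asks to talk to an address not marked trusted.
 * Returns 1 if allowed (recording the taint), 0 if denied. */
static int policy_connect(struct prog *p)
{
    switch (p->state) {
    case INTERNET:         p->state = INTERNET_TAINTED; return 1;
    case INTERNET_TAINTED: return 1;
    default:               return 0;  /* non-internet, sensitive-tainted: never */
    }
}

/* Program asks to read a file. Returns 1 if allowed, 0 if denied. */
static int policy_read(struct prog *p, const struct file *f)
{
    switch (f->label) {
    case PLAIN:
        return 1;
    case SENSITIVE_FILE:
        if (p->state == INTERNET_TAINTED) return 0;   /* touched the 'Net: never */
        if (p->state == INTERNET) p->state = SENSITIVE_TAINTED;
        return 1;
    case INTERNET_TAINTED_FILE:
        if (p->state == NON_INTERNET || p->state == SENSITIVE_TAINTED) return 0;
        p->state = INTERNET_TAINTED;   /* reading it counts as Internet access */
        return 1;
    }
    return 0;
}

/* Program creates a file: the label follows the creator's taint. */
static void policy_create(const struct prog *p, struct file *f, const char *name)
{
    f->name = name;
    f->label = (p->state == INTERNET_TAINTED) ? INTERNET_TAINTED_FILE : PLAIN;
}

/* Scenario 1: a browser goes online, saves a download, then tries to read
 * /etc/shadow. Returns 1 when the read is denied and the saved file carries
 * the internet taint. */
int scenario_browser(void)
{
    struct prog browser = { "browser", INTERNET };
    struct file shadow = { "/etc/shadow", SENSITIVE_FILE }, download;
    int online = policy_connect(&browser);
    policy_create(&browser, &download, "/home/u/Downloads/x.pdf");
    int denied = !policy_read(&browser, &shadow);
    return online && denied && download.label == INTERNET_TAINTED_FILE;
}

/* Scenario 2: same class of program, opposite order. Reading the sensitive
 * file first moves it to sensitive-tainted and closes the network for good. */
int scenario_sensitive_first(void)
{
    struct prog tool = { "passwd-helper", INTERNET };
    struct file shadow = { "/etc/shadow", SENSITIVE_FILE };
    int read_ok = policy_read(&tool, &shadow);
    int net_denied = !policy_connect(&tool);
    return read_ok && net_denied && tool.state == SENSITIVE_TAINTED;
}

/* Scenario 3: gedit, a non-internet program, may neither connect out nor
 * open a downloaded (internet-tainted) file. */
int scenario_editor(void)
{
    struct prog editor = { "gedit", NON_INTERNET };
    struct file download = { "/home/u/Downloads/x.pdf", INTERNET_TAINTED_FILE };
    return !policy_connect(&editor) && !policy_read(&editor, &download);
}

int main(void)
{
    printf("browser %s, order %s, editor %s\n",
           scenario_browser() ? "held" : "broken",
           scenario_sensitive_first() ? "held" : "broken",
           scenario_editor() ? "held" : "broken");
    return 0;
}
```

Scenarios 1 and 2 are the same kind of program doing the same two things in opposite order and ending in different permanent states, which is the property that makes this model a one-way ratchet rather than a static allow list: the decision is made at the first access, not at policy-writing time.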
Re: (Score:1, Informative)
At the USENIX talk, the authors explained that one of the flaws in SELinux, not just Chromium's use of it, was the need to enumerate all sandbox domains statically in a policy file. The approach used in Chromium, and that you describe, allows different web sites to attack each other when rendered in the same browser, since they're not protected from each other. Capsicum allows applications such as Chromium to create as many sandboxes as they need dynamically. They also repeatedly said during the talk that c
Security innovation (Score:1, Insightful)
... there's been quite a bit of innovation on Windows security ...
What? There has? Do you mean the way it now asks me 'Are you sure you want to give this application a chance to destroy your computer? Y/N' and if I say 'No' I can't use the application?
I mean, if I really want to run that application I have no choice but to click 'Yes' and then if it was a virus after all I'm screwed.
What I'd want is a way to have more control over the program. Maybe put it in a sandbox and trick it into thinking it's got full privileges even though it's really sandboxed so it won't crash
Re: (Score:3, Insightful)
What I'd want is a way to have more control over the program. Maybe put it in a sandbox and trick it into thinking it's got full privileges even though it's really sandboxed so it won't crash or maybe just set advanced settings for that specific application to disallow it from writing to specific registry/files/network/other process' memory.
Which is... umm... pretty much exactly what Windows Vista, Windows 7, and Windows Server 2008 can do.
Re: (Score:1, Interesting)
Which is... umm... pretty much exactly what Windows Vista, Windows 7, and Windows Server 2008 can do.
How? I've never got anything else except the choice to run an application or not run an application. Which is a choice I've usually already made before I run it.
Re: (Score:3, Informative)
1. Modify the image header. [microsoft.com] icacls notepad.exe
2. Do runas
Here's a screen capture of what happens to the latter when you try to access the user's desktop: http://i38.tinypic.com/wbs1vo.png [tinypic.com].
Can't we just get this over with? (Score:2)
Re: (Score:2)
Dammit, now I'm feeling bizarrely tempted to write a IE plugin that contains emacs. I have no idea why I'd want to do this; I don't even really like emacs. The idea is truly bizarrely compelling, though.