I check Hacker News every day, and I found this interesting post. The idea behind the post is that when you browse the web, you don't just download the content; you also download the web browser. That sounded scary to me at first, but what the post is essentially trying to convey is that
“the code you’re executing is not important, rather, it is the system API exposed to the code that determines the safety of the system.”
Well, the first thing that came to mind when I read this was the principle of least privilege. In a typical Unix-like system there are many users, and the system administrator does not trust them, so the administrator minimizes each user's privileges to the least they need to get their work done. But then why are attackers still able to compromise a Unix-like system? Is the principle of least privilege not good enough?
I think the principle is good, but what people have traditionally missed is the definition of privilege from the perspective of the system. Think about it: it is programs that actually talk to the system, not users. Of course!! That is why every program in the system is executed on behalf of a user, and every user has a unique id that specifies what privileges that user has. But what is the definition of privilege in terms of the system? I think it is the system API.
Therefore, I think the system should minimize the number of APIs each program has access to. Moreover, this should not be limited to the web domain; it can be applied in the OS world as well. I'm not an OS person, so I don't know how much effort it would take, but I can imagine it is quite a lot: the system needs to be aware of all of its APIs, and it needs to track every use of them. I don't think that is easy, because the API is quite low-level.
Just some random thoughts. I don't know how many people have read the Unix-Haters Handbook. It is old, but the essence of the book is the battle between two philosophies: one is "do the right thing" and the other is "bad is better" (I don't quite remember the name of the latter, but it is something like that). So I doubt the API-privileges idea will be implemented in the near future (if none exists already).