next up previous contents
Next: The Security Assistant Up: Interactive Security Assistance for Previous: Contents

Introduction

Problem setting - untrusted code

When we run a program on our computer we trust it to do what we want it to do. This trust is exploited by virus writers, who modify the executable code of other programs to obtain some additional behavior, e.g. copying the virus part of itself into further programs. In most operating systems it is at the program's discretion what parts of its operation it shows the user. A virus or Trojan horse exploits this trust in programs to covertly access files and influence other programs. The problem is well known and is usually handled with various kinds of pattern matching to find the virus part of a program; once the virus has been erased, the problem is considered solved for this time.

In the days of stand-alone personal computers, detection and removal of the erring program was sufficient, since the damage done by viruses was limited to acts of vandalism such as destruction of files and annoying screen messages. Now that more computers are connected to the Internet, the scenario has changed.

Today a malicious program can not only wreak havoc among your files and pester you with ``gimme a cookie'' messages. The ability to communicate back to its originator in effect gives the originator control over your computer: the program can covertly search your computer for information it deems interesting and report its findings back ``home''. The advent of Internet commerce makes the problem more acute, since there are now things on the computer worth stealing, e.g. credit card numbers, e-cash or valuable information.

During a day we use programs from numerous vendors, and this will certainly increase as the methods for program distribution improve. The Internet is a revolution in the possibilities for small software vendors to market themselves and distribute their programs. To enable competition and the filling of niches, it must be possible for new and previously unknown software manufacturers to enter this market. Java applets and Netscape plug-ins are examples of programs that are very easy to install; perhaps the user's only intent is to try the program or to use it a few times. Today, most people are hesitant to use programs whose creator they are not familiar with. If only a small number of reputable vendors or centralized certification organizations are trusted to supply programs to all users, the rate at which new programs, services and updates can come into use will decrease, and smaller niches might not be filled. In practice, this trust is blind, since we usually have no means of verifying that even a reputable vendor's programs behave as claimed. If possible, it would be preferable to avoid having to trust any external organization blindly. Internet service providers, e.g. for Network Computers, would then be able to offer their customers a larger base of programs without having to verify the programs themselves, while still being able to give their customers some assurance about the software made available.

If nothing can be absolutely guaranteed about a program, how can we sensibly grant it any access privileges so that it can do useful work for us? The answer seems to be to remove the need for blind trust in a program when executing it. As long as the program's actions can be restricted and supervised, an untrusted program can be run with the confidence that any actual or potential misbehavior will be detected.

This report is organized in the following way.

Section 2 places the Security Assistant approach in the context of other security methods, and describes how the Security Assistant is thought to interact with and affect the user. In Section 2.4, issues in the design of a Security Assistant are discussed and an architecture is suggested. Section 3 covers some requirements on the execution environment for the assistant and the untrusted programs and Section 4 concerns how the assistant could be structured internally. Section 5 and Section 6 discuss related work in handling untrusted programs from the perspective of Safe Languages and Intrusion Detection. Appendix A discusses lessons learnt from three small prototype implementations of a security assistant which collects and presents information about the monitored programs.






Andreas Rasmusson
Fri Oct 25 11:36:45 MET DST 1996