Re: which do you think can provide better protection against Trojan horses?



Hi,

which do you think can provide better protection against Trojan horses: Access Control Lists or Capabilities?

Capabilities.

ACLs work nicely for protecting users from each other. I can put an ACL
on my department's shared drive and stop outsiders from accessing it. I
can put another ACL on the managers' folder and keep non-managers out.

But when dealing with trojan horses, we have a different security
problem than protecting users from each other. We need to protect a user
from a malicious program running under their identity.

This is where ACLs break down, as the malicious program gets all the
same rights as the user.

However, in a capabilities model, each program would only get the
absolute minimum capabilities it needs to do its job and not all the
rights of a user. A trojan horse is better contained.

Paul

--
Pentest - When a tick in the box is not enough

Paul Johnston - IT Security Consultant / Tiger SST
Pentest Limited - ISO 9001 (cert 16055) / ISO 27001 (cert 558982)

Office: +44 (0) 161 233 0100
Mobile: +44 (0) 7817 219 072

Email policy: http://www.pentest.co.uk/legal.shtml#emailpolicy
Registered Number: 4217114 England & Wales
Registered Office: 26a The Downs, Altrincham, Cheshire, WA14 2PU, UK

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------