Ask HN: Why isn't capability-based security more widespread?
The recent "self-propagating NPM malware" reminds us that the current security model is basically whack-a-mole: you have to trust every piece of software you run (including all the libraries, plugins, etc.) unless you explicitly put it in a sandbox.
Capability-based security may offer an alternative: software should not access any resource without being explicitly authorized to. That is, "classic" desktop security is a blacklist model (everything is possible unless explicitly restricted, e.g. via a sandbox), whereas capability-based security is more like a whitelist.
At the programming-language level this is usually known as the object-capability model, and a number of programming languages implement it: [Object-capability model - Wikipedia](https://en.m.wikipedia.org/wiki/Object-capability_model)
The question is: why isn't it more popular? It doesn't even seem to be widely known, let alone widely used. (Apart from isolated examples.)
Is there any chance it will be widely adopted?
I suppose one objection is that people don't want to configure security manually. But if we think about it seriously, maybe it could be integrated into the normal user experience: for example, if you pick a file using the system-provided file picker, it would automatically grant access to that file, because the access was explicitly authorized.
View original
Recent ["self-propagating NPM malware"](https://news.ycombinator.com/item?id=45260741) reminds us that the predominant security model is basically whack-a-mole: you gotta trust _every_ piece of software you run (including all the libraries, plugins, etc), unless you explicitly sandbox it.

Capability-based security might offer an alternative: software should not have access to things when it's not explicitly provided with access. I.e. "classic" desktop security is kind of a blacklist model (everything is possible unless explicitly restricted e.g. via sandbox) while capability-based security is like a whitelist.

On a programming language level it's usually known as object-capability model, and there's a number of programming languages which implement it: https://en.m.wikipedia.org/wiki/Object-capability_model

The question: why isn't it more popular? It doesn't even seem to be widely known, let alone used. (Aside from isolated examples.)

Is there any chance it would be widely adopted?

I guess one objection is that people don't want to manually configure security. But perhaps it can be integrated into normal UX if we really think about it: e.g. if you select a file using a system-provided file picker it would automatically grant access to that file, as access is explicitly authorized.