
Comment by zzo38computer

1 month ago

I think that, if it is done well (which will require a new operating system design (and a new instruction set may also be helpful); I have many ideas), it will have more benefits than only security.

It is much like the object-capability model described on Wikipedia, and it is neither a blacklist model nor a whitelist model. A whitelist model would have a list (or other criteria) of what is permitted, but for a better capability-based system, it works differently.

My idea involves capabilities (which can include proxy capabilities as well; i.e. it is not necessarily what you asked for, but you can send/receive messages anyway) which can be sent and used like the object-capability model, including as the initial message (instead of using command-line arguments, file descriptors, etc., it uses the "initial message"; this is like the "initial conditions" described on Wikipedia), which should include some capabilities; otherwise it cannot do any I/O and will be automatically terminated (before the program gets a chance to run) if no debugger is attached. (Unlike the standard object-capability model, there is no "endowment" (at least at the level of the operating system, although programming languages might have this feature); the capability does nothing by itself, but the process that created it can receive messages that it and/or other processes send to it and use them for whatever that capability is intended to mean.)

Some benefits of a proxy capability system include that many other things become unnecessary, since they can be done with proxies, such as: finer permissions than the capabilities normally allow, adding print preview to a program that does not have that feature (but that is able to print), simulating error conditions, testing whether the date/time handling of a program would work correctly on February 29 (or some other date, or a leap second, etc.) without needing to change the clock on your computer, accessing resources on another computer as though they are local (and vice versa), etc.

You might be able to pass capabilities using the command shell like how on UNIX you can use pipes, but in this one you would pass capabilities instead (as well as the ability to create your own).

> I guess one objection is that people don't want to manually configure security.

In many ways, reasonable defaults can be configured, and some things can be configured automatically, although it would still be possible to manually set them to whatever you want them to be.

> if you select a file using a system-provided file picker it would automatically grant access to that file, as access is explicitly authorized

Nevertheless, there are problems with such things, especially if you try to add them to existing systems. For example, a program might require access to additional files depending on the one accessed (either referenced by those files or by a modification of the original file's name (e.g. the journal file in SQLite)), configuration files and command-line arguments, etc. You would also need to consider such things as popen (many of my programs use it, with a command specified by the user at run time or specified in a configuration file).

In a new operating system design you could also change the file system model as well, in order to help with this (I had ideas about how to do this, too).
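The proxy-capability ideas in the comment above (an initial message instead of argv/fds, termination when no capabilities are passed, and proxies that attenuate, simulate or record), as an added Python sketch that is not the commenter's design or code. Every class and function name, and the sample "file" contents, are assumptions made for the illustration; there is no real kernel or IPC here, messages are plain method calls.

```python
"""Toy model of a proxy-capability system (added illustration, not the
commenter's design). A process receives an "initial message" carrying
capabilities and can only do I/O through them. A proxy capability is an
ordinary capability whose messages go to the process that created it,
which may forward, rewrite, refuse or record them. All names hypothetical."""
import datetime


class Capability:
    """Base: a capability is just something you can send a message to."""
    def send(self, op, *args):
        raise NotImplementedError


class ClockCap(Capability):
    """Real clock: answers 'today' with the host's date."""
    def send(self, op, *args):
        if op == "today":
            return datetime.date.today()
        raise PermissionError(f"clock does not understand {op!r}")


class FileCap(Capability):
    """Read/write access to one in-memory 'file' (constructed, not a real FS)."""
    def __init__(self, content=""):
        self.content = content

    def send(self, op, *args):
        if op == "read":
            return self.content
        if op == "write":
            self.content = args[0]
            return len(args[0])
        raise PermissionError(f"file does not understand {op!r}")


class ProxyCap(Capability):
    """Proxy: the holder sees an ordinary capability; the creator sees every
    message and decides what it means (attenuate, rewrite, simulate, record)."""
    def __init__(self, handler):
        self.handler = handler

    def send(self, op, *args):
        return self.handler(op, *args)


def read_only(cap):
    """Attenuation proxy: a finer permission than the file cap itself offers."""
    def handler(op, *args):
        if op != "read":
            raise PermissionError(f"read-only proxy refused {op!r}")
        return cap.send(op, *args)
    return ProxyCap(handler)


def fixed_date(cap, date):
    """Simulation proxy: the program sees `date` without the host clock changing."""
    def handler(op, *args):
        return date if op == "today" else cap.send(op, *args)
    return ProxyCap(handler)


def recording(cap):
    """Print-preview style proxy: capture writes instead of forwarding them."""
    captured = []

    def handler(op, *args):
        if op == "write":
            captured.append(args[0])
            return len(args[0])
        return cap.send(op, *args)
    return ProxyCap(handler), captured


def run_process(program, initial_message):
    """The rule from the comment: no capabilities in the initial message means
    the program cannot do any I/O, so it is terminated before it runs."""
    if not any(isinstance(v, Capability) for v in initial_message.values()):
        return "terminated: no capabilities in initial message"
    return program(initial_message)


def report_program(msg):
    """Example program: stamps a report with the date and writes it to 'out'.
    It never sees argv or file descriptors, only the initial message."""
    today = msg["clock"].send("today")
    text = f"report {today.isoformat()}: {msg['template'].send('read')}"
    msg["out"].send("write", text)
    return text


def demo():
    """One run of report_program under three proxies; returns what each
    side observed so the effects can be checked without a real OS."""
    template = FileCap("quarterly figures")   # constructed sample input
    out = FileCap()                           # the "real" output file
    preview, captured = recording(out)        # the program gets this instead
    leap_clock = fixed_date(ClockCap(), datetime.date(2024, 2, 29))
    results = {"no_caps": run_process(report_program, {"name": "report"})}
    results["text"] = run_process(report_program, {
        "clock": leap_clock, "template": read_only(template), "out": preview})
    results["printed"] = out.content          # nothing reached the real file
    results["previewed"] = list(captured)     # the proxy captured it instead
    try:
        read_only(template).send("write", "tampered")
        results["write_refused"] = False
    except PermissionError:
        results["write_refused"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the sketch is that the program is unchanged between the "real" and "proxied" runs: it asks its clock and writes to its output, and the holder of the proxies decides what those messages mean. Attenuation (read-only), simulation (February 29) and interception (preview) are all the same mechanism, which is why the comment argues that many separate OS features become unnecessary.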