Security Sandbox

NeuroKernel /OS takes security very seriously. The kernel is especially strict about resource authorization and access: unauthorized access results in immediate termination of the task in question. Registered applications, including registered remote applications, enjoy the freedom and full performance of the operating system environment. Unregistered remote applications, on the other hand, are treated differently by the kernel. They are potential suspects before they are even executed, and they cannot access all the resources that registered applications can. The user can flag a remote application as trusted before or during runtime, but that gives the remote application only a few permissions.

1. Kernel Resources

Registered applications, remote or not, have full access to kernel resources such as ports, shared data, protocol extensions, etc. Remote applications are restricted starting at the protocol level.

2. Task Limitations

Untrusted remote tasks cannot have more than 10 windows at one time. An MDI interface may be used to work with more windows. Unregistered remote tasks cannot extend the system protocol.

3. Accessing Resources

Resources such as the file system (both cloud-based and in-memory), ports, shared data, the clipboard, spawning tasks and plugins, and the allowed number of windows are controlled by the kernel and can be granted only to tasks that meet certain criteria. Unregistered remote applications and torrent-based applications have limited access to most of these resources.

4. Trusting a Task

Unregistered remote tasks are untrusted by default. Their execution is closely monitored by the kernel, and no disallowed operation is permitted. A remote application can be trusted by passing the -trusted=true argument when executing it. This can only be done by a registered application or by typing the command in at the terminal. There is also a remote task popup, which can be opened from the window menu. From this popup, the user can interactively tag the remote task as trusted. Only the main application window has this menu option. In addition, authorizing a domain address allows any application from that domain to run as a registered application. Please see the System Administration guide for more details.

5. Task Termination

The task container acts as a mini kernel for the task that runs the application. It decides what an application can or cannot do before directing its request to the kernel. The kernel may still deny the request or find it suspicious, which results in immediate termination of the task. The kernel is especially ruthless toward remote tasks.
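
The following is a minimal model of the rules in sections 2, 4 and 5, added here as an example; it is not NeuroKernel code, and every name in it (Origin, Task, launch, request, the example URL in the usage) is hypothetical. It assumes that any denied request terminates the task, as section 5 describes, and that the -trusted=true argument is ignored unless a registered application or the terminal passes it.

```python
from dataclasses import dataclass, field
from enum import Enum
from urllib.parse import urlparse

MAX_UNTRUSTED_WINDOWS = 10  # limit stated in section 2

class Origin(Enum):          # who is launching the task (hypothetical names)
    REGISTERED = "registered application"
    REMOTE = "unregistered remote application"
    TERMINAL = "user at the terminal"

@dataclass
class Task:
    url: str
    registered: bool = False
    trusted: bool = False
    windows: int = 0
    alive: bool = True
    log: list = field(default_factory=list)

def launch(url, args, launcher, authorized_domains, registry):
    """Classify a task at launch time following section 4."""
    host = urlparse(url).hostname or ""
    # An authorized domain runs its applications as registered ones.
    registered = url in registry or host in authorized_domains
    # The flag only counts when a registered app or the terminal passes it.
    flag_ok = "-trusted=true" in args and launcher in (Origin.REGISTERED, Origin.TERMINAL)
    return Task(url=url, registered=registered, trusted=registered or flag_ok)

def request(task, action):
    """Task-container check; a denied request terminates the task."""
    if not task.alive:
        return False
    denied = None
    if action == "open_window":
        if not task.trusted and task.windows >= MAX_UNTRUSTED_WINDOWS:
            denied = "window limit for untrusted remote tasks"
    elif action == "extend_protocol":
        # Trust does not lift this: the rule is about registration.
        if not task.registered:
            denied = "unregistered tasks cannot extend the system protocol"
    if denied:
        task.alive = False
        task.log.append(f"TERMINATED on {action}: {denied}")
        return False
    if action == "open_window":
        task.windows += 1
    task.log.append(f"ALLOWED {action}")
    return True
```

The model makes one distinction from the text explicit: trusting a task lifts the window limit, which applies to untrusted tasks, but not the protocol-extension restriction, which applies to unregistered ones.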