A proposal

I know that "anti-executable" is far from perfect, but seriously, this is 2014. Denying a binary access to a bunch of system calls is the sort of thing that an OS should be able to do, on its own, selectively, without any third-party rubbish.

 

Not exactly the same but some OSes do have this setting.

 

They do, but not the way you think. Your screenshot there is just a setting in Nautilus, it's purely in userspace, and it only applies to scripts, not binaries. It's not kernel level interception of system calls.

AppArmor and other path-based MAC systems can definitely do this - all you have to do is blanket deny a program exec permission on everything it has access to, and it won't be able to execute binaries. SMACK and SELinux should be able to do it too, though perhaps less easily... Using mandatory access control this way is a bit like using the CD player tray as a cupholder though.

What I'm getting at is, this stuff should be the province of the OS itself, not third-party software. AFAIK Windows NT is the only multiuser OS ever to rely so much on third-party drivers for security.

 

That's because Windows is still based on default-permit where anything can run anything else. They chose to make it simple for those who know nothing about computers, consequences be damned. Just wait until automotive electronics become more like PCs or smartphones. If they use the same default-permit policies, someone could design malware that could physically steal the car.

 

I'm glad we have 3rd party protection etc. I wouldn't trust MS to do it all !