[cap-talk] RE: user interface issues - OS security discussion, restricted access processes, etc.

marcs marcs at skyhunter.com
Thu Apr 29 22:25:20 EDT 2004


> >Hey, you want to work with legacy, you get to work with passwords :-)
> 
> This is certainly a minor point, but I wonder just what sort 
> of password one runs into when following up such a 
> "getParent" trail.  Certainly not a user password?  I'm 
> unaware of any such password.

In a capability-oriented gui api, there is no password, because there is no
getParent method. In a non-capability api, there is no password, because
there is no security :-) 

> 
> >One of
> >the more entertaining things we encountered building the 
> DarpaBrowser 
> >(a capability confining web browser that would work okay even in the 
> >presence of a malicious renderer)
> 
> That sounds like a useful effort.  Web browsers certainly 
> seem likely to continue to play a significant role in our 
> future.  However, is the renderer the most significant 
> concern in Web browsers?

The renderer should not be the most significant concern. Ironically, in
today's world, the IE renderer, which is embedded in Outlook, is one of the
premier cracker tools. But that is not really why we worked with the
renderer. The DarpaBrowser worked with a malicious renderer simply to
demonstrate that you can do some pretty remarkable forms of confinement
using capabilities. Having said that, the typical Netscape plugin and
ActiveX control is a rendering engine for a data type that the browser does
not support natively. So most such plugins would work well in the regime
constructed in the DarpaBrowser.

I see that markm has answered these questions, at least as well as I would
have, so I now defer to his answers :-)

--marcs


