[cap-talk] Polaris: Virus Safe Computing for Windows XP
Jed at Webstart
donnelley1 at webstart.com
Fri Dec 3 21:18:00 EST 2004
At 02:29 PM 12/3/2004, Karp, Alan H wrote:
>OK, you can stop laughing now. It really works. You can read about it
>Jed Donnelley in particular might be interested in Polaris as a
>demonstration of the value of POLA that has nothing to do with
I read the above paper with pleasure. As I often do I'd like to write here some notes I made while reading the paper. As usual, while I'm very positive about the paper and its thrust, I will of course focus on areas where it seems to me perhaps improvements can be made:
1. Pg. 4 at the top: "It often makes sense to have more than one pet for a given application. For example, a user might have one browser pet for the Intranet, another one for the Internet, and a third one for reading files from disk."

Isn't there a loss of the ability to combine designation with authorization implied by the above? Namely, when a URL is selected in a browser it's an act of designation, but the browser is authorized to access the whole Internet. Wouldn't it be better (POLA) if that act of designation would be accompanied by authorization to do the needed
2. Pg. 4 - Figure 4. Sorry, but I don't see the visual clue about polarization that is the main point of Figure 4. I see some color and window management differences, but what is it that tells me the window is polarized? Is it something about the title bar? I don't see it. Perhaps it should be pointed out in the text?
3. Page 5 at the bottom, the permission/authority discussion including the
I believe I understand the distinction being made. However, despite that
there at the bottom of page 5 doesn't make sense to me. Specifically:

"As implemented, the restricted user account has the authority to effect changes to the original file, but it never gets permission."

Huh? If authority is in some sense the transitive closure of available permissions (i.e. not just the permissions, but all the rights that can be obtained with those base permissions - my reading of the sidebar and from previous discussions on this list), then if the account has the authority and the process is running under the account, can't the process get the needed permission by exercising its existing permissions to achieve the authority to change the original file? Isn't that essentially by definition of what it means to have the authority to change the original file?
* Finally I'd like to say something about Alan's comment that Polaris demonstrates that "POLA has nothing to do with capabilities". Unfortunately I have to leave right now, so I have to make this short. Perhaps this is again a matter of definition of "capability". In the general form that I use in the Managing Domains paper:

"For our discussion it will be convenient to have a single term to denote resource access. We will use the term capability [DeV66-3, Eng72-10, Fab74-11, Lan75-17, LaS76-18, Wul74-28]. We say that a process has a capability to a resource if it has been authorized access to the resource. A capability is thus a key that can unlock access to a resource. We define the domain of a process to be the set of capabilities that it possesses."

Perhaps to map to the terms of the Polaris paper I should say that a process has a capability to a resource if it has *permission* to access the resource. In that sense I would say that enforcement of POLA in Polaris has everything to do with capabilities. It is exactly the management of "capabilities" to enforce POLA that seems to be the focus of Polaris. Perhaps not classic partitioned system, descriptor based capabilities, but I would say 'capabilities' nonetheless.
PS. For anybody who might have been waiting for me to pick up the threads of the membrane attack thread and capabilities as data OS straw man thread and respond, I've found I need to do some rather deeper thinking about those topics - in addition to the common holiday timesharing that happens this time of year. I'm not sure quite how to pick up those topics, but I still
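[Added example, not part of the post above nor code from the Polaris project. It is a toy model of two points raised in the message: the "permission vs. authority" distinction in item 3, read as Jed reads it, with authority being the transitive closure of what a principal can reach by exercising its permissions, including through an agent that acts on its behalf; and the "designation carries authorization" idea in item 1, where selecting a URL yields a capability scoped to that resource rather than relying on a blanket Internet permission. The principals, resources and the notion of a sync agent that writes a pet's edits back to the original file are constructed for the illustration, not taken from the paper.]

```python
"""Toy model (constructed example): permission vs. authority, and designation
that carries its own authorization. Nothing here is Polaris code."""
from typing import Dict, List, Set, Tuple
from urllib.parse import urlsplit

# A right is (resource, operation), e.g. ("original.doc", "write").
Right = Tuple[str, str]

# Direct permissions each principal holds.  Constructed sample data:
# the restricted pet only ever touches a copy; a separate sync agent
# holds write permission on the original.  A blanket ("*", "connect")
# permission stands in for "may reach the whole Internet".
PERMISSIONS: Dict[str, Set[Right]] = {
    "restricted_pet": {("copy.doc", "read"), ("copy.doc", "write")},
    "sync_agent": {("copy.doc", "read"), ("original.doc", "write")},
    "user": {("original.doc", "read"), ("original.doc", "write")},
    "browser_internet_pet": {("*", "connect")},
}

# Principals that act on behalf of others: agent -> principals it serves.
# Assumption for the model: the sync agent propagates the pet's edits to
# the original, so it exercises its own permission for the pet.
ACTS_FOR: Dict[str, Set[str]] = {
    "sync_agent": {"restricted_pet"},
}


def permissions(principal: str) -> Set[Right]:
    """Rights the principal holds directly (what the OS would check)."""
    return set(PERMISSIONS.get(principal, set()))


def authority(principal: str) -> Set[Right]:
    """Transitive closure: every right reachable by exercising permissions,
    including rights an agent exercises for `principal`.  This is the
    reading of 'authority' in item 3 of the post, made explicit."""
    reached: Set[Right] = set()
    seen: Set[str] = set()
    frontier: List[str] = [principal]
    while frontier:
        p = frontier.pop()
        if p in seen:
            continue
        seen.add(p)
        reached |= permissions(p)
        for agent, served in ACTS_FOR.items():
            if p in served and agent not in seen:
                frontier.append(agent)
    return reached


def authority_without_permission(principal: str) -> Set[Right]:
    """Rights in the principal's authority that are not in its permissions:
    exactly the gap the quoted sentence in item 3 describes."""
    return authority(principal) - permissions(principal)


class Capability:
    """A token that both designates a host and authorizes connecting to it."""

    def __init__(self, host: str) -> None:
        self.host = host


def designate(url: str) -> Capability:
    """Selecting a URL is an act of designation; here that act hands back a
    capability scoped to the designated host only (item 1's suggestion)."""
    return Capability(urlsplit(url).netloc)


def fetch(cap: Capability, url: str) -> bool:
    """POLA-style network access: allowed only if the capability covers url."""
    return urlsplit(url).netloc == cap.host


def ambient_fetch(pet: str, url: str) -> bool:
    """The contrasting design: a pet with a blanket connect permission may
    reach any URL, regardless of what the user actually designated."""
    return ("*", "connect") in permissions(pet)


if __name__ == "__main__":
    print("permissions:", sorted(permissions("restricted_pet")))
    print("authority:  ", sorted(authority("restricted_pet")))
    cap = designate("http://a.example/page")
    print(fetch(cap, "http://a.example/other"), fetch(cap, "http://b.example/"))
    print(ambient_fetch("browser_internet_pet", "http://b.example/"))
```

Run as a script it prints the restricted pet's permissions (copy only) next to its authority (which includes writing the original via the sync agent), then shows that a designation-derived capability reaches the designated host and nothing else, while the blanket-permission pet reaches everything. The model deliberately says nothing about how a real OS would make such a token unforgeable; it only makes the two vocabularies in the post concrete enough to compare.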