[cap-talk] Polaris: Virus Safe Computing for Windows XP

David Wagner daw at cs.berkeley.edu
Mon Dec 6 16:33:52 EST 2004


Alan Karp writes:
>As easy as these escalation of privilege attacks may be, we haven't
>encountered them.

While I hear your point, I hope you realize just how weak this rejoinder
will sound to anyone in the security community.  This response misses
the point.  Of course you haven't seen such attacks, because virus writers
haven't needed to use them so far!  But if Polaris is widely deployed,
virus writers will suddenly have an incentive to start using shatter
attacks.  This means that any marketing success for Polaris may well
be self-defeating: it seems Polaris can only be successful at securing
users' desktops so long as it remains unsuccessful in the marketplace.
Not terribly satisfying.

In the security community we see excuses like this all the time ("yes,
my software had 100 buffer overruns, but I haven't received any reports
of exploits yet, so you don't have to worry"), and I don't think they
fool anyone.  The problem is that attackers can change their attack
strategy faster than software developers can respond and deploy fixes.
Consequently, relying on the ignorance or stupidity of attackers is
unwise; it basically amounts to "security through obscurity" (in the
most literal sense of the term -- i.e., that your system can at best
remain secure only so long as it is obscure and not widely used).

I have to say that this kind of reliance on "security through obscurity"
is a giant step back from what I understood to be the goals of the
capability community.  While I do think it is valuable to investigate
what is the best we can do given existing legacy systems, at the same
time I hope you and others won't completely give up your efforts to
build truly secure systems and do it right, even if it means you have
to give up on compatibility with legacy systems, legacy languages, or
legacy paradigms.  Frankly, I think one of the greatest strengths of the
capabilities community lies in its commitment to this goal, and I think
the community has made some very promising progress towards this end;
I'd hate to see that innovation come to a stop.  Consider this a note
of warm encouragement.
