[cap-talk] Polaris: Virus Safe Computing for Windows XP

David Wagner daw at cs.berkeley.edu
Mon Dec 6 18:47:19 EST 2004


Alan Karp writes:
>Nevertheless, there's nothing else out there that deals with the next
>Love Letter.

Can you explain the basis behind that claim?  We have virus scanners.
We have intrusion detection systems, both signature-based and anomaly
detection.  We have sandboxing systems.  (In the commercial world, you'll
sometimes hear the term "behavior blocking".)  There is a huge amount
of prior work on those approaches, all intended to try to stop the next
Love Letter.  I could believe that Polaris offers improvements over those
prior approaches and that Polaris develops some of these ideas further
than anyone else has, but as far as I can see, it's not like Polaris is the
first system that tries to deal with this problem.  What am I missing?

>In fact, our original name for the mechanism was "ACL abuse".

Cute. :-)  I like it.

>No one mechanism can block all attacks.  Polaris, even as it stands,
>blocks a certain class of attacks.  The Polaris follow-on will block
>more, but no version of Polaris will block all possible attacks.  We do
>the best we can.  After all, firewalls don't make us perfectly safe, but
>no one advocates abandoning them.

Well, I'm only partially on board with this point of view.  There are
two different ways to think about this.  One way is to say that no scheme
prevents all attacks.  I don't like this way very much.  Rather, I like
to say that no scheme enforces all security properties you might like.
But there are some schemes that pick a single security property and try
to stop all attacks that might violate that property.  Those are the
kind of schemes I think we should strive for: schemes that are able to
provide some clearly stated guarantee.  The security warranty might not
cover everything we want to enforce -- it might not promise everything
we'd like -- but at least we should have great confidence that it will
deliver on its promises.  (But schemes that say "I guarantee X, so long
as the attacker doesn't mount a shatter attack" are much less satisfying.)

Sometimes we can't get what we want.  Sometimes no one knows how to build
a satisfying defense that will defend against all attacks, and we're
stuck with an arms race, "security through obscurity", or unprincipled
but temporarily effective security measures.  But I claim we should keep
in mind the real goal, even if we're not always able to attain it.
