[cap-talk] Polaris: Virus Safe Computing for Windows XP

David Mercer dmercer at email.Arizona.EDU
Thu Dec 9 15:15:57 EST 2004


On Wed, 8 Dec 2004, Jed at Webstart wrote:
> At 06:52 PM 12/8/2004, David Mercer wrote:
> >On Wed, 8 Dec 2004, Jed at Webstart wrote:
> > > At 11:29 AM 12/8/2004, David Mercer wrote:
>
> >Windows ITSELF needs to be run in a restricted execution environment, the
> >design of which is such that the OS instance itself is the practical atomic unit
> >of security.  Seems to me that that means you'd have to replace much more
> >than just the shell and suchnot as Alan is talking about for the next
> >version of Polaris.
>
> If something trusted interprets all traps, then you are as safe as that
> something trusted.

Yes, my point was that if that something trusted (Polaris or similar) ran
on Windows itself, it'd have to be quite an altered Windows!

> >I don't see how you can have Windows itself running on the bare metal in
> >any way, at least not any currently extant version.  Some virtual machine
> >technologies use read-only pages for the kernel itself, and have pre-cached
> >'dormant' vm's waiting in the wings, much as modern web servers have
> >pre-started processes waiting for requests.  IBM have such on their big iron.
>
> While it may be difficult to have Windows running on the base hardware,
> if it provides an adequate restricted execution environment (and I argue
> that doing so itself is quite simple) then secure protected environments
> can be built on top of that.  I believe that any OS worth its salt should
> make such a simple and complete restricted execution environment
> available.
>
> >With that type of vm system in use, one could perhaps make the user
> >interaction time and storage/ram costs of using a fresh, virgin vm for
> >each process or application started by a user.  But I don't really think
> >that the outer layer of such a system that started all the Windows virtual
> >machines would do well to be hosted on Windows itself.
>
> (e.g. with only access to capabilities explicitly granted to it)
> then the problem is solved with regard to safety.  Of course that
> still leaves the minor problem of emulating Windows on top of
> a safe capability computing (and POLA enforcing) environment :-)

That 'minor problem' is what I've been referring to!

> >Unless perhaps it was a very, very stripped version of Windows, booting
> >from some kind of read only media, and using something like CapDesk as the
> >only app running on the actual hardware.
>
> We don't seem to agree on this point.  Perhaps you can respond to what
> I've written above and we can continue the discussion.

Actually I think we do.  I'm just doubting that that base level
environment can, in practice, be Windows itself.


----------------------
David Mercer
dmercer at U.Arizona.EDU
http://www.u.arizona.edu/~dmercer
