[cap-talk] Polaris: Virus Safe Computing for Windows XP
dmercer at email.Arizona.EDU
Thu Dec 9 15:15:57 EST 2004
On Wed, 8 Dec 2004, Jed at Webstart wrote:
> At 06:52 PM 12/8/2004, David Mercer wrote:
> >On Wed, 8 Dec 2004, Jed at Webstart wrote:
> > > At 11:29 AM 12/8/2004, David Mercer wrote:
> >Windows ITSELF needs to be run in a restricted execution environment, the
> >design of is such that the OS instance itself is the practical atomic unit
> >of security. Seems to me that that means you'd have to replace much more
> >than just the shell and suchnot as Alan is talking about for the next
> >version of Polaris.
> If something trusted interprets all traps, then you are as safe as that
> something trusted.
Yes, my point was that if that something trusted (Polaris or similar) runs
on Windows itself, it'd have to be quite an altered Windows!
> >I don't see how you can have Windows itself running on the bare metal in
> >any way, at least not any currently extant version. Some virtual machine
> >technologies use read-only pages for the kernel itself, and have pre-cached
> >'dormant' vm's waiting in the wings, much as modern web servers have
> >pre-started processes waiting for requests. IBM have such on their big iron.
> While it may be difficult to have Windows running on the base hardware,
> if it provides an adequate restricted execution environment (and I argue
> that doing so itself is quite simple) then secure protected environments
> can be built on top of that. I believe that any OS worth its salt should
> make such a simple and complete restricted execution environment
> >With that type of vm system in use, one could perhaps make the user
> >interaction time and storage/ram costs of using a fresh, virgin vm for
> >each process or application started by a user. But I don't really think
> >that the outer layer of such a system that started all the Windows virtual
> >machines would do well to be hosted on Windows itself.
> (e.g. with only access to capabilities explicitly granted to it)
> then the problem is solved with regard to safety. Of course that
> still leaves the minor problem of emulating Windows on top of
> a safe capability computing (and POLA enforcing) environment :-)
That 'minor problem' is what I've been referring to!
> >Unless perhaps it was a very, very stripped version of Windows, booting
> >from some kind of read only media, and using something like CapDesk as the
> >only app running on the actual hardware.
> We don't seem to agree on this point. Perhaps you can respond to what
> I've written above and we can continue the discussion.
Actually I think we do. I'm just doubting that that base level
environment can, in practice, be Windows itself.
dmercer at U.Arizona.EDU