[cap-talk] Polaris: Virus Safe Computing for Windows XP

Karp, Alan H alan.karp at hp.com
Fri Dec 10 12:52:32 EST 2004


Jed Donnelley wrote:
> 
> "E.g. I'm running two instances
> of Notepad?  Nominal Windows behavior is last
> write wins (just tested).  It would seem that under
> Polaris that behavior would change to last exit wins."
> 
The synchronizer updates the file as soon as it detects a change to the
copy.  Since the detection is not instantaneous, there's a chance of
updates occuring in the wrong order, but I don't think it's a problem in
practice.  Indeed, most applications won't open a file for write if it's
already open for write.  Polaris is supposed to mimic this behavior, but
I just tested it, and it doesn't work.  I'll have to file a bug report.
> 
> "By properly distinguishing authority from permission, 
> Polaris doesn't 
> leave any
> dangling permissions to be cleaned up later."
> 
> from the Polaris paper.  Perhaps it was just that wording that
> was bothering me, sounding like an overly broad claim.  Of course
> Polaris is granting what amounts to revokable (indirect)
> rights.  From the viewpoint of the Windows application
> running "RunAs", it has permission to access "the" file.
> 
Correct, but from the viewpoint of the ACL no such permission exists.
There's a real difference in this case.  If we modified the ACL to give
the pet read permission to the file, that permission would survive a
reboot until Polaris did some cleanup.  Using the synchronizer means
that the ability of the pet to modify the file does not survive a
reboot.  Whatever you call these two cases, that's a useful feature.  
> 
> In fact, now that I've focused on this point so much
> (sorry to others if I seem to be beating a dead horse),
> it occurs to me to wonder why this indirection is
> needed at all.  Doesn't the importance of that
> indirection for Polaris result exactly from the fact
> that it uses RunAs (CreateProcessWithLogon)
> as its restricted execution environment?
> 
Not specifically.  If I logged into a pet account and launced Excel
directly, there's be no RunAs involved.  As long as the PowerBox running
as a system service recognized this process as running in a pet, opening
a file would work the same as described in the paper.  (Well, at least
it should, but we don't have the PowerBox running as a service today.)
The critical point is that the process running the application only has
access to files outside its installation endowment via the PowerBox.
> 
> On the other hand with the sort of mechanism I
> described in:
> 
> http://www.eros-os.org/pipermail/cap-talk/2004-December/002603.html
> 
A much better solution, but one that is far beyond our abilities on
Windows.  We originally planned to do something along these lines on
Linux.  Given the resources, we might still.
 
________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
https://ecardfile.com/id/Alan_Karp
http://www.hpl.hp.com/personal/Alan_Karp


-------------- next part --------------
A non-text attachment was scrubbed...
Name: Karp, Alan H.vcf
Type: text/x-vcard
Size: 433 bytes
Desc: Karp, Alan H.vcf
Url : http://www.eros-os.org/pipermail/cap-talk/attachments/20041210/e89b691f/KarpAlanH.vcf


More information about the cap-talk mailing list