[cap-talk] What are caps good for? - minor confinement issue

Jed Donnelley jed at nersc.gov
Fri May 7 19:59:31 EDT 2004


At 07:07 AM 5/7/2004, Valerio Bellizzomi wrote:
>On 06/05/2004, at 18.07, Jed Donnelley wrote:
>...
> >Hmmm.  I'm not sure I agree with the above.  Word's macros are
> >notorious.  I am afraid to open any Word document that I receive
> >with Word.  I generally use Wordpad.  I have a colleague that will
> >only open Word documents in a VMWare virtual machine that
> >does not have persistent state.
>
>Doesn't that assume that the VMware virtual machine is *confined* from the
>rest of the system?

At the risk of beating a dead horse - generally what I find the effective
trust to be for POLA is to grant my agent the access to the limited
resources that I believe are needed for its work AND the right to further
share those resources for the purposes of subdividing the work it
needs to do (e.g. for further POLA restrictions of other agents).
I don't believe it is wise for me to try to decide what sort of help
my agent might need to perform its task.  It is for me to decide what
minimal set of rights my agent requires to do what I ask (POLA).

>When your colleague turns off the virtual machine all the state is
>destroyed. Isn't that equivalent to rescinding domain+spacebank in EROS?
>Though there would be some difference if you set up an internal network
>between the virtual machine and host system. In that case there would be an
>open channel which is not confined.

You are focusing on the confinement aspects of the issue which I
believe are insignificant.  The relevant issue I believe is restricting
the access of the agent to the resources it needs, regardless of any
communication it may feel it needs to accomplish its task (whether
it's well behaved or malicious).

> >>For a variety of legal reasons,
> >>Microsoft (and other software vendors) isn't going to plant Trojan
> >>horses in software on purpose. If one is found, they will correct it
> >>reasonably quickly, which tends to limit exposure.
> >
> >Perhaps not intentionally, but they are mostly driven to add features
> >like the Macro features above.  When these feature needs conflict
> >with security, generally the feature needs win.
> >
> >All this I see as part of an argument that suggests that every
> >program must be treated with the Principle Of Least Access.
> >If you find you must trust a program with a lot of access (e.g.
> >a user shell or GUI or parts of the underlying system) then it
> >behooves you to put a lot of attention into analyzing that code.
> >Such attention has a high cost and I believe will never be possible
> >with something like Microsoft Word.
>
>again, POLA = Principle Of Least Authority

I'm fine with that terminology, however I don't believe the distinction
is significant.  Would you like to initiate a side discussion on that
topic?

--Jed http://www.nersc.gov/~jed/ 
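The POLA pattern Jed describes above (grant the agent only the resources it needs, plus the right to subdivide that access among helpers, and rescind it when done) sketched as object capabilities in plain Python. This is an added example, not code from the cap-talk post, from EROS or from any project mentioned in the thread. The document viewer, the helper and the file facets are hypothetical names chosen for illustration; the sample document is constructed inline. One assumption to keep in mind: Python does not remove ambient authority (the agent could still call open() directly), so the block models the delegation and attenuation discipline rather than an enforced boundary, which is what a real capability system such as EROS provides.

```python
"""Added example (not from the cap-talk post): POLA via object capabilities.

A user grants an untrusted viewer only a read facet on one document and a
write facet on one output file. The viewer subdivides its work by handing an
attenuated facet to a helper; it can narrow what it holds but never widen it.
Revocation stands in for rescinding the agent's domain (or, in Valerio's
comparison, powering off a VM with no persistent state).

Assumption: Python keeps ambient authority (open, os), so this models the
discipline, not an enforced boundary.
"""
import os
import tempfile


class Revoked(Exception):
    """Raised when a facet is used after its grantor rescinded it."""


class ReadCap:
    """Read-only facet on one file. The path is private; nothing exposes it."""

    def __init__(self, path):
        self._path = path

    def read(self):
        with open(self._path, "rb") as f:
            return f.read()


class WriteCap:
    """Write-only facet on one file: the holder cannot read what it wrote."""

    def __init__(self, path):
        self._path = path

    def write(self, data):
        with open(self._path, "wb") as f:
            return f.write(data)


class PrefixReadCap:
    """Attenuated facet: exposes only the first `limit` bytes of a ReadCap."""

    def __init__(self, underlying, limit):
        self._underlying = underlying
        self._limit = limit

    def read(self):
        return self._underlying.read()[: self._limit]


def make_revocable(target):
    """Return (facet, revoke). The facet forwards attribute lookups to
    `target` until revoke() is called; afterwards every use raises Revoked."""
    box = {"target": target}

    class Facet:
        def __getattr__(self, name):
            if box["target"] is None:
                raise Revoked(name)
            return getattr(box["target"], name)

    def revoke():
        box["target"] = None

    return Facet(), revoke


def word_count_helper(doc):
    """Hypothetical sub-agent the viewer chooses to talk to. It receives only
    what the viewer passes (an attenuated read facet), never the output cap."""
    return len(doc.read().split())


def viewer_agent(doc, out):
    """Hypothetical untrusted viewer. It delegates part of its task, and the
    facet it delegates is narrower than the one it holds (attenuation)."""
    preview = PrefixReadCap(doc, 11)  # helper sees the first 11 bytes only
    n = word_count_helper(preview)
    out.write(b"words in preview: %d\n" % n)
    return n


def run_demo():
    """Grant, delegate, then rescind; returns the values worth checking."""
    with tempfile.TemporaryDirectory() as d:
        doc_path = os.path.join(d, "letter.docx")  # constructed sample input
        out_path = os.path.join(d, "render.txt")
        with open(doc_path, "wb") as f:
            f.write(b"hello world this is a constructed document")

        doc_facet, rescind_doc = make_revocable(ReadCap(doc_path))
        out_facet, rescind_out = make_revocable(WriteCap(out_path))

        words = viewer_agent(doc_facet, out_facet)
        with open(out_path, "rb") as f:
            rendered = f.read()

        # The user's analogue of powering off the VM: authority is gone.
        rescind_doc()
        rescind_out()
        try:
            doc_facet.read()
            usable = True
        except Revoked:
            usable = False
        return {
            "helper_words": words,
            "rendered": rendered,
            "usable_after_revoke": usable,
            # The helper's facet carries no write method at all.
            "helper_can_write": hasattr(PrefixReadCap(doc_facet, 1), "write"),
        }


if __name__ == "__main__":
    print(run_demo())
```

The point the post makes shows up in `viewer_agent`: whatever helper it decides to call, the only authority it can hand over is a subset of the two facets it was given, so the user never has to predict which helpers the agent will want. Rescinding the facets afterwards is what makes the grant temporary, independent of whether the agent and helper kept an open channel between them.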