[cap-talk] Re: "capabilities" as data vs. as
descriptors -OS security discussion, restricted access processes, etc.
jed at nersc.gov
Fri May 7 22:19:52 EDT 2004
At 08:15 AM 5/7/2004, Valerio Bellizzomi wrote:
>On 06/05/2004, at 12.23, Jed Donnelley wrote:
> >>First, the notion of a single TCB is flawed. MarkM and I have long since
> >>stopped using this term in this way. There does exist in any given
> >>system a "universal TCB" (the set of stuff on which all programs
> >>depend), but this TCB is rarely the one we care about.
> >Agreed. I was interpreting the term relatively. That is, from the point
> >of me as a process my code is my "TCB".
> >>TCB is something that should be defined from an application perspective.
> >>It consists of the set of stuff on which that application depends.
> >Sounds like the above?
>Other dependencies must be taken also into account, like the libraries that
>come with the system, or from third party, especially if the software is
>not statically linked, it may depend on some library that could be replaced
>by an attacker. Modular software can load libraries on the fly...
If that happens the application is Trojaned. Anything that it has been trusted
with is subject to harm. The only protection, I believe, is to see that it is
trusted with as little as possible, POLA.
More information about the cap-talk