[cap-talk] What are caps good for? "Encapsulation"? POLA
vs. confinement - meaty, vulnerable, blue sky
marcs
marcs at skyhunter.com
Thu May 13 12:47:28 EDT 2004
> On Wed, 2004-05-12 at 22:58, Jed Donnelley wrote:
> > If I'm a Web browser that interprets URLs and plays the
> > http protocol to fetch contents, what capabilities do I have
> > that keeps me from sending messages anywhere on the Internet?
>
> In general there isn't a wholly good answer to this, but the
> best answer I know about is:
>
> You have a capability that grants the right to establish
> connections. The implementor may filter on the basis of
> destination.
>
> However, your question makes an embedded bad assumption: that
> the browser is a monolith. There are two other options:
>
> 1. Divide the browser into the browser shell (which initiates
> requests and must be trusted) and the visualizer (which is
> untrusted). There is a narrow, carefully checked communication
> channel by which the visualizer requests a new URL load.
>
> 2. Implement URL load by a tiny piece of code that accepts a
> URL and returns a page.
Jed, we can demonstrate these things to you with the DarpaBrowser down at HP
while we're demoing other things as well :-) As Jonathan points out, you can
separate the browser into parts such that the big complicated pieces, like
the rendering engine, can't go anywhere. In the DarpaBrowser, the relatively
small piece of window-frame driving code parses the html for links and gives
the renderer a list of locations the renderer can request to go to.

At the application level, under CapDesk (where DarpaBrowser runs), one can
install different DarpaBrowser "pets", each of which has a different set of
capability endowments. A couple of examples of how we have used this: while
it is a great power to be able to communicate to the whole web, and it is a
great power to have read-only access to your whole desktop, combined these
two great powers are a superpower that allows the holder of both
capabilities to steal all your docs and send them to anyone. You could (and
I have, at times) create 2 browser pets, one with file: authority, and one
with http: authority. So one browser can jump easily all over the desktop,
and the other can jump all over the web. But neither has the superpower.

Similarly, you could have one pet endowed with the power to go to your
financial institution domains, and one with the power to go everywhere else
(this is not implemented in DarpaBrowser, but it is a straightforward
extension). A malicious browser would have trouble stealing your bank
password, since the pet that has the data can't talk to the browser
developer's home site (note, this is hard but not impossible, covert
channels again).

I have thought about the possibility of enabling the user to specify, for a
given application, that "no 2 pets for the same app are allowed to run at
the same time" to shut off the obvious covert channels, but it hasn't been
clear that this is a worthwhile idea, so I haven't pursued it.
--marcs
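The two ideas in the post above (a trusted shell that hands the untrusted renderer only a list of links, and separate "pets" endowed with file:, bank-only http:, or everything-else http: authority) as a small object-capability model. This is an added illustration in Python, not DarpaBrowser or CapDesk code (those are written in E); the host names, pages, files, `HttpCap`/`FileCap`/`LinkMenu`/`BrowserPet` classes and the `fake_fetch` network stand-in are all constructed for the example.

```python
"""Toy object-capability model of the split browser and per-pet endowments
discussed in the post. Added illustration, not DarpaBrowser/CapDesk code.
All host names, pages and files are constructed for the example."""
import re
from urllib.parse import urlparse


class AuthorityError(Exception):
    """Raised when a pet or capability is asked for something it was not endowed with."""


class HttpCap:
    """The right to establish http connections; the holder of the underlying
    network primitive may filter on destination host (the `permit` predicate)."""
    def __init__(self, fetch, permit):
        self._fetch = fetch      # assumed network primitive: url -> page text
        self._permit = permit    # hostname -> bool

    def get(self, url):
        u = urlparse(url)
        if u.scheme not in ("http", "https") or not self._permit(u.hostname):
            raise AuthorityError(f"http: authority does not cover {url}")
        return self._fetch(url)


class FileCap:
    """Read-only authority over a fixed set of desktop files (path -> contents)."""
    def __init__(self, files):
        self._files = dict(files)

    def get(self, url):
        u = urlparse(url)
        if u.scheme != "file" or u.path not in self._files:
            raise AuthorityError(f"file: authority does not cover {url}")
        return self._files[u.path]


LINK_RE = re.compile(r'href="([^"]+)"')   # deliberately naive link extractor


class LinkMenu:
    """The only object the untrusted renderer receives: the links the shell
    parsed out of the page, and a way to ask for one of them by index.
    No URL string ever crosses from renderer to shell."""
    def __init__(self, links, load):
        self._links = tuple(links)
        self._load = load

    def links(self):
        return self._links

    def follow(self, index):
        return self._load(self._links[index])   # IndexError if out of range


class BrowserPet:
    """Trusted window-frame code: holds the endowments (scheme -> capability),
    does the load, parses links, and hands the renderer a LinkMenu only."""
    def __init__(self, endowments):
        self._endow = dict(endowments)

    def load(self, url):
        scheme = urlparse(url).scheme
        cap = self._endow.get(scheme)
        if cap is None:
            raise AuthorityError(f"pet has no {scheme}: authority")
        page = cap.get(url)
        return page, LinkMenu(LINK_RE.findall(page), self.load)


# Constructed sample "web" and "desktop".
WEB = {
    "http://bank.test/login": '<a href="http://bank.test/accounts">accounts</a>',
    "http://bank.test/accounts": "balance: 42",
    "http://news.test/": '<a href="http://bank.test/login">bank</a>'
                         '<a href="http://evil.test/x">x</a>',
    "http://evil.test/x": "exfil endpoint",
}
FILES = {
    "/home/u/secret.txt": '<a href="file:///home/u/notes.txt">notes</a>',
    "/home/u/notes.txt": "notes",
}
BANK_HOSTS = {"bank.test"}


def fake_fetch(url):
    return WEB[url]


def make_pets():
    """Three pets with disjoint endowments: desktop-only, bank-only, everywhere-else."""
    file_pet = BrowserPet({"file": FileCap(FILES)})
    bank_pet = BrowserPet({"http": HttpCap(fake_fetch, lambda h: h in BANK_HOSTS)})
    web_pet = BrowserPet({"http": HttpCap(fake_fetch, lambda h: h not in BANK_HOSTS)})
    return file_pet, bank_pet, web_pet


def denied(pet, url):
    """True if `pet` refuses to load `url` for lack of authority."""
    try:
        pet.load(url)
        return False
    except AuthorityError:
        return True


def exfiltrate(menu, host):
    """A malicious renderer holding only `menu`: the most it can do is follow
    listed links, so it returns the pages it reached on `host` (often none)."""
    return [menu.follow(i)[0] for i, link in enumerate(menu.links())
            if urlparse(link).hostname == host]
```

The renderer never sees a capability to connect; it sees a `LinkMenu` whose entries the shell chose. Which hosts that menu can ever lead to is fixed by the pet's endowment, so a renderer running in the bank pet cannot reach the developer's site however hostile it is, and the file pet has no http: entry at all.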