[cap-talk] 'IX/Windows API problem for POLA? Polaris

Jed at Webstart donnelley1 at webstart.com
Thu Nov 17 20:24:35 EST 2005


At 02:19 PM 11/17/2005, Karp, Alan H wrote:
>Jed wrote:
> >
> > I hope my comments about Plash clarified what I meant when I
> > suggested that mechanisms like Plash and Polaris "fight" the native
> > access control mechanisms.  Specifically they are not integrated into
> > the UID owner,group,other and rwxs sorts of access control.  They are
> > separated from it, thankfully.  The native access controls are
> > ambient authority and the Polaris/Plash access controls are fine
> > grained and suitable for "less authority."  They are also not
> > permanent in surviving across system restarts (I know for Plash - I'm
> > not so sure for Polaris).
>
>Polaris works by launching the application in a restricted user account
>then adding the authorities to the file the user has designated.  It
>makes full use of "UID owner,group,other and rwxs sorts of access
>control."  That means the application is still working with ambient
>authorities and is still subject to confused deputy.  It's just that the
>set of authorities is so small that the ambient set is close to what you
>want anyway, and there's little to be confused about.

I see.  Thanks for the clarification.  I'm surprised I didn't get at 
least that out of the Polaris reading I did, though perhaps I did and 
just forgot.

>Polaris is very definitely NOT a capability system.

Right.  From my perspective that is because there is no communicable 
unit of permission - e.g. as there is with Plash where Unix open file 
descriptors are used to communicate permissions.

> > Let me ask you Alan what I asked about Plash.  Do you see any path
> > toward the kind of growth needed for relevancy for Polaris?  Given
> > its state as an HP product (I assume) it seems to me even more
> > difficult for it to transition to a relevant growth curve.
> > How do you see it?
>
>We are in the business development process now.  Actually, we're in it
>again.  I had built up a set of contacts interested in pursuing
>productizing Polaris.  They all took the latest early retirement
>package.  I've had to start over, but I'm beginning to make progress.
>If I succeed, there's a chance there will be a polarized browser on
>every consumer PC HP ships and that many of our enterprise machines
>would have that and more apps polarized.  That should meet your
>definition of a "relevant growth curve."

Hmmm.  It isn't the sort of relevant growth curve that I'm familiar 
with in terms of a ground swell of interest/use.  I guess it would 
depend on what happened once it was out there on all those 
systems.  If people used it and began to clamor for such a facility 
on all their systems, then that would definitely be 'relevant 
growth.'  Unfortunately only 'polarizing' a browser and possibly a 
few apps would seem to make that somewhat difficult.  As soon as the 
next browser update comes out (still a pretty volatile area I would 
say), they might end up leaving their polarized browser 
behind.  Naturally it would be vital to be able to support all the 
plugins and such that people need in their browsers.  Having a 
browser safe from Trojan horses in the form of such plugins is of 
course an important added value, but it would have to work for people 
'in the field.'

One other concern I have about Polaris is that it's not open 
source.  There doesn't seem to be much to do about that.

>Unfortunately, although Polaris supports POLA, where L is "Less" not 
>"Least", it isn't capabilities.

As with Toby, I'm quite willing to walk before I run.  I just want to 
see some paths to real sustainable progress in the POLA area - even 
Less instead of Least.

Good luck with your efforts to get Polaris distributed Alan!

--Jed http://www.webstart.com/jed/ 
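The distinction drawn in the thread (Polaris leaving the application with the user's ambient authorities, Plash handing over an open Unix file descriptor as a communicable unit of permission) is easy to see in a few lines of Python. This is an added example, not code from this post or from the Plash or Polaris projects. It assumes a POSIX system, uses only the standard library, and constructs its own sample file. The helper receives nothing but a descriptor number and the identity of the file it should hold; with `pass_fds` the descriptor is inherited and the helper can read the file without ever knowing a path, and without it `close_fds` drops the descriptor, so the same number refers to nothing in the helper. Plash additionally runs the helper with no path-based file access at all, so that the descriptor is its only route to the file; that confinement needs privileges and is not reproduced here, the helper still runs as the same user.

```python
"""Communicating file authority as an inherited descriptor.

Added example (not Plash or Polaris code).  The parent opens a file and
starts a helper that is given only the descriptor number plus the file's
(device, inode) identity so it can check what it actually holds.
"""
import os
import subprocess
import sys
import tempfile

# Helper program, run with `python -c`.  argv: descriptor number, st_dev,
# st_ino.  It never receives a path.  It reports the file contents if the
# descriptor it holds is the intended file, and NO-AUTHORITY otherwise
# (closed descriptor, or a number that refers to something else).
HELPER = r"""
import os, sys
fd, want_dev, want_ino = (int(a) for a in sys.argv[1:4])
try:
    st = os.fstat(fd)                     # EBADF if nothing was passed
    if (st.st_dev, st.st_ino) != (want_dev, want_ino):
        raise OSError("descriptor refers to a different object")
    sys.stdout.write(os.read(fd, 4096).decode())
except OSError:
    sys.stdout.write("NO-AUTHORITY")
"""


def run_helper(path: str, inherit: bool) -> str:
    """Open *path* read-only in the parent and run the helper.

    inherit=True  -> the descriptor is passed (pass_fds); the helper can
                     read the file although it was never told a path.
    inherit=False -> close_fds (the default) drops every descriptor above
                     stderr, so no authority reaches the helper.
    """
    fd = os.open(path, os.O_RDONLY)
    try:
        st = os.fstat(fd)
        result = subprocess.run(
            [sys.executable, "-c", HELPER,
             str(fd), str(st.st_dev), str(st.st_ino)],
            pass_fds=(fd,) if inherit else (),
            capture_output=True, text=True, check=True,
        )
    finally:
        os.close(fd)
    return result.stdout


def demo() -> dict:
    """Run both variants against a constructed sample file."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "granted.txt")
        with open(path, "w") as f:
            f.write("constructed sample content")   # constructed data
        return {
            "inherited": run_helper(path, inherit=True),
            "dropped": run_helper(path, inherit=False),
        }


if __name__ == "__main__":
    for name, out in demo().items():
        print(f"{name:9s}: {out}")
```

The descriptor check in the helper matters for the negative case: after `close_fds` the interpreter in the child may reuse the same small descriptor number for its own files, so comparing `(st_dev, st_ino)` rather than only catching `EBADF` makes "the helper did not get the authority" unambiguous.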


