[cap-talk] 'IX/Windows API problem for POLA? Polaris

Jed at Webstart donnelley1 at webstart.com
Fri Nov 18 20:52:58 EST 2005


At 05:16 PM 11/18/2005, Karp, Alan H wrote:
> > -----Original Message-----
>...
> > At 08:42 AM 11/18/2005, Karp, Alan H wrote:
> > >Jed wrote:
>...
> > That sounds good.  Then with regard to plugins?  If I add, say,
> > a flash plugin to my browser, how does that addition work in
> > a POLA manner?
>
>The plugin runs with the permissions assigned to the browser account.
>You install the plugin using the unpolarized browser because that's
>where you have the needed permissions.  When you start the unpolarized
>browser, the plugin is ready to use.  All this happens automatically
>because we don't touch the executable; we just change the way it's
>launched.

Hmmm.  I'm a bit lost in the above.  Perhaps if this is too detailed for
the list you can respond privately.  I'll keep it here and leave that up to
you Alan.

You say that "you install the plugin using the unpolarized browser
because that's where you have the needed permissions.  When you start
the unpolarized browser, the plugin is ready to use."

I can understand that much of course, but presumably when I start the
unpolarized browser with the plugin it is also not safe from Trojan horses,
esp. the plugin being a Trojan horse.  What I don't see is how I get the
potentially unsafe plugin to run in the polarized browser with the permissions
it needs.

> > >The reason for polarizing just the browser on consumer machines is to
> > >reduce the support costs.  Since most of the bad stuff gets
> > >onto those machines through the browser,
> >
> > through plugins and such as above?
>
>Mostly through ActiveX controls.

Hmmm.  Perhaps that's an area where I don't know enough to ask
the right questions.  I haven't used IE for some time and I don't really
know what the issues are with ActiveX.  Presumably Polaris can
"polarize" other browsers such as Firefox?

> > >this approach gives the most protection
> > >for the least risk of unexpected behavior.  I did an experiment
> > >here at Labs with a very early version of Polaris.  The only
> > >service calls I got were related to usability glitches that have
> > >since been fixed except for one IE bug that shows up under Polaris.
> >
> > Of course one other area where "bad stuff" gets onto systems is when
> > people pick up executables from who knows where (e.g. email
> > attachments, software from Web site X, etc.) and run them.  Does
> > Polaris provide help in that area - e.g. with a default minimal
> > permission set (e.g. muxed keyboard and a window) and then bringing
> > up a "powerbox" for any other access?
>
>Unfortunately, there's no way for us to get into the double-click path
>for certain file extensions, such as .exe and .cmd.  That means that the
>program will run with your full authority if you double click.  However,
>if you change the file extension to .boxed, when you double click, the
>program will run in a restricted user environment.  The Alpha release
>even has a way to automatically add the extension when saving an email
>attachment.

That seems pretty reasonable to me.  It would seem to fall into the walk
before you run category.

However, just for my curiosity, what authorities are given to a .boxed
application?  For example, are such applications automatically given
read/execute access to shared libraries?  Do you (or does anybody)
have any experience running random applications so "boxed" and seeing
how much trouble one might run into having to "powerbox" needed
access to things like config libraries, fonts, etc., etc. before you get
to the meat of what the application really needs to access?

If that much is clean then I would say you've got quite a valuable
facility there.  Heck, I'd like to use it.  I could get back into the business
of running some of those executables that people used to send me before the
Trojan business got out of control.

--Jed http://www.webstart.com/jed/ 
