[cap-talk] Windows Vista: security by admonition

David Wagner daw at cs.berkeley.edu
Mon Jun 5 16:36:26 EDT 2006


David Hopwood writes:
>David Wagner wrote:
>> Micah Brodsky writes:
>>>More fundamental than needing trusted input is having a privileged,
>>>protected shell.
>> 
>> I don't see any reason why you would need a full command-line
>> shell.  If you're building a GUI system along the lines of MS Windows,
>> all you need is the ability to launch new programs in response to user
>> requests.  You don't need to be able to specify complex pipelines,
>> job control, command-line editing, arguments, etc.
>
>I don't see why it isn't feasible to specify complex pipelines, job
>control, command-line editing, and program arguments in a secure shell.
>None of these are rocket science.

Well, I'm not disagreeing.  I'm not agreeing, either.  I'm deliberately
not taking any position about whether it is feasible to build a
trustworthy shell/launcher with all of these features.  I think that is
a distraction.  All I'm saying is that you don't need these features to
build a useful and secure GUI system.  It doesn't matter to my argument
whether you believe that it's feasible to provide all those features;
I hope you'll agree with my conclusion either way, or tell me where I
went wrong.

In other words, I'm trying to refute Micah Brodsky's argument, and I
claim that my refutation should be convincing no matter what you believe
about the feasibility of supporting those advanced features (i.e., we
don't need to settle the question of whether it is feasible to build a
shell/launcher with all these questions to decide whether my refutation
of Brodsky's argument succeeds).  I'm curious to hear whether you think
these claims are convincing, though.
