[cap-talk] Windows Vista: security by admonition

Toby Murray toby.murray at dsto.defence.gov.au
Mon Jun 5 23:25:50 EDT 2006


Micah Brodsky wrote:

>The example we've been talking about is an interesting case, though. Rather
>than administering the user's ordinary privileges, UAC is about
>administering extraordinary privileges, those that modify global system
>state. ... Instead, by going out of band to a very
>compact, trustworthy broker to request particular privileges in the rare
>cases they are needed, a lot less code needs to keep administrative
>privileges around.
>
>This is not to say that such a mechanism needs to follow the admonishment
>paradigm instead of the designation paradigm, but it's frequently a lot
>easier to write a mechanically secure broker for admonitions than it is to
>write one for designations. This is what I mean by the potential hazard with
>designation.
>
That's an interesting point.
I'm sure you will agree that we shouldn't build systems by the criteria
"it's easier to build this way" but rather by the criteria "it works
better this way". :)

I'm still not convinced that a broker using admonition is easier to
build though than one built using designation. CapDesk seems a good
counterexample. I'm not sure that the distinction between ordinary and
extraordinary privileges is so important. From the point of view of some
application, in both cases, it's trying to get privileges over and above
what it already has. In both cases it is the physical user who's at the
machine that has the authority to grant these privileges, no? Please
correct me if I've misunderstood you here, or have gone wrong somewhere
in my reasoning.

It's cool btw to have a new member involved on this list. My welcome to you.

-- 
Toby Murray
Advanced Computer Capabilities Group
Information Networks Division
DSTO, Australia
