[cap-talk] Language and/or multi process/IPC security (prev: Windows Vista: security by admonition)
Ian G
iang at systemics.com
Tue Jun 6 09:18:57 EDT 2006
David Wagner wrote:
> Modular reasoning seems pretty important to reasoning about the security
> properties of programs of non-trivial size. For that reason, memory-safe
> and type-safe languages seem useful.
There's also an economic angle. Most of the world's programmers cannot deal with the complexities and the finely detailed concepts that are talked about here. And they are the ones who write the code, so they are more relevant than us, again in aggregate economic terms.
But this notion runs slap bang into their desire for power and expressiveness. Programmers will always choose the powerful over the secure, as they are paid on delivery, not protection.
David wrote elsewhere:
> If so, I don't see any reason why you would need a full command-line
> shell. If you're building a GUI system along the lines of MS Windows,
> all you need is the ability to launch new programs in response to user
> requests. You don't need to be able to specify complex pipelines,
> job control, command-line editing, arguments, etc. Yes, the program
> launcher is part of the TCB, and yes, it needs a trusted path to the
> user. But I see no reason that a program launcher needs to be complex
> (and certainly no need to be anywhere near as complex as Explorer).
> It seems eminently feasible to build a secure program launcher.
Saying that the ability of the Unix shell to combine and launch programs in interesting ways is bad for security might be true .. but it misses the economics: the shell was incredibly successful because it gave the programmer the power and expressiveness to combine simple programs in interesting ways. The cat(1) phenomenon, in other words.
This demand for expressiveness is still going on, but it has moved "up the stack" into GUI areas. The Firefox browser is (I gather) a complete programming language platform in JavaScript that allows plugins and even users to do anything in it. Of course for security this is a nightmare, and the new exploits seen earlier this year are concentrating on exactly that. (Others might say more here...) But for expressiveness, there is an explosion of plugins and usages that has caused something extraordinary - made Firefox into a successful product.
When Jed says:
> Firstly I think it kind of sad that so few people (even people on this list)
> have direct experience with capability based (generally POLA) systems.
What that raises as a question in my mind is whether the systems that have been tried have been secure, but too inexpressive to be interesting. Indeed, given that applications programmers will always choose expressiveness over security, is there any economic model at all in building for security, first? Are we in a world where we can only play catch-up?
iang