[cap-talk] Capabilities in C# (revised)

Stiegler, Marc D marc.d.stiegler at hp.com
Thu Nov 2 19:00:34 CST 2006


> 2. added two slides on the CapDesk and the DarpaBrowser 
> (spoofing and unmatched security guarantees; let me know if 
> I've overstated the case here)

Aaaah...hmmm. Multi-compartmented workstations can match the security
guarantees; they are just too hard to use. Which is why I try to talk
about "security cooperation" rather than "security", because our blend
of security and functional cooperation really is unmatched. A correct
sentence, probably too complicated to be put on a slide, might be the
following (trim it to be a slide):

Security guarantees beyond what can be supplied with traditional
desktops (Windows, Mac, GNOME, KDE) with comparable ease of use and
functionality now turned off on Windows because it is "too dangerous".

The slide about the DarpaBrowser isn't quite correct. The DarpaBrowser
is a web browser launched from CapDesk that can launch malicious plugins
and full-power malicious web applications with surprisingly limited
risk; even if the DarpaBrowser itself were written to be malicious, the
harm it can do in the CapDesk environment is also surprisingly limited.

Security people have the necessary but unfortunate perspective that you
really need to trail the endless, appropriate qualifiers in front of
people so your solution doesn't sound too magical. In fact, the secret
truth is, object capabilities on the desktop is, if not a silver bullet,
at least a 90% cure for bringing an end to the current security
absurdity in which over half of home PCs are zombies. But you can't say
it because people won't believe you, and worse, the first time something
that can be construed as a breach happens, you will be accused of lying
about it.

The slide "It's just good OO design" is a beautiful addition.