[cap-talk] Capabilities in C# (revised)

Sandro Magi naasking at higherlogics.com
Thu Nov 2 21:42:14 CST 2006

Stiegler, Marc D wrote:
> Aaaah...hmmm. Multi-compartmented workstations can match the security
> guarantees, they are just too hard to use. Which is why I try to talk
> about "security cooperation" rather than "security", because our blend
> of security and functional cooperation really is unmatched. A correct
> sentence, probably too complicated to be put on a slide, might be the
> following (trim it to be a slide): 
> Security guarantees beyond what can be supplied with traditional
> desktops (windows, mac, gnome, kde) with comparable ease of use and
> functionality now turned off on Windows because it is "too dangerous".

Hmm, David Wagner is more optimistic of the claims. :-)

I left the paragraph more or less as-is for now, and added, "They
provide this safety with the same easy interface as Explorer, KDE,
Gnome, etc."

> The slide about the darpabrowser isn't quite correct. The darpabrowser
> is a web browser launched from CapDesk that can launch malicious plugins
> and full-power malicious web applications with surprisingly limited
> risk; even if the darpabrowser itself were written to be malicious, the
> harm it can do in the CapDesk environment is also surprisingly limited.

Right, this last property is what I was trying to convey: even if the
entire browser is compromised by some attack (as Firefox and IE have
been), the damage would be severely limited. I considered another slide
about how IE 7 and Firefox 2.0 both had more than 2 vulnerabilities
published within a week of their release, but it's a bit too much of a

I was considering adding "potentially", as in, "DarpaBrowser is a
potentially malicious", rather than the current, "DarpaBrowser is a
malicious". One more long word, but closer to the truth.

Or perhaps you would prefer something like:

The DarpaBrowser is a simple, extensible web browser that can *safely*
load and run any sort of malicious plugin or web-application.

> Security people have the necessary but unfortunate perspective that you
> really need to trail the endless, appropriate qualifiers in front of
> people so your solution doesn't sound too magical.

Yes, I think it's a trait common to technically-oriented people in
generally actually, as they are excited to communicate a solution
they've found to a tricky problem; in order to appreciate the solution,
you clearly need most of the steps, so you can understand and explain it
to others. :-)

> In fact, the secret
> truth is, object capabilities on the desktop is, if not a silver bullet,
> at least a 90% cure for bringing an end to the current security
> absurdity in which over half of home pcs are zombies. But you can't say
> it because people won't believe you, and worse, the first time something
> that can be construed as a breach happens, you will be accused of lying
> about it.
> The slide "It's just good oo design" is a beautiful addition.

Thanks. This was the example I had originally tabled. Glad I could fit
it in without it being too cramped.


More information about the cap-talk mailing list