[cap-talk] Selling capabilities programming

Jonathan S. Shapiro shap at eros-os.com
Fri Aug 3 10:36:00 EDT 2007


On Fri, 2007-08-03 at 13:27 +1000, James A. Donald wrote:
> James A. Donald wrote:
>  > > Present day well behaved programs in present day
>  > > operating systems restrict their file accesses to
>  > > files that the user expects them to: their own
>  > > directories, and the files that the user directs.
>  > > They act as if they never acquire any durable
>  > > capability to access any file from the user or human
>  > > system administrator.
> 
> Karp, Alan H wrote:
>  > Unless a macro script embedded in the file directs
>  > them to do otherwise.
> 
> I said "well behaved".

James:

I think it is fair to say that people here put "well behaved programs"
in the same category as "Santa Claus". They are things that basically
don't exist. Today's well-behaved program is tomorrow's scripting virus
engine.

I have lost the context on this thread, so forgive me if I am
repetitive:

Assessments of well-behaved behavior are useful when you are building
things like penetration detection mechanisms, system call monitors, and
the like. Basically, they define (by omission) what constitutes
anomalous behavior.

One problem with this approach is that the range of well-behaved
behavior is much broader than even the developers remember, so it is
very hard to build accurate profiles. Further, the range changes rapidly
as the program evolves. This is why, for example, SELinux policies are
always scrambling after the latest versions.

Another problem is that virus authors know this profile, and many of the
mechanisms used for propagation can be accomplished within the limits of
expected behavior.


shap
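An added illustration, not from the thread or from any system named in it, of the two blind spots in profile-based anomaly detection that shap describes above: the program, its traces and the paths are all constructed.

```python
"""Constructed illustration of a 'well-behaved profile' monitor and its two blind spots."""

# Constructed trace of a well-behaved document editor, version 1.
# Each event is (syscall, normalised path).
TRACE_V1 = [
    ("open", "~/Documents/*"), ("read", "~/Documents/*"), ("write", "~/Documents/*"),
    ("open", "~/.config/editor/*"), ("write", "~/.config/editor/*"),
]

# Version 2 adds autosave to a new directory: legitimate, but outside the old profile.
TRACE_V2 = TRACE_V1 + [("open", "~/.cache/editor/*"), ("write", "~/.cache/editor/*")]

# A document macro that rewrites the user's other documents performs only the
# open/read/write events the editor itself performs during normal editing.
TRACE_MACRO = [("open", "~/Documents/*"), ("read", "~/Documents/*"),
               ("write", "~/Documents/*")] * 3


def build_profile(trace):
    """Allow-list of (syscall, path) pairs observed while the program was 'well behaved'."""
    return frozenset(trace)


def anomalies(profile, trace):
    """Events the profile has never seen; a profile-based monitor can flag nothing else."""
    return [ev for ev in trace if ev not in profile]


def version_drift():
    """Blind spot 1: the new version's legitimate behaviour trips the old profile."""
    return sorted(set(anomalies(build_profile(TRACE_V1), TRACE_V2)))


def within_profile_abuse():
    """Blind spot 2: hostile activity that stays inside the profile is invisible."""
    return anomalies(build_profile(TRACE_V1), TRACE_MACRO)


if __name__ == "__main__":
    print("drift flagged:", version_drift())       # the two autosave events
    print("macro flagged:", within_profile_abuse())  # []
```

Rebuilding the profile from version 2 silences the first alarm but does nothing for the second, which is the point of the argument above.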