[cap-talk] some bitfrost answers
David Hopwood
david.nospam.hopwood at blueyonder.co.uk
Sun Feb 11 21:37:13 CST 2007
Ivan Krstić wrote:
> Marc continues:
>
>> There are nonetheless things that make me despair, as the preface to
>> the solitaire example [...] Well, in fact, the difference is barely
>> interesting, despite the discussion that follows the above excerpt,
>> which is an interesting narrative in which all the words make sense
>> but, for me at least, the sentences do not.
>
> I'd really like the document to read well, so I'm happy to see any ideas
> about rephrasing or rewriting parts for clarity. That said, I find the
> difference between the two kinds of software very interesting, just not
> at the technical level. More below. And don't despair so easily. It's
> bad for your nerves :)
>
> David Hopwood chimed in about this difference:
>
>> The value of a) protecting the integrity of software (making it
>> read-only and cryptographically authenticated); b) giving it no more
>> authority than it asked for; does not depend on any particular piece
>> of software being benign. a) and b) can and should be done for all
>> software, regardless of how benign or malicious it is. It doesn't
>> matter (even if it doesn't have any benefit) that we do a) and b)
>> also for malware.
As I pointed out in a follow-up:
> And incidentally, it does have benefit even for malware. If the user grants
> authority A to malware package P, and authority B to malware package Q, but does
> not give P authority to communicate with Q, then package P should not be able to
> get authority that is in B but not A.
I.e. different malware packages must be isolated from each other.
>> This is important since the system *doesn't know*
>> which software is benign and which is malicious -- not even when it
>> is cryptographically authenticated.
>
> Let me explain what I was getting at.
>
> Bitfrost lets software request whatever permissions they want at install
> time, modulo some exclusions that make it hard to request a set that
> lets you be directly malicious. At the technical level, because you
> can't assume that all software will be benign, it doesn't make any
> difference that some is,
Well, it does precisely for the reason you describe below. I'm not sure
why you describe an argument that says otherwise as being true "at the
technical level"; AFAICS it's false whenever we don't assume that all
software packages are equally malicious *and* are all granted identical
permissions by the user at run-time.
> so I could have designed Bitfrost to have no
> permission request model whatsoever: applications could just start with
> all the permissions, minus the ones they can't have because of the
> exclusions. You could say that the system would be no less secure this way.
>
> One level up from the technical side of things, if you assume that most
> software people install is in fact benign (which I firmly believe on
> intuition and from observation, but can't claim authoritatively since
> there's no data), then a system which provides a fine-grained
> requestable permission model is going to be pointedly /more/ secure,
> because most software will cooperate and shed many privileges it would
> normally have.
That's what I thought you probably meant. However, as it is currently written,
the document is easy to misinterpret.
--
David Hopwood <david.nospam.hopwood at blueyonder.co.uk>
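A toy model of the two points argued in the message above: install-time permission requests filtered by an exclusion list, and isolation, i.e. that a package's obtainable authority is bounded by what the user granted it plus what it can get from packages it has been allowed to talk to. This is an added example for this page, not OLPC or Bitfrost code; the permission names, the exclusion pairs and the `System`/`Package` API are hypothetical stand-ins.

```python
"""Toy model of the permission/isolation argument from the message above.

Added example, not OLPC/Bitfrost code.  Permission names, the exclusion
pairs and the API below are hypothetical stand-ins for illustration.
"""

from dataclasses import dataclass, field

# Hypothetical exclusion list: no package may hold both members of a pair.
EXCLUSIONS = frozenset({
    frozenset({"network", "camera"}),
    frozenset({"network", "microphone"}),
})


class RequestRejected(Exception):
    """Raised when a requested permission set violates an exclusion."""


@dataclass
class Package:
    name: str
    authority: frozenset[str]                        # granted at install time
    channels: set[str] = field(default_factory=set)  # packages it may talk to


class System:
    def __init__(self) -> None:
        self.packages: dict[str, Package] = {}

    def install(self, name: str, requested: set[str]) -> Package:
        """Grant exactly what was requested, unless an exclusion forbids it."""
        for pair in EXCLUSIONS:
            if pair <= requested:
                raise RequestRejected(f"{name}: may not hold {sorted(pair)} together")
        pkg = Package(name, frozenset(requested))
        self.packages[name] = pkg
        return pkg

    def allow_channel(self, src: str, dst: str) -> None:
        """The user explicitly lets src send messages to dst."""
        self.packages[src].channels.add(dst)

    def obtainable_authority(self, name: str) -> frozenset[str]:
        """Worst case: every package reachable over a channel colludes and
        hands over its authority, so take the transitive closure."""
        seen: set[str] = set()
        todo = [name]
        acquired: set[str] = set()
        while todo:
            n = todo.pop()
            if n in seen:
                continue
            seen.add(n)
            pkg = self.packages[n]
            acquired |= pkg.authority
            todo.extend(pkg.channels)
        return frozenset(acquired)


def isolated_case() -> frozenset[str]:
    """P gets A, Q gets B, no channel between them: P cannot reach B minus A."""
    s = System()
    s.install("P", {"filesystem", "network"})
    s.install("Q", {"filesystem", "camera"})
    return s.obtainable_authority("P")


def channel_case() -> frozenset[str]:
    """Same grants, but the user lets P talk to Q: P can now obtain Q's camera."""
    s = System()
    s.install("P", {"filesystem", "network"})
    s.install("Q", {"filesystem", "camera"})
    s.allow_channel("P", "Q")
    return s.obtainable_authority("P")


def exclusion_case() -> bool:
    """A request pairing network with camera is refused at install time."""
    s = System()
    try:
        s.install("M", {"network", "camera"})
    except RequestRejected:
        return True
    return False


if __name__ == "__main__":
    print(sorted(isolated_case()), sorted(channel_case()), exclusion_case())
```

The only way authority moves between packages in this model is over a channel the user created, which is what makes the "P should not be able to get authority that is in B but not A" claim checkable: remove the `allow_channel` call and the camera permission is unreachable from P even though both packages are malicious.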