[cap-talk] some bitfrost answers
Ivan Krstić
krstic at solarsail.hcs.harvard.edu
Mon Feb 12 02:23:23 CST 2007
David Hopwood wrote:
> I.e. different malware packages must be isolated from each other.
Right. This is normally not a concern with Bitfrost, because bundles are
completely unaware of other installed bundles and can't interact with
them; the problem that actually arises is the limitation this places on
the programming model. Legitimate inter-application interactions exist,
and it's not clear to me yet what those are and how to permit them. This
is one of the things I'll be spending a lot of time thinking about in
the next few weeks. Thoughts and examples welcome.
> Well, it does precisely for the reason you describe below. I'm not
> sure why you describe an argument that says otherwise as being true
> "at the technical level"
"In terms of lower bounds on security" might be a better phrasing than
"at the technical level". Because you can't tell good software from bad,
you're no better off in the worst case (fully malicious software) with
the requestable permissions than you are without them. Once you throw in
a particular set of (reasonable) assumptions about use patterns, this is
no longer the case, but from that you still can't conclude that
requestable permissions actually increase system security by themselves,
which is what I meant by "at the technical level".
> That's what I thought you probably meant. However, as it is currently
> written, the document is easy to misinterpret.
That's useful feedback. I've added an entry to my TODO list to clarify
that section.
--
Ivan Krstić <krstic at solarsail.hcs.harvard.edu> | GPG: 0x147C722D