[cap-talk] Ivan Krstic sells POLA at AusCert 2007
Ivan Krstić
krstic at solarsail.hcs.harvard.edu
Thu Jul 5 00:33:31 EDT 2007
On Jun 14, 2007, at 2:52 AM, Toby Murray wrote:
> Could you elaborate on who you're referring to when you say that the
> idea that modern desktop security measures are no good gets a lot of
> people upset. Are you referring to security product vendors, OS
> vendors or desktop users? Perhaps all of the above, I wonder.
All of the above.
Security vendors don't want the security situation to be *fixed*.
Their ideal situation is one where they mitigate problems if you pay
them handsomely. This is very different than not wanting to have
problems in the first place.
OS vendors find security to be a pain in the ass because it doesn't
bring in money, but the vendors are still expected to do security
work which is hard and requires non-trivial resources. Proper
solutions for many security problems need invasive approaches that
interfere with things that do bring in money. This is one reason that
I don't expect we'll see the kind of breaks in application backwards
compatibility anytime soon that would have the potential to
significantly improve the desktop security situation.
Users are just irritated by any mention of security. They don't have
to worry about their toaster or fridge getting hacked, and they don't
see why their computer should be any different. But they grudgingly
accept that it is different, and fork over some amount of money on
anti-virus software that they basically view as an oblivion tax:
money they're willing to give so they can choose to not think about
the problem. So when you tell them that the oblivion tax is somewhat
of a scam and that they're not nearly as protected as they think they
are, you're making them think about something they've gone out of
their way not to think about.
> In what context do you
> discuss caps while talking about BitFrost?
In the context of the community having known about better approaches
to security for forty years. A lot of people I talk to think that
there simply aren't alternatives to how we do security now (this
includes security people!), and that it's this lack of options that's
been mirrored in a lack of significant progress.
> Could you clarify your position on the need (or lack of) to use a
> capability-based approach to achieve POLA?
I think capabilities are the best way we know to get to a Platonic-
ideal flavor of POLA. I also think pursuing this ideal flavor of POLA
has historically been a catastrophic failure by the capsys community,
and is the reason we haven't seen capability systems venturing much
outside of academic fairyland and special-purpose computing.
(Jonathan Shapiro shared his opinion on this a few messages back in
the 'file I/O request overhead' thread.)
--
Ivan Krstić <krstic at solarsail.hcs.harvard.edu> | GPG: 0x147C722D