[cap-talk] Concrete application, WebCVOS (was: Selling capabilities programming)
James A. Donald
jamesd at echeque.com
Fri Jul 20 02:26:33 EDT 2007
David Wagner wrote:
> Yes, but I don't think they're useful for what James
> wants, namely, for sandboxing. There are thousands of
> OS traps on Windows. It is not feasible to build a
> high- or even medium-assurance jail when you must
> mediate all thousands of those entry points.
Of those thousands, probably one only needs to hook a quite
small number. Unfortunately, an inadequately documented
number.
> Also they are undocumented and subject to change with
> every Windows version. That's a complexity nightmare.
> What are the chances that your mediation logic does
> not have a single hole? Second, my understanding is
> that many of the mechanisms that are ordinarily used
> to hook that API are bypassable: if the application is
> malicious, it can bypass the hook.
In Windows, typically a ring 3 non-Microsoft program
calls ring 3 Microsoft object code, for which there is
no source available, which eventually makes unknown
interactions with Microsoft code at ring<3. To sandbox
Windows, one would need to hook these unknown and
undocumented interactions between ring 3 Microsoft code
and ring<3 Microsoft code.
Sandboxing Linux is easier, since source code is available,
so one can hook a small number of known ring-level
transitions and ignore the rest, as I assume Plash does.
(Correct me if I am wrong - I do not understand Plash to
the level of ring-level transitions.)