[cap-talk] Selling capabilities programming
Sam Mason
sam at samason.me.uk
Sat Jul 21 20:46:01 EDT 2007
On Sun, Jul 22, 2007 at 09:47:25AM +1000, James A. Donald wrote:
> Jonathan S. Shapiro wrote:
> > Consider a hostile Word scripting virus. It somehow
> > comes in to possession of a sensitive authority that
> > it is not supposed to have. It propagates and
> > preserves this authority by writing it to and from
> > Word files as they are stored.
> >
> > The only reason this propagation is possible is that
> > the capabilities are not protected.
>
> No, the reason this propagation is possible is that the
> capability is durable. What is Word doing with a
> durable capability, other than the capability to access
> its own configuration files?
If capabilities weren't durable then some protocol must exist for
processes to receive updated capabilities. How would you ensure
that only "good" processes receive these new capabilities while the
"malicious" processes don't?
Sam