[cap-talk] Capabilities and Freedom vs. Safety

James A. Donald jamesd at echeque.com
Sat Jul 21 21:48:51 EDT 2007 

 >>> 2. The system-wide installation utility should be
 >>> able to install programs in such a way that (a) they
 >>> are confined when run, but (b) the user cannot
 >>> inspect their code or data.

James A. Donald:
 >> This makes it likely that such programs will not
 >> necessarily be written to act in the best interests
 >> of the user - that they will, in some sense, be
 >> Trojans or malware.

Pierre THIERRY wrote:
 > Could you detail how a Trojan or malware could be
 > designed as to effective when run confined?

Any program needs some privileges.  You may be able to
stop it from doing disastrously bad things, but cannot
stop it from doing subtly bad things.

Imagine a program that plays music, and gets free legal
music off the internet, and organizes your music files
and reports your music files to the RIAA through
backchannels that exist during its downloads of free
legal music.

For a recent real world example Microsoft office
suffered serious software bloat, resulting in
unreasonable time to load.  Microsoft therefore
installed a continually running utility that continually
accessed all Microsoft office executables, thereby
causing Microsoft office to be in memory all the time,
thereby speeding up Microsoft office, and substantially
slowing down everything else, including all competing
software.  I do not know if they still install that
malware in some new form, but the first time around,
when people caught on, they stopped.

For a recent real world example, Firefox, apparently in
return for payments from google, implemented headers in
Firefox that facilitate charging for ads, and impair
users privacy.

 > And why should an uninspectable code be more malicious
 > than one inspectable?

They are more likely to get caught, and thereby suffer
bad publicity.

 > Isn't it partly because code inspection isn't
 > effective as a practical security measure that we are
 > designing capability systems?

Defense in depth.  There is no one magic bullet.  Bad
publicity cannot deter Ukrainian hackers, but it can
deter Google.

More information about the cap-talk mailing list