[cap-talk] Capabilities and Freedom vs. Safety

Stiegler, Marc D marc.d.stiegler at hp.com
Mon Jul 23 14:06:30 EDT 2007

> -----Original Message-----
> From: cap-talk-bounces at mail.eros-os.org 
> [mailto:cap-talk-bounces at mail.eros-os.org] On Behalf Of Pierre THIERRY
> Sent: Saturday, July 21, 2007 9:10 PM
> To: cap-talk at mail.eros-os.org
> Subject: Re: [cap-talk] Capabilities and Freedom vs. Safety
> 
> Scribit James A. Donald dies 22/07/2007 hora 11:48:
> >> Could you detail how a Trojan or malware could be designed so as to be
> >> effective when run confined?
> > Imagine a program that plays music, and gets free legal music off the
> > internet, and organizes your music files and reports your music files
> > to the RIAA through backchannels that exist during its downloads of
> > free legal music.
> 
> That sounds like an application of the Principle of Most Authority...
> Why would I ever want to have a single program have so much 
> authority at once?
> 
> Why wouldn't I just have the following separated programs:
> 
> - one to play music (only authorities: reading files I ask to play and
>   sound output),
> - one to organize my music (authority: reading all my music files, maybe
>   some kind of powerbox to delete them),
> - one to download music (authority: restricted network access and adding
>   new files to an incoming directory),


I presume the issue here is that the program with this set of
authorities can spy on you and inform the RIAA about all your music, at
the same time that it is downloading legal music.

Several points:

-- It is certainly possible to design applications that use dangerous
combinations of authorities. POLA does not guarantee you can run all
possible applications from all possible sources. It merely maximizes the
number of applications you can run from the largest number of possible
sources. In the above example, in the absence of special trust, the
application downloading legal music must be confined from the
applications that can read all the music.

-- Sometimes, combining a bunch of different activities that require a
bunch of different authorities is useful to the user, but surprisingly
often it is not. My favorite example is the original StarOffice, which
was a single application that processed all your word, sheet,
presentation, and html files. That version of StarOffice really
demanded, in POLA terms, that it be granted vast authority. However, it
was also so clunky that the developers wisely decided to break it down,
in later versions, into separate applications. They did not break it
down for security reasons, they did it for usability reasons.

-- Sometimes, however, it is useful; the classic example is the Web
browser. A Web browser necessarily needs so much authority that it is
better thought of, not as an application, but as a launching component
of the TCB. So you have to get your browser from someone you trust with
all the knowledge that the browser collects (bookmarks, passwords,
browsing histories, and on and on).

So if it turned out to be attractive to have a single app download
music, play music, and organize music, you would need to make a
decision, even in a POLA system, whether you trusted the manufacturers
not to spy, or whether to choose other software. So while this is a
disappointing limitation of POLA, I know of no way to do better than
this, with any technology. In the physical world, a good analogy is,
just because you implement POLA in your building by using different keys
for every room, you may have to decide to clean the floor yourself in
the room that stores the gold, because, even with POLA, you probably do
not want to give the janitor the key to the gold room.

--marcs
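The separation Pierre proposes, and Marc's point that the downloader must be confined from anything that can read the whole collection, as an added Python sketch (not code from the thread or from any project discussed on it). It models each authority as an object that is handed to exactly the program that needs it; the library, the allow-listed network and the "speaker" are in-memory stand-ins constructed here so the script runs offline, and the host names and file names are made up.

```python
# Added example (not from the cap-talk thread): object-capability style
# separation of three music programs. Each receives only the objects it
# needs; there is no ambient file or network access. All I/O is faked.

class Library:
    """The whole collection. Holding this object is 'read all my music files'."""

    def __init__(self, tracks):
        self._tracks = dict(tracks)  # path -> bytes (constructed sample data)

    def list_tracks(self):
        return sorted(self._tracks)

    def read(self, path):
        return self._tracks[path]

    def add(self, path, data):
        if path in self._tracks:
            raise FileExistsError(path)
        self._tracks[path] = data

    def delete(self, path):
        del self._tracks[path]


class IncomingDir:
    """Attenuated capability: add new files under incoming/, nothing else.
    No list or read method exists, so the holder cannot learn what the rest
    of the library contains."""

    def __init__(self, library):
        self._library = library  # relies on discipline; Python does not enforce privacy

    def add_new(self, name, data):
        if "/" in name or name.startswith("."):
            raise ValueError("incoming filenames must be plain basenames")
        self._library.add("incoming/" + name, data)


class SingleFile:
    """Capability to read exactly one track: 'the files I ask to play'."""

    def __init__(self, library, path):
        self._read = lambda: library.read(path)

    def read(self):
        return self._read()


class RestrictedNetwork:
    """Network capability limited to one allow-listed host. Responses are a
    constructed table standing in for real HTTP."""

    def __init__(self, allowed_host, responses):
        self._allowed_host = allowed_host
        self._responses = responses  # (host, path) -> bytes

    def fetch(self, host, path):
        if host != self._allowed_host:
            raise PermissionError(f"no authority to reach {host}")
        return self._responses[(host, path)]


class Speaker:
    """Sound output stand-in: records what was played, returns bytes played."""

    def __init__(self):
        self.played = []

    def play(self, data):
        self.played.append(data)
        return len(data)


# The three programs, each written against only the capabilities it is given.

def player(track: SingleFile, speaker: Speaker):
    return speaker.play(track.read())


def organizer(library: Library, delete_powerbox):
    """Reads everything; each deletion is mediated by a user-facing powerbox callback."""
    for path in [p for p in library.list_tracks() if p.endswith(".dup.ogg")]:
        if delete_powerbox(path):
            library.delete(path)
    return library.list_tracks()


def downloader(net: RestrictedNetwork, incoming: IncomingDir):
    data = net.fetch("music.example", "/free/track.ogg")
    incoming.add_new("track.ogg", data)
    return len(data)


def confinement_check(net, incoming):
    """What the 'report my music files' behaviour Marc describes would need,
    tried with only the downloader's authorities; returns the steps that are blocked."""
    blocked = []
    if not hasattr(incoming, "list_tracks"):  # cannot enumerate the collection
        blocked.append("enumerate library")
    try:
        net.fetch("other.example", "/report")  # cannot reach a second host
    except PermissionError:
        blocked.append("reach a second host")
    return blocked


def demo():
    """Constructed sample world: two tracks (one duplicate) and one allow-listed host."""
    library = Library({"albums/a.ogg": b"AAAA", "albums/a.dup.ogg": b"AAAA"})
    net = RestrictedNetwork("music.example",
                            {("music.example", "/free/track.ogg"): b"FREE"})
    played = player(SingleFile(library, "albums/a.ogg"), Speaker())
    remaining = organizer(library, delete_powerbox=lambda p: True)  # user says yes
    got = downloader(net, IncomingDir(library))
    return {"played": played, "remaining": remaining, "downloaded": got,
            "blocked": confinement_check(net, IncomingDir(library)),
            "final": library.list_tracks()}


if __name__ == "__main__":
    print(demo())
```

The point of the sketch is Marc's: a single program that both downloads and organizes would have to be handed `Library` and `RestrictedNetwork` together, and then nothing in the design stops it from correlating the two; the only remaining control is whether you trust its author. Note also that Python attributes such as `_library` are private by convention only, so the attenuation shown here holds against honest code but not against a determined module in the same interpreter; an object-capability language or a process boundary is needed for real confinement.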
