[cap-talk] POLA focus on client/server remote execution

Jed Donnelley capability at webstart.com
Thu Jun 14 12:00:02 EDT 2007


At 07:55 AM 6/14/2007, Jonathan S. Shapiro wrote:
>On Thu, 2007-06-14 at 08:07 +1000, James A. Donald wrote:
> > There is an urgent need (needs where people will pay
> > money for solutions that actually work) client side for
> > an environment in which highly untrusted code - code
> > within emails and web pages - may run.
> >
> > There is also an urgent need, server side, for a safe
> > environment in which to run code that comes under severe
> > attack...
>
>I agree with both of those points.

Uh ...  Perhaps that's an area we should then focus on.

>None of us seem to be building that, because it is unlikely
>that we *can*.

Why not?  Let's take the case for client side Web 'page' executables.
Doesn't the DARPA browser fit this bill?  If not, why not?

>The need is urgent, but you are effectively asking to retrofit
>defensibility onto systems that weren't designed for it.

Of course that is what Polaris and Plash are doing.  Why can't
something similar be done for these example environments of
Web page and email executables?  In fact, for the email area
what about Polaris and Plash themselves?  Couldn't an email
client be set up (e.g. what about a Thunderbird "plugin"
or the like) to link to a Polaris (for Windows) or a Plash
(for Unix) environment?  In that case my email client would
no longer have to warn me about initiating an executable,
but could pop up a power box to provide it any permissions
it might need.

For the browser situation, same story.  Can't something like
a Polaris or Plash plugin be added to a browser (e.g. Mozilla)?
With that approach they could execute arbitrary code - something
that of course hasn't been considered for the client side
of a Web interface because of the obvious danger without such
a POLA environment.

Briefly, on the server side - same story, only easier.  There it
would seem that Polaris or Plash could be linked to directly.

>There are many people who will try to sell that to you if you ask for
>it, but there is nobody who can actually *solve* that problem.

Interesting.  I had no idea there was such negativity about
capabilities (POLA) in these areas.  How do others feel about
this topic?  Is this picture as bleak as Jonathan paints it?

--Jed  http://www.webstart.com/jed-signature.html 