[cap-talk] POLA focus on client/server remote execution
Jed Donnelley
capability at webstart.com
Thu Jun 14 13:23:43 EDT 2007
At 09:33 AM 6/14/2007, Jonathan S. Shapiro wrote:
>On Thu, 2007-06-14 at 09:00 -0700, Jed Donnelley wrote:
> > >There are many people who will try to sell that to you if you ask for
> > >it, but there is nobody who can actually *solve* that problem.
> >
> > Interesting. I had no idea there was such negativity about
> > capabilities (POLA) in these areas. How do others feel about
> > this topic? Is this picture as bleak as Jonathan paints it?
>
>This is not negativity about capabilities at all.
Sorry about the word. Perhaps I should have used "pessimistic"?
>Yes, you could insert sandboxing environments.
>
>But MANY sandboxing environments of these forms have been done already,
>so we need to ask: why have they failed?
Good question. How about with regard to the DARPABrowser? I wonder
if it might 'just' be that significantly more work is needed to properly
integrate with the existing environment.
>The answer is that the things we are sandboxing are not "respectful" of
>sandboxes. This is not a flaw in the sandboxes. It is a conflict of
>requirements.
One that it seems to me could be fairly easily handled if the
'sandboxes' were given priority.
Still, the term "sandbox" seems to me a bit limited. I don't think
of a "sandbox" as a POLA environment. In a POLA environment objects
can be placed into the "sandbox" under external (e.g. the "Power Box")
control. This seems a bit more than the way I've heard the "sandbox"
term used.
>On the one hand, people want safety, but on the other they
>are unwilling to tolerate the failure of plugins that engage in unsafe
>behavior.
This seems perfectly reasonable to me. In the above it seems to me
you are focused on the initialization (what we've sometimes referred
to as a profile) for an application. This is an area that of course
needs to be worked out, but we've noted what I consider to be very
workable approaches on this list.
Regarding:
At 09:45 AM 6/14/2007, Stiegler, Marc D wrote:
>On Thu, 2007-06-14 at 09:00 -0700, Jed Donnelley wrote:
>...
> > Why not? Let's take the case for client side Web 'page' executables.
> > Doesn't the DARPA browser fit this bill? If not, why not?
>
>DarpaBrowser certainly demonstrates how to do this. If Google doesn't
>put markm to work retrofitting such secure cooperation functionality
>into the browser, they will have erred grievously :-)
Interesting. I'm not aware of any significant Google browser
contributions to this point - certainly not regarding POLA, but
it does seem something of a natural area of interest for them.
I hope something like the above works out!
--Jed http://www.webstart.com/jed-signature.html