[cap-talk] POLA focus seen as counter productive
Jed Donnelley
capability at webstart.com
Sat Jun 16 11:40:01 EDT 2007
At 08:12 AM 6/16/2007, Jonathan S. Shapiro wrote:
>On Sat, 2007-06-16 at 10:58 +1000, James A. Donald wrote:
> > Jonathan S. Shapiro wrote:
> > > I agree with both of those points. None of us seem to be building that,
> > > because it is unlikely that we *can*. The need is urgent, but you are
> > > effectively asking to retrofit defensibility onto systems that weren't
> > > designed for it.
> >
> > If something runs inside a VM, it does not matter how indefensible the
> > system is outside the VM.
>
>NONE of the current VM's successfully sandbox their operating systems.
>There are now viruses in the wild designed to escape VMs, and some
>designed to alter their behavior depending on whether they are running
>within a VM. So: no outward protection.
Hmmm. What do you mean by "VM" above? Are you referring to real
hardware Virtual Machine Monitors (e.g. VMWare, VM360, etc.) or to
something like a Java VM? In the former case I would be surprised
to hear about "viruses in the wild designed to escape VMs". If there
are such I'll be interested to learn how they work. Specifically which
interfaces are attacked. In the latter case of course it depends on
the nature of the "VM". Such software "VM"s are often designed with
attackable interfaces, just as with any OS whose execution environment
can be referred to, loosely, as a "virtual machine".
>If you depend on data generated by a compromised computation, you better
>have an independent way to check that data. This, of course, is true
>whether you use a VM or not. Merely adding a VM does not cause the OS
>inside to become magically protected if it has contact with the outside
>world.
The reference above referred to the protection of the "system outside
the VM" - though why I'm not sure. Perhaps Jonathan's point is that if
you have running software that is interacting with "the outside world",
whether it is in a VM or not, it has to deal with protecting itself
in its communication?
--Jed http://www.webstart.com/jed-signature.html
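The quoted point that data produced by a possibly compromised computation needs an independent check is easy to show in code. The following is an added example, not code from the thread or from any of the systems it mentions: a host hands tasks to a worker standing in for code inside a guest that may have been taken over, and accepts each answer only after a separately written checker confirms it. The worker and checker functions, and the sample inputs, are constructed for this illustration.

```python
"""Result checking for output from a computation you cannot trust.

Constructed example: the "workers" below stand in for code running in a guest
that may be compromised; the "checkers" run on the host, are written and
audited independently of the workers, and are cheaper than redoing the work.
"""
from collections import Counter
from typing import Callable, Any


class UntrustedResult(Exception):
    """Raised when a worker's output fails its independent check."""


def check_sorted(original: list[int], claimed: list[int]) -> bool:
    """Independent check for a sort: the output must be ordered and must be a
    permutation of the input (same multiset). O(n), no trust in the worker."""
    ordered = all(a <= b for a, b in zip(claimed, claimed[1:]))
    return ordered and Counter(original) == Counter(claimed)


def check_factorization(n: int, claimed: tuple[int, int]) -> bool:
    """Independent check for a factoring task: one multiplication verifies a
    nontrivial factorization, regardless of how the worker found it."""
    p, q = claimed
    return 1 < p < n and 1 < q < n and p * q == n


def verified(task_input: Any, worker: Callable, checker: Callable) -> Any:
    """Run the (possibly compromised) worker, then accept its answer only if
    the checker agrees. The host never relies on the worker's honesty."""
    claimed = worker(task_input)
    if not checker(task_input, claimed):
        raise UntrustedResult(f"output {claimed!r} rejected for input {task_input!r}")
    return claimed


# --- constructed workers: an honest and a compromised one per task ----------

def honest_sort(xs: list[int]) -> list[int]:
    return sorted(xs)


def tampering_sort(xs: list[int]) -> list[int]:
    """Returns an ordered list, but silently corrupts one value; an
    'is it sorted?' check alone would pass this."""
    out = sorted(xs)
    if out:
        out[-1] = out[-1] + 1
    return out


def honest_factor(n: int) -> tuple[int, int]:
    """Trial division; returns (1, n) if no factor is found."""
    for p in range(2, int(n ** 0.5) + 1):
        if n % p == 0:
            return (p, n // p)
    return (1, n)


def lying_factor(n: int) -> tuple[int, int]:
    """Claims every number is prime without doing any work."""
    return (1, n)


def run_demo() -> dict[str, tuple[str, Any]]:
    """Run each worker under verification and record accept/reject outcomes."""
    cases = [
        ("sort/honest", honest_sort, check_sorted, [5, 3, 9, 1]),
        ("sort/tampered", tampering_sort, check_sorted, [5, 3, 9, 1]),
        ("factor/honest", honest_factor, check_factorization, 91),
        ("factor/lying", lying_factor, check_factorization, 91),
    ]
    outcomes = {}
    for name, worker, checker, inp in cases:
        try:
            outcomes[name] = ("accepted", verified(inp, worker, checker))
        except UntrustedResult:
            outcomes[name] = ("rejected", None)
    return outcomes


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:16s} {outcome[0]:9s} {outcome[1]!r}")
```

The checkers are deliberately not reimplementations of the workers: a permutation test and a single multiplication are much smaller than a sort or a factoring routine, so they are easier to audit and cannot share a bug with the code they are guarding. That is the shape "an independent way to check that data" usually takes in practice: verify a property of the answer rather than recompute it.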