[cap-talk] "Immutable Law" #1 is alive and well at Microsoft
Jed Donnelley
capability at webstart.com
Sat Oct 6 15:49:43 EDT 2007
At 12:59 PM 10/5/2007, Mark Miller wrote:
>On 10/5/07, Jed Donnelley <capability at webstart.com> wrote:
> > I disagree. It isn't a fine point for the few world class security
> > experts that we need to pound home. We need to communicate (inform,
> > sell) to the computer hoi polloi. Even at a conference like the
> > Usenix Security conference I would say the majority had not
> > heard/conceived of systems like CapDesk or Plash or Polaris where
> > applications can run under POLA.
>
>You're missing my point. How many of 'em haven't heard of Javascript
>in browsers?
All, I would say. However, as ?!ng and DavidH suggested (hope I'm
not speaking out of turn for others), they don't consider
Javascript running in browsers 'real' programs.
This is where I think this topic and the one about a Javascript
"Power Box" come together. If there was a way for Javascript
programs running in a browser to access local resources
(e.g. files, printing, ...) then I think people might begin to
take it more seriously as a "program" that could be subject
to the first law with a concern about bad guys. At that
point I think it would be clear that the same POLA model
could (should) be applied to ordinary programs run under
the OS.
This brings me to:
At 05:15 PM 10/5/2007, Mark Miller wrote:
>...
>2) I was incorrectly saying that if we don't find such experts, e.g.,
>if these two don't count, then we should stop beating this straw man.
>I was indeed wrong to tie these issues together. Even if Scott Culp is
>as renown as Butler Lampson, I still think we should stop beating this
>straw man. Anytime the "law" comes up, just say "What about
>Javascript?" and be done with it. Let's not try to make the case for
>POLA by making a big deal of a silly statement that's so trivially
>refuted.
I believe that is the point. Without some way to access resources
(which Javascript doesn't have), Javascript running in a browser
sandbox doesn't qualify as a full fledged running "program",
so people can argue (even I could argue...) that the First
Law still applies even with the Javascript case considered.
I think people think of Javascript as more like Flash or
various renderers. Sure, it has interactivity, but it can't
access anything, so it isn't really a running "program".
This is where I start to get afraid. My fear is that
some mechanism will be added (hacked, kludged) to allow
individual files to be accessed by Javascript
scripts running under browsers, and people will consider
the job complete.
To me what is needed for completion is parameter passing
of object access (shh... capabilities) that permits combining
mutually suspicious modules. Because of this I consider
the mashup 'problem' a better test case for capabilities.
--Jed http://www.webstart.com/jed-signature.html
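The capability-passing pattern Jed describes (a module from one origin handed access to exactly the object it needs, with no ambient authority over the rest of the machine) can be sketched in JavaScript itself. The block below is an added example written for this page, not code from the cap-talk thread or from CapDesk, Plash or Polaris; the "local resources" are a constructed in-memory file store, and makeFileStore, makePowerbox, readOnlyFacet, makeRevocable and spellcheckModule are illustrative names, not any real browser API. It shows the three things a practitioner would want from a Javascript "Power Box": granting one file rather than the file system, attenuating that grant to read-only, and revoking it afterwards.

```javascript
// Added example (not from the cap-talk thread): object-capability
// parameter passing between mutually suspicious JavaScript modules.
// All names below are illustrative assumptions; the file store is a
// constructed in-memory stand-in for local resources.

// Full authority over a set of files. Only the trusted "powerbox" side
// holds this object; it is never passed to a mashup module.
function makeFileStore(initialFiles) {
  const files = new Map(Object.entries(initialFiles));
  return Object.freeze({
    list: () => [...files.keys()],
    read: (name) => {
      if (!files.has(name)) throw new Error(`no such file: ${name}`);
      return files.get(name);
    },
    write: (name, data) => { files.set(name, data); },
  });
}

// A capability to exactly one file, carved out of the store. Holding it
// conveys nothing about other files: no list(), no lookup by name.
function makeFileCap(store, name) {
  return Object.freeze({
    read: () => store.read(name),
    write: (data) => store.write(name, data),
  });
}

// Attenuation: a read-only facet. The guest receives a different object
// on which the write method simply does not exist.
function readOnlyFacet(fileCap) {
  return Object.freeze({ read: () => fileCap.read() });
}

// Revocation: a forwarding facet that can be cut off later. Every call
// checks the flag, so copies of the reference die with it.
function makeRevocable(cap) {
  let revoked = false;
  const proxy = {};
  for (const method of Object.keys(cap)) {
    proxy[method] = (...args) => {
      if (revoked) throw new Error('capability revoked');
      return cap[method](...args);
    };
  }
  return { cap: Object.freeze(proxy), revoke: () => { revoked = true; } };
}

// The "powerbox": the only code that sees the whole store. It models the
// user picking one file in a dialog and grants just that file.
function makePowerbox(store) {
  return Object.freeze({
    grantFile: (chosenName, { readOnly = true } = {}) => {
      const full = makeFileCap(store, chosenName);
      return makeRevocable(readOnly ? readOnlyFacet(full) : full);
    },
  });
}

// A mashup module from an untrusted origin. Its only authority arrives
// as a parameter; it has no ambient access to the store or the powerbox.
function spellcheckModule(fileCap) {
  const words = fileCap.read().split(/\s+/).filter(Boolean);
  const misspelled = words.filter((w) => w.toLowerCase() === 'teh');
  return { wordCount: words.length, misspelled };
}

// Composition as the user agent would do it, returning what the guest
// could and could not do with the single capability it was handed.
function runMashupDemo() {
  const store = makeFileStore({
    'notes.txt': 'teh quick brown fox',   // constructed sample file
    'secrets.txt': 'do not share',        // never reachable by the guest
  });
  const powerbox = makePowerbox(store);
  const { cap, revoke } = powerbox.grantFile('notes.txt');

  const result = spellcheckModule(cap);

  const canWrite = typeof cap.write === 'function';
  const canListStore = 'list' in cap;

  revoke();
  let readsAfterRevoke = true;
  try { cap.read(); } catch (e) { readsAfterRevoke = false; }

  return { ...result, canWrite, canListStore, readsAfterRevoke };
}
```

The point of the design is that nothing in spellcheckModule names a file, a directory or a global store: the only way it can touch local state is through the object it was given, so "what can this mashup component do?" is answered by reading the powerbox call, not by auditing the component.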