[cap-talk] "Immutable Law" #1 is alive and well at Microsoft

Jed Donnelley capability at webstart.com
Mon Oct 8 01:17:41 EDT 2007


At 04:40 AM 10/7/2007, David Hopwood wrote:
>Jed Donnelley wrote:
> > At 12:59 PM 10/5/2007, Mark Miller wrote:
> >> On 10/5/07, Jed Donnelley <capability at webstart.com> wrote:
> >> > I disagree.  It isn't a fine point for the few world class security
> >> > experts that we need to pound home.  We need to communicate (inform,
> >> > sell) to the computer hoi polloi.  Even at a conference like the
> >> > Usenix Security conference I would say the majority had not
> >> > heard/conceived of systems like CapDesk or Plash or Polaris where
> >> > applications can run under POLA.
> >>
> >> You're missing my point. How many of 'em haven't heard of Javascript
> >> in browsers?
> >
> > All I would say.  However, as ?!ng and DavidH suggested (hope I'm
> > not speaking out of turn for others), they don't consider
> > Javascript running browsers 'real' programs.
>
>I didn't say that. I consider anything written in a Turing-complete
>language [*] to be a "program", and I think this is well-established
>terminology.

Sorry David.  It is this statement of yours that I was referring to:

At 10:25 AM 10/5/2007, David Hopwood wrote:
> > Ka-Ping Yee wrote:
>
> > What do they mean when they say this?
><"this" being MS Immutable Law #1>
>
>They are talking about Windows executable files (not running under
>virtualization), probably. Of course they know, and will admit if
>pressed, that a "program" is not necessarily a Windows executable,
>but see above: they are too careless to think that being precise about
>this is important.

Turing complete or not, there are many things considered "programs"
(e.g. old cards for looms or analog 'computer' configurations,
etc.) that don't fit the Windows executable that the MS 'law'
applies to.  However, I'm sure they also included Unix and
Mac executables.  I believe in their thinking that is all that
was included when they argued that:

"Law #1: If a bad guy can persuade you to run his program on
your computer, it's not your computer anymore."

I believe they were referring specifically to programs run
with the ambient authority of the user.  I don't believe they
considered Javascript run in sandboxes as qualifying as a
'program' run by YOU on your computer - though if pressed they
would of course admit that such a Javascript run in a sandbox
is technically a program run on your computer and in some
sense in response to your actions, but not specifically run
by you (with your authority).

>I also think that whether Javascript programs are "real" applications
>is basically beside the point -- since the so-called "Immutable Law #1"
>doesn't qualify what programs it applies to.

Right, so that would seem to suggest that it applies to all
programs.  It is clearly wrong exactly as MarkM says, but I
don't think that would particularly faze those who believe
in the essence of this "law".  I believe they would argue
that such Javascript programs run in sandboxes are trivial
cases more like simple renderers and with no real authority.

I believe this much is clear in their Law when they say,
"If a bad guy can get YOU..."  They mean YOU with your authority
that you grant to the program running on your behalf.

This is why I still believe this "Law" is worth mentioning
and contradicting.  An essential part of the problem, I
believe, is the notion that one would generally run
programs with the authority of the user.  Until we can
show people that this isn't necessary or even desirable
and we can still achieve what the programs we run need
to achieve (not just Javascript run in sandboxes) without
Lampson's claim of undue UI pain, then I think the dominant
paradigm of running programs as "users" will remain the
only way most computer users can even imagine running
"programs."

>Besides, Microsoft people
>presumably don't actually believe that an operating system cannot in
>principle enforce local security boundaries.

Sure, but as one of their most vocal spokespeople, Lampson,
says (not just about capabilities, but about POLP in general):

"I think, for example, that the Principle Of Least Privilege has done an
enormous amount of damage to security because what it encourages
you to do is to make everything fine grain and work out all the
dependencies very carefully and it's too complicated.  You can't keep
track of it.  You're bound to mess it up.  Even if you get it right today
it will be wrong three months from now.  Nobody will have the patience
to ever look at it again because there's just too much of it.  So I say
absolutely no to fine grain protection.  Everything should be as coarse
grain as possible because otherwise you won't be able to administer it.
That's a very unpopular position with most people.  I think there's a lot
of empirical evidence that tells us now that it's right."

"They" (Butler at least from the above) believe that POLA is
impractical and, by implication, that running programs with
user authority is the only effective way to run programs,
hence Law #1.

Of course I know exactly the sort of complexity they are talking
about.  SELinux.  I believe SELinux has almost exactly the properties
that Lampson describes above.  In my experience capability systems
do not, because capabilities are natural units (parameters) of
authority that add no complexity to effectively structured OO
programs.  Also, as we know with systems like CapDesk, the usual
user designation mechanisms suffice in almost all cases for
access control implemented with capabilities at the level
of the underlying programs.

It is this belief (that POLA is too complex, running programs
with user authority is the only workable alternative - as it
exists in Windows, Unix, and Mac - and that therefore the MS
Law #1 is for all practical purposes valid) that I believe we
must dispute on high and on low.

>As I said, they just don't
>care to express what they do believe with sufficient accuracy.

I don't believe accuracy is at issue here.

>IOW, I basically agree with MarkM's position on this issue.

That position being that we should ignore MS Law #1 because
nobody takes it seriously (correct me if I've misstated your
position MarkM)?

At 09:25 AM 10/7/2007, Jonathan S. Shapiro wrote:

>I'm sad to say that the immutable law is alive and well in other forms.
>This month's MSDN magazine is focused on security, and the basic message
>is "it will always be an arms race, architecture can't fix it".

I believe the current state is worse than that.  I was very
discouraged by the state of affairs at the Usenix Security
conference.  There the prevailing attitude wasn't just that
architecture can't contribute to fixing the problems, but more
that the joy in computing is continuing to find the security
problems that we all know will continue to be there indefinitely.
That there is no point (certainly no professional benefit) in
seriously looking for solutions where it's so much more fun (better
path to career growth) to just continue to point out the problems.
Why take a chance on really trying to fix something when so
many have failed so ignominiously before you and you can make
a name for yourself just by pointing out more security
vulnerabilities in existing systems?

--Jed  http://www.webstart.com/jed-signature.html  
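An added illustration, not part of the thread, of the distinction Jed draws above: a program run with the user's ambient authority (the situation Law #1 assumes) versus the same program written to POLA, where the capability handed over by a CapDesk-style file chooser is its only authority. The "filesystem", the `viewer_*`, `powerbox` and `exposed_by_*` names are all constructed for this toy; Python does not enforce capability discipline, so the confinement shown rests on the POLA viewer having no filesystem in scope at all.

```python
# Constructed toy contrasting the two ways of running a program that this
# thread argues about. The "filesystem" is an in-memory dict; no disk I/O.
from typing import Mapping

# Constructed stand-in for everything the user's ambient authority reaches.
HOME: dict[str, str] = {
    "/home/user/report.txt": "quarterly numbers",
    "/home/user/secrets.txt": "PLACEHOLDER secret",
}

class FileCap:
    """Capability: a reference to one designated file and nothing else.
    In a capability OS only the powerbox (trusted UI) can mint these; the
    toy cannot enforce that, so treat the constructor as privileged."""
    def __init__(self, store: Mapping[str, str], path: str) -> None:
        self._store, self._path = store, path

    def read(self) -> str:
        return self._store[self._path]

def viewer_ambient(path: str) -> str:
    """Viewer as run under Law #1: it runs as YOU, so any path it names
    resolves against your whole filesystem. Its parameter is only a name."""
    return HOME[path]

def viewer_pola(doc: FileCap) -> str:
    """Same viewer written to POLA: the parameter *is* its authority. No
    filesystem is in scope, so there is no second file it could name."""
    return doc.read()

def powerbox(chosen: str) -> FileCap:
    """Trusted file-chooser step (CapDesk-style): picking the file is the
    grant. Hands out one capability rather than the user's whole authority."""
    return FileCap(HOME, chosen)

def exposed_by_ambient() -> set[str]:
    """Every file whose contents the ambient viewer can be made to return:
    the whole of HOME, since any name the viewer computes resolves."""
    return {p for p in HOME if viewer_ambient(p) == HOME[p]}

def exposed_by_pola(chosen: str) -> set[str]:
    """Files whose contents the POLA viewer returns when the user picks one:
    only the designated file, whatever the viewer's own code wants."""
    got = viewer_pola(powerbox(chosen))
    return {p for p, contents in HOME.items() if contents == got}
```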


