[cap-talk] Reinterpreting POLA - "Authority Must Not Exceed Trust"

James A. Donald jamesd at echeque.com
Mon Sep 17 17:17:11 EDT 2007


David Hopwood wrote:
 > A more common example is that each instance of an
 > editor should only be able to read and write files
 > designated by the user for that instance; not any file
 > that the editor program has ever been asked to edit.
 > (There is a nontrivial, but solvable, design problem
 > here in how to support 'Recently used file' lists.)

Which would seem to require yet another kind of
powerbox, in addition to the file open powerbox.

Retrofitting however, is an insoluble problem, for
though almost all programs use the same module for their
file open and file save dialog, each program handles
recently used file lists differently.

Recently Microsoft has been standardizing the handling
of recently used file lists, but most programs have not
yet standardized.  In order for the amount of highly
trusted software to be small, all programs using
recently used file lists will have to use the same
powerbox.  Powerboxes require that common functionality
be standardized into common trusted modules, but
existing software is, for the most part, not
standardized, and each such program has to be modified -
and it will not be modified.

Recently used file lists normally should appear as part
of the file menu.  The powerbox therefore has to display
the file menu, based on a resource provided by the
program, and receive the user clicks.

Most programs, probably all programs, use standard
software for displaying menus, so the powerbox can hook
existing standards at that point, but existing programs
will require some per-program hacking, with the result
that future releases not specifically written for the
secure environment will break in that environment.  For
programs specifically modified to use standardized
recently used file lists, the recently used file list
should be just another menu item type, delegating to the
powerbox the task of remembering what files were
recently accessed via this menu.

For existing programs however, the program as written,
and the powerbox, will do their remembering in parallel,
and will inevitably get out of sync.  The likely cost
of fixing this excessive authority appears extremely
high.  It will likely be easier to persuade software to
use standardized recently used file lists before closing
this excessive authority.

A way of handling the transition less likely to
aggravate the user is to make non standard recently used
file lists a deprecated install type.  The install
script can give a program the dangerously great
authority to write to any of the last n files it has
been allowed to write to, but use of this authority is
deprecated, and use of standardized recently used file
lists recommended, with the warning that at some future
date an install time request for the authority necessary
to use non standard recently used file lists will result
in install time user dialogs that may well irritate,
frighten and confuse the person doing the install.
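As an added illustration (not code from the thread, from James Donald, or from any capability system he refers to), here is a small Python model of the arrangement the post describes: the trusted powerbox owns the file-open dialog and the recently used file list, renders the "recent" menu from what it remembers, receives the user's clicks on it, and hands an editor instance a capability only for the file the user designated for that instance. The in-memory file store, the class names, and the `user_pick` argument that stands in for the user's choice in a dialog are all constructed for the example.

```python
"""Toy powerbox that owns the 'recently used files' list, so an editor
instance holds capabilities only for files the user designated for it.
Added illustration; not code from the cap-talk thread. The file store,
class names and the user-pick simulation are all constructed."""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass, field

# Constructed stand-in for a filesystem: path -> contents.
FILES: dict[str, str] = {
    "/home/u/notes.txt": "notes",
    "/home/u/secret.txt": "s3cret",
    "/home/u/draft.txt": "draft",
}


@dataclass(frozen=True)
class FileCap:
    """Capability for exactly one file. The program gets read/write on this
    object; it never receives a path it could reuse to name other files."""
    _path: str

    @property
    def name(self) -> str:
        return self._path.rsplit("/", 1)[-1]

    def read(self) -> str:
        return FILES[self._path]

    def write(self, data: str) -> None:
        FILES[self._path] = data


class Powerbox:
    """Trusted module: shows the open dialog, remembers recently used files
    per program (not per instance), renders the 'recent' menu and receives
    the clicks on it. A click is a fresh user designation, so only then
    does the clicking instance receive a capability."""

    def __init__(self, recent_n: int = 3) -> None:
        self._recent: dict[str, deque[str]] = {}
        self._recent_n = recent_n

    def _remember(self, program: str, path: str) -> None:
        lst = self._recent.setdefault(program, deque(maxlen=self._recent_n))
        if path in lst:
            lst.remove(path)
        lst.appendleft(path)  # most recent first; maxlen drops the oldest

    def open_dialog(self, program: str, user_pick: str | None) -> FileCap | None:
        """user_pick simulates what the user chose (None = cancelled)."""
        if user_pick is None or user_pick not in FILES:
            return None
        self._remember(program, user_pick)
        return FileCap(user_pick)

    def recent_menu(self, program: str) -> list[str]:
        """Labels for the menu; the program only supplies the menu slot."""
        return [p.rsplit("/", 1)[-1] for p in self._recent.get(program, [])]

    def open_recent(self, program: str, index: int) -> FileCap | None:
        """Handles a click on the recent menu; the program sees only the
        resulting capability, never the remembered path."""
        lst = self._recent.get(program, deque())
        if not 0 <= index < len(lst):
            return None
        path = lst[index]
        if path not in FILES:  # file vanished since it was remembered
            lst.remove(path)
            return None
        self._remember(program, path)
        return FileCap(path)


@dataclass
class Editor:
    """One instance of the untrusted program. Its only route to a file is
    the powerbox, and it keeps only the caps it was handed."""
    powerbox: Powerbox
    program: str
    caps: list[FileCap] = field(default_factory=list)

    def file_open(self, user_pick: str | None) -> FileCap | None:
        cap = self.powerbox.open_dialog(self.program, user_pick)
        if cap is not None:
            self.caps.append(cap)
        return cap

    def click_recent(self, index: int) -> FileCap | None:
        cap = self.powerbox.open_recent(self.program, index)
        if cap is not None:
            self.caps.append(cap)
        return cap

    def held_files(self) -> list[str]:
        return [c.name for c in self.caps]


def demo() -> dict:
    """Two instances of one program share a recent list, not authority."""
    pb = Powerbox(recent_n=2)
    first = Editor(pb, "editor")
    first.file_open("/home/u/notes.txt").write("notes v2")
    first.file_open("/home/u/draft.txt")
    first.file_open("/home/u/secret.txt")  # pushes notes.txt off the list
    second = Editor(pb, "editor")
    before = second.held_files()  # nothing designated for it yet
    second.click_recent(1)  # user clicks 'draft.txt' in the recent menu
    return {
        "menu": pb.recent_menu("editor"),
        "second_before": before,
        "second_after": second.held_files(),
        "first_holds": first.held_files(),
    }
```

The point of the split is visible in `demo()`: the second instance sees the same recent menu as the first, but until the user clicks an entry it holds no capability at all, and the click is handled by the powerbox rather than by the program. This is the "delegating to the powerbox the task of remembering" arrangement; a program that instead kept its own recent list in parallel would have no way to turn those remembered names back into authority without the user's designation, which is exactly the out-of-sync problem the post describes for unmodified programs.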
