[cap-talk] Plash: Empowering Security

Karp, Alan H alan.karp at hp.com
Sun Apr 6 18:37:30 CDT 2008


Toby Murray wrote:
>
> Anyone interested in POLA needs to know about Plash. It's woefully
> under-hyped and much more powerful than I believe many (including those
> in the POLA community) are aware. I've tried to write something short,
> sharp and sweet to address this. Please read it if you're interested and
> give me feedback. Eventually, I'd like to push this to a wider audience
> to spread the word further but want to get more of a mandate for doing
> so first.
>
I agree about Plash, and I like your write-up.  I don't know if your description is accurate, but one thing does bother me.  I think your use of the terms "safe", "cannot harm", and "secure" are too strong.  Plash limits the damage that can be done by a malicious program, but it doesn't eliminate it.  For example, the program can do anything with the contents of the file it is editing.

________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
http://www.hpl.hp.com/personal/Alan_Karp



> -----Original Message-----
> From: cap-talk-bounces at mail.eros-os.org
> [mailto:cap-talk-bounces at mail.eros-os.org] On Behalf Of Toby Murray
> Sent: Sunday, April 06, 2008 2:06 PM
> To: plash at lists.nongnu.org; cap-talk at mail.eros-os.org
> Subject: [cap-talk] Plash: Empowering Security
>
> Anyone interested in POLA needs to know about Plash. It's woefully
> under-hyped and much more powerful than I believe many (including those
> in the POLA community) are aware. I've tried to write something short,
> sharp and sweet to address this. Please read it if you're interested and
> give me feedback. Eventually, I'd like to push this to a wider audience
> to spread the word further but want to get more of a mandate for doing
> so first.
>
> In particular, comments on how far I've deviated from Plash's current
> feature-set would be most helpful.
>
> Cheers
>
> Toby
>
> Plash: Empowering Security
>
> Toby Murray
>
>
> Introduction
>
> Many people believe that in order to provide security, computers need
> to be locked-down. Users must be prevented from being able to run and
> install arbitrary software that might cause damage or otherwise
> compromise a system's security. Some fear that increasing levels of
> insecurity will hasten a trend towards systems that are less
> customisable and more appliance-like [1]. The power of the PC that
> comes from its ability to be used as a universal machine that can be
> applied to any problem might be lost.
>
> However, while this fear is certainly well founded, despite popular
> belief we do have the tools at our disposal to ensure that the PC can
> be a universal machine that is both inherently powerful /and/
> secure. This note draws attention to one particular tool in existence
> right now that is not only a proof-of-concept for this idea, but also
> a working implementation that allows users to run arbitrary software
> whilst ensuring that both they and the system they are using remain
> secure.
>
>
> Introducing Plash
>
> This tool is called Plash [2] and currently runs on Debian-compatible
> Linux distributions such as Debian and Ubuntu [*]. Plash enables
> ordinary users to install software packages that might have been built
> by anyone in the world, ensuring that the software cannot harm the
> user nor the rest of the system.  This allows non-Administrators to
> install any software they might require in order to get their work
> done.  With Plash, Administrators, meanwhile, need not lie awake
> fretting that their users will have rendered their systems insecure by
> doing so.
>
> The trick lies in how Plash provides its security. We'll use an
> example to illustrate. Suppose Bob, an ordinary user, needs to install
> a new wordprocessor to enable him to work more productively. He checks
> to see whether the wordprocessor is available as a package for his
> system, e.g. by using "apt-cache search" etc. and is pleased to learn
> that it is.  However, his delight is soon dampened when he realises
> that he doesn't have permission to install the package and must ask
> the Administrator, Alice, to install it for him.  Alice must now
> decide whether the wordprocessor can be trusted. In almost all cases,
> unless the software is well known and widely used, Alice has no choice
> but to err on the side of caution and assume it could be dangerous --
> either because it is purposefully malicious or because it contains
> vulnerabilities that, if exploited, could allow an attacker to compromise
> the system's security. Inevitably this leads Alice to deny Bob's
> request to have the package installed. Alice and Bob are both left
> frustrated with Bob unable to do his work. In short, nobody wins.
> Bob's PC is rendered impotent by its archaic requirement that all
> software it runs be trustworthy.
>
> So how does Plash help? With Plash, Bob can simply install the package
> using the "plash-pkg-install" command [3].  When installing the
> package, Plash places it in its own "sandbox" so that it is unable to
> cause harm but does so in such a way that the application is unaware
> that it has been sandboxed. Plash achieves this by /virtualising/ the
> environment in which the installed package lives, thereby allowing it
> to believe it is running as normal when it has actually been
> quarantined away from the rest of the system. Bob can allow the
> wordprocessor to edit any of his files by simply using the "Open File"
> dialog as normal. Plash virtualises this dialog so that it grants the
> wordprocessor access to whatever file Bob chooses to
> open. Alternatively, if the package is configured to recognise files
> of a certain type, Bob can double-click them in the file browser to
> launch the wordprocessor, giving it access to the selected files.
>
> Plash installs the package and all of its dependencies into the same
> sandbox, thereby allowing the package access to the other software and
> libraries it needs to function. Any files that might be created when
> the package is installed are created within the sandbox so that they
> are ready and waiting when the application is run. The application can
> also create its own files within the sandbox. Finally, Plash grants
> access to standard, innocuous, facilities that the application might
> require when it is run, such as the X display system and the network.
>
> Unlike other sandbox approaches, Plash removes the need to specify
> detailed policy information for each application by leveraging the
> information that is already available about the application in the form
> of standard package dependencies and by making smart use of existing
> facilities like the "Open File" dialog to infer security information.
>
> More details about how Plash functions can be found on its website at
> plash.beasts.org.
>
>
> Conclusion
>
> Plash empowers users by enabling them to use their PC to its full
> potential while ensuring that it remains secure. It does so by
> allowing users to install ordinary packages into sandboxes that allow
> them to run as normal while preventing them from harming the rest of
> the system.
>
> Plash demonstrates that by using smart solutions that go beyond
> standard security measures, we can secure the PC without limiting its
> power.
>
>
> Endnotes
>
> [*] The author has no affiliation with the Plash project and is merely
>     an interested fan trying to spread the good word.
>
>
> References
>
> [1] Jonathan Zittrain, "Protecting the Internet Without Wrecking It.
>      How to meet the security threat". Boston Review, March 2008.
>
> [2] Plash: http://plash.beasts.org
>
> [3] Plash Package Tools: http://plash.beasts.org/wiki/PackageTools
>
> _______________________________________________
> cap-talk mailing list
> cap-talk at mail.eros-os.org
> http://www.eros-os.org/mailman/listinfo/cap-talk
>
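Below is an added illustration of the two points in this exchange, a constructed Python model rather than any Plash code: the sandboxed program sees only a virtual namespace, the "Open File" dialog turns the user's choice into a grant in that namespace, and, as Alan notes, whatever was granted is entirely at the program's mercy. All paths and file contents are made up for the demo.

```python
import os
import tempfile

class Namespace:
    """Virtual file namespace handed to a sandboxed program (constructed model):
    the program can only reach real files that were explicitly granted."""
    def __init__(self):
        self._grants = {}                  # virtual path -> (real path, writable)

    def grant(self, vpath, real_path, writable=False):
        self._grants[vpath] = (real_path, writable)

    def open(self, vpath, mode="r"):
        """The sandbox's open(): every path must resolve through a grant."""
        if vpath not in self._grants:
            raise PermissionError(f"{vpath}: not in sandbox namespace")
        real, writable = self._grants[vpath]
        if any(c in mode for c in "wa+") and not writable:
            raise PermissionError(f"{vpath}: read-only grant")
        return open(real, mode)

def powerbox_open(ns, chosen_real_path, writable):
    """Model of the virtualised 'Open File' dialog: the user's pick becomes a
    grant, so choosing the file is the authorisation (no per-app policy file)."""
    vpath = "/doc/" + os.path.basename(chosen_real_path)
    ns.grant(vpath, chosen_real_path, writable)
    return vpath

def untrusted_editor(ns, vpath, carried_away):
    """A program we do not trust: it probes for an ungranted file (blocked),
    then does as it likes with the one file it was given (not blocked)."""
    outcome = {}
    try:
        ns.open("/home/bob/private/notes.txt").read()   # constructed path
        outcome["ungranted_read"] = True
    except PermissionError:
        outcome["ungranted_read"] = False
    with ns.open(vpath, "r+") as f:
        data = f.read()
        carried_away.append(data)          # contents of the granted file leave
        f.seek(0)
        f.write(data.upper())              # and the file itself is rewritten
    outcome["granted_file_copied_out"] = bool(carried_away)
    return outcome

def demo():
    with tempfile.TemporaryDirectory() as d:
        doc = os.path.join(d, "report.txt")
        with open(doc, "w") as f:
            f.write("quarterly numbers")   # constructed document contents
        ns, carried = Namespace(), []
        result = untrusted_editor(ns, powerbox_open(ns, doc, True), carried)
        with open(doc) as f:
            result["doc_after"] = f.read()
        return result
```

Running `demo()` shows the sandbox denying the probe while the granted document is both copied out and overwritten, which is exactly the residual risk Alan's reply points at.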