[cap-talk] Non user interface attacks (was: Re: High level dissonance)
capability at webstart.com
Sun Feb 24 22:04:57 EST 2008
At 11:26 PM 2/23/2008, Ivan Krstić wrote:
>On Feb 23, 2008, at 7:10 PM, Karp, Alan H wrote:
> > It's a bit general because there are some attacks that are not on
> > users, e.g., some viruses.
>I submit anyone making this statement is
>thinking about the problem incorrectly...
At 02:17 PM 2/24/2008, Karp, Alan H wrote:
>The context of my remark was in regard to
>thinking about the user interface in designing
>secure systems. A number of attacks don't
>exploit flaws in the user interface, e.g., a
>macro virus in a spreadsheet or a drive by download.
I interpret the above as saying that some attacks are not
on user interfaces (rather than not on users). Even then I
think one could question it, but to me it seems clear that
some underlying systems simply provide no means to deliver
user interfaces that are effective in a security/protection
sense. For example, with the typical ambient authority
operating system where programs run as users, there is no
way to provide the security/protection value of a "power box".
The interface equivalent, an open file window, differs in
that the open file window says:
"I have access to all your files and don't need any sort
of permission to access them all. However, I deign to
give you some option about which file I should open on
The power box equivalent is saying:
"I can't open any of your files. If you would like me
to work on one of your files, you need to tell your power
box which one to open and have it give me access to it."
The user interface can be exactly the same, even the
intent is the same (specify a file), but the security/
protection implications are entirely different.
An attack in an application (like Alan's macro and
download examples) is able to do hugely more damage
in an ambient authority system even though the exact
same user interface is used in both cases. In that
sense I would say that the attack isn't on the user
interface, though I would agree that such an attack
is ultimately on the human "user".
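An added example, not from the original post: a small Python model of the two designs described above, with the same stand-in dialog used in both cases. Python itself gives every function ambient authority, so the model expresses the difference by what each application is handed (a path versus an already-opened read-only descriptor) rather than by enforced confinement; the file names and the ReadCap class are constructed for the illustration.

```python
import os
import tempfile

# Constructed sample "home directory": the document the user means to open,
# plus a secret the user never designated.
HOME = tempfile.mkdtemp()
DOC = os.path.join(HOME, "budget.csv")
with open(DOC, "w") as f:
    f.write("q1,100\n")
with open(os.path.join(HOME, "secret.txt"), "w") as f:
    f.write("hunter2\n")

def file_dialog():
    """Stand-in for the open-file dialog; identical in both designs."""
    return DOC

class ReadCap:
    """Read-only handle to one file the powerbox already opened. It carries a
    file descriptor, not a path, so it cannot name or reach any other file."""
    def __init__(self, path):
        self._fd = os.open(path, os.O_RDONLY)

    def read(self):
        os.lseek(self._fd, 0, os.SEEK_SET)
        return os.read(self._fd, 65536).decode()

def app_ambient(path):
    """Ambient-authority app: it received only a designation (a path) and opens
    files with its own authority, so a macro in it reaches every sibling file
    as easily as the one the user chose."""
    folder = os.path.dirname(path)
    reached = {}
    for name in sorted(os.listdir(folder)):
        with open(os.path.join(folder, name)) as f:
            reached[name] = f.read()
    return reached

def app_powerbox(cap):
    """Powerbox-style app: designation and authority arrive together as one
    ReadCap. With no path to walk, the same macro only reads what it was handed."""
    return {"designated": cap.read()}

def run_ambient():
    return app_ambient(file_dialog())

def run_powerbox():
    # The powerbox (trusted, holds the authority) opens the chosen file and
    # hands the app the resulting capability, never the path.
    return app_powerbox(ReadCap(file_dialog()))
```

The user's action is the same in both runs (pick budget.csv); only the ambient version ends up with secret.txt in the application's hands.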