[cap-talk] Webbrowser Based OS.

John McCabe-Dansted gmatht at gmail.com
Sat Mar 1 04:51:03 EST 2008


On Sat, Mar 1, 2008 at 7:44 AM, Jed Donnelley <jed at nersc.gov> wrote:
>  I personally believe that until we get capabilities visible
>  outside the API, not just at the application level, but even
>  up at the level where people are aware of them (e.g. as units
>  of sharing/delegation), we won't have a significant impact
>  on the IT world.
>
>  If others don't believe that something like a "caplib" is
>  needed (I can certainly understand that argument), then how
>  do they foresee capabilities providing value to applications
>  and more importantly to people?

Here is a rough proposal for a user-level OS capability UI. This
proposal does not require any new software to be written, but rather
just reconfiguring existing software.

The UI is based on the web browser. When a user wants to run software,
they click on a link and the software appears in the browser window,
much like a Java applet. When they open a file within an "applet" they
give the applet the right to access this file (and only that file).
The user grants special rights (e.g. access to the cd-rom) by dragging
the right into the $HOME/$URL folder.

This OS/UI allows access to much existing software based on GTK,
without the need to modify the software.

Behind the scenes this is what is happening:

1) The "software" is a Klik .cmg; this is run with access to an xnest
window, and confined to $HOME/$URL.

2) We block access to the network using systrace (unless net_cookie
exists in $HOME/$URL).

3) Manage file access using Plash.
  3a) Allow access to Plash's powerbox. (Supports existing GTK applications)
  3b) For extra security disallow writes to sensitive files (e.g.
~/.bashrc) in both systrace and Plash.
[This means that unless both Plash and systrace are circumvented, an
attacker cannot insert a worm into the user's account]
  3c) If the user has dragged e.g. /dev/scd0 into $HOME/$URL, the
software can use the cdrom drive.

4) Capture the xnest window inside Firefox using mozplugger or plugger.
  4b) Allow propagation of cut buffers? See:
   -- http://fixunix.com/xwindows/91014-selection-xnest.html
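As an added example (not from the original post, nor from klik, systrace or Plash), here is a shell function that derives the systrace policy for one web-launched applet from the contents of its $HOME/$URL folder, covering steps 1 to 3c above. The `linux-<syscall>: <condition> then permit|deny[<errno>]` rule syntax with first-match semantics, the `.cmg` path, and the `net_cookie` and `scd0` file names inside the folder are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or from klik/systrace/Plash:
# derive the systrace policy for one web-launched "applet" from the state of
# its $HOME/$URL folder (steps 1 to 3c of the proposal). Assumed: systrace's
# "linux-<syscall>: <condition> then permit|deny[<errno>]" rule syntax with
# first match winning; the names net_cookie and scd0 are illustrative.

# gen_policy APPDIR CMG -> prints the policy for running CMG confined to APPDIR
gen_policy() {
    appdir=$1
    cmg=$2
    printf 'Policy: %s, Emulation: linux\n' "$cmg"
    # 3b) sensitive dotfiles are never writable; listed first so that nothing
    #     below can re-permit them (holds even if Plash is bypassed)
    printf '  linux-fswrite: filename match "%s/.*" then deny[eperm]\n' "$HOME"
    # 1) confinement: reads and writes only inside the applet's own folder
    printf '  linux-fsread: filename match "%s/*" then permit\n' "$appdir"
    printf '  linux-fswrite: filename match "%s/*" then permit\n' "$appdir"
    # 3c) the cd-rom is readable only if the user dragged /dev/scd0 in
    if [ -e "$appdir/scd0" ]; then
        printf '  linux-fsread: filename eq "/dev/scd0" then permit\n'
    fi
    # 2) network only if a net_cookie was dragged into the folder
    if [ -e "$appdir/net_cookie" ]; then
        printf '  linux-socket: permit\n'
        printf '  linux-connect: permit\n'
    else
        printf '  linux-socket: deny[eperm]\n'
        printf '  linux-connect: deny[eperm]\n'
    fi
    # everything else on the filesystem is invisible to the applet
    printf '  linux-fsread: deny[enoent]\n'
    printf '  linux-fswrite: deny[eperm]\n'
}

# Illustrative launch (not executed here): write the policy under ~/.systrace,
# which the 3b rule above keeps read-only for the applet, then start the .cmg
# on the Xnest display under systrace's automatic (non-interactive) mode.
#   gen_policy "$HOME/$URL" "$CMG" > "$HOME/.systrace/$URL.policy"
#   DISPLAY=:1 systrace -a -f "$HOME/.systrace/$URL.policy" "$CMG"
```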


-- 
John C. McCabe-Dansted
PhD Student
University of Western Australia
