[cap-talk] Failure isolation (was: Re: images and capability security)
Jed Donnelley
capability at webstart.com
Sat Mar 15 14:47:40 EDT 2008
At 10:42 AM 3/15/2008, Toby Murray wrote:
>On Sat, 2008-03-15 at 08:57 -0700, John Carlson wrote:
>...
> > you want the bug to happen in user
> > space. Which would be an argument for not putting file formats into
> > the kernel, drivers, or graphics cards,
>
>...so long as when it executes, it does so
>without the authority to do any more than interpret the image, perhaps
>placing raw pixel data into a predefined buffer somewhere or whatever.
I believe the above is the key point.
However, saying:
>Put the code wherever you like
seems to me overstated, since the authority a program
has seems in so many instances to depend on "where"
it is. Typically code placed in the 'kernel', for example,
has as much authority as is possible in a system. In
some ways that defines the term "kernel". Code in
drivers is also generally similarly trusted with
all the keys to the castle - though I believe what
Toby is suggesting above is that they need not be.
The key to deriving security value from POLA, as Toby
suggests, is ensuring that when programs execute they
have only the authority they need to do what is being
asked of them. In the case of image rendering code,
as Toby notes, it only needs the authority to read its
input and to write its output. Any other authority
(e.g. to access other files, to access the network,
etc.) can only cause problems, and we see exactly those
sorts of problems coming up again and again in the
sorts of security problems that John noted.
I believe that POLA is exactly the solution to those
problems.
Here I'll share a snippet from a proposed prospectus
for our Capability Systems Workshop to get some
feedback (very high level for broad appeal):
________
One straightforward approach to solving the computer
security problem hasn't been tried in the modern era.
This approach is that of Principle Of Least Authority
(POLA) computing. Just as ship builders learned that by
having multiple watertight compartments in their ships
they could keep them from sinking if a compartment was
breached, computer systems can be made resilient to
breaches (e.g. viruses or other forms of "malware") if
they are composed of multiple "watertight" (mutually
suspicious) compartments.
________
I believe the approach of contained failure is rather
widespread in engineering. Another example is in
civil engineering when structures are built. Again
they are constructed so that local failures are
isolated and don't bring the whole structure down.
Reactions are of course welcome, as the above is still
very much a draft.
--Jed http://www.webstart.com/jed-signature.html
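The image-rendering case discussed above (code that needs only the authority to read its input and to write its output), as an added example that is not part of the original post or of any project mentioned in the thread. It is a toy binary PGM (P5) decoder written in the capability discipline: the decoder is handed exactly two callables, a reader and a writer, and never opens files, sockets or anything else on its own. The names `ReadCap`, `WriteCap`, `PixelBuffer`, `render` and the size limit `MAX_DIM` are hypothetical; the two sample images are constructed. The truncated sample shows what contained failure looks like: a malformed input produces a `DecodeError` inside the compartment rather than an out-of-bounds write.

```python
"""Toy POLA-style image decoder: it holds only the authority handed to it."""
from typing import Callable, Tuple, List

# Hypothetical capability types. The decoder is given a reader and a writer
# and nothing else; it has no ambient authority of its own.
ReadCap = Callable[[], bytes]        # returns the whole encoded image
WriteCap = Callable[[bytes], None]   # accepts one decoded row of pixels

MAX_DIM = 4096  # constructed upper bound on width and height


class DecodeError(ValueError):
    """Raised for any malformed input; the failure stays inside the decoder."""


def _parse_header(data: bytes) -> Tuple[int, int, int, int]:
    """Parse 'P5 <width> <height> <maxval>' (whitespace separated).

    Returns (width, height, maxval, offset_of_pixel_data).
    """
    tokens: List[bytes] = []
    i = 0
    while len(tokens) < 4:
        while i < len(data) and data[i] in b" \t\r\n":   # skip whitespace
            i += 1
        start = i
        while i < len(data) and data[i] not in b" \t\r\n":
            i += 1
        if start == i:
            raise DecodeError("truncated header")
        tokens.append(data[start:i])
    if tokens[0] != b"P5":
        raise DecodeError("not a P5 PGM")
    try:
        w, h, maxval = (int(t) for t in tokens[1:])
    except ValueError:
        raise DecodeError("non-numeric header field") from None
    # Bounds-check every dimension before it is used to size anything.
    if not (0 < w <= MAX_DIM and 0 < h <= MAX_DIM and 0 < maxval < 256):
        raise DecodeError("header values out of range")
    # Exactly one whitespace byte separates the header from the pixel bytes.
    return w, h, maxval, i + 1


def decode_pgm(read_input: ReadCap, write_pixels: WriteCap) -> Tuple[int, int]:
    """Decode using only the two capabilities passed in."""
    data = read_input()
    w, h, _maxval, offset = _parse_header(data)
    expected = w * h
    body = data[offset:offset + expected]
    if len(body) != expected:
        raise DecodeError(f"expected {expected} pixel bytes, got {len(body)}")
    for row in range(h):
        write_pixels(body[row * w:(row + 1) * w])
    return w, h


class PixelBuffer:
    """The predefined output buffer; only its write method is handed out."""

    def __init__(self) -> None:
        self.rows: List[bytes] = []

    def write(self, row: bytes) -> None:
        self.rows.append(bytes(row))


def render(encoded: bytes) -> PixelBuffer:
    """Compartment boundary: the caller decides what authority the decoder gets."""
    buf = PixelBuffer()
    decode_pgm(lambda: encoded, buf.write)   # a reader and a writer, nothing more
    return buf


# Constructed sample: 3x2 image, maxval 255, six pixel bytes.
GOOD_IMAGE = b"P5\n3 2\n255\n" + bytes([0, 128, 255, 10, 20, 30])
# Constructed malformed sample: header claims 3x2 but only four pixel bytes follow.
TRUNCATED_IMAGE = b"P5\n3 2\n255\n" + bytes([0, 128, 255, 10])


def demo() -> dict:
    """Decode both samples; the bad one fails inside the compartment."""
    result = {"good": render(GOOD_IMAGE).rows}
    try:
        render(TRUNCATED_IMAGE)
        result["truncated"] = "accepted"
    except DecodeError as err:
        result["truncated"] = str(err)
    return result


if __name__ == "__main__":
    print(demo())
```

The point of `render` is that it is the only place where authority is chosen: whoever calls it can hand the decoder an in-memory byte string and a buffer, so a bug in `decode_pgm` has nothing to reach beyond those two objects. Python itself does not enforce this (the decoder could still call `open()`); in a real system the same interface shape would be backed by an OS-level sandbox or a capability-secure language so that the "nothing else" is enforced rather than merely followed by convention.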