[cap-talk] Failure isolation (was: Re: images and capability security)
Pierre THIERRY
nowhere.man at levallois.eu.org
Sat Mar 15 16:39:33 EDT 2008
Jed Donnelley wrote on 15/03/2008 at 11:47:
> >Put the code wherever you like
> seems to me overstated, since the authority a program has seems in so
> many instances to depend on "where" it is.
Isn't it precisely because POLA is not enforced? Kernel code compiled or
interpreted with capability discipline shouldn't be an issue, should it?
Of course, in general it would not be enforcing POLA to execute code in
kernel mode when it's not really necessary, but it could be for
performance or hardware-related reasons.
> One straightforward approach to solving the computer security problem
> hasn't been tried in the modern era. This approach is that of
> Principle Of Least Authority (POLA) computing. Just as ship builders
> learned that by having multiple watertight compartments in their
> ships they could keep them from sinking if a compartment was breached,
> computer systems can be made resilient to breaches (e.g. viruses or
> other forms of "malware") if they are composed of multiple "watertight"
> (mutually suspicious) compartments.
If it's for a workshop about capabilities, doesn't it lack a mention of
their relation to POLA? Something like:
Capabilities are not only a means to achieve POLA in a both humanly and
technically manageable way, but they also provide an expressive
framework to reason about POLA formally and informally.
I like your comparison with watertight compartments. It calls for a
graphical comparison...
Quickly,
Pierre
--
nowhere.man at levallois.eu.org
OpenPGP 0xD9D50D8A