[cap-talk] Failure isolation (was: Re: images and capability security)
Pierre THIERRY
nowhere.man at levallois.eu.org
Mon Mar 17 19:21:21 EDT 2008
lists at notatla.org.uk writes on 17/03/2008 at 22:35:
> > In the case of image rendering code, as Toby notes, it only needs
> > the authority to read its input and to write its output. [...]
> What about
> - (finite) CPU time
> - (finite) working memory
> - to read any file format descriptions provided on the
> system but outside the program (e.g. /usr/share/image-desc/....)
These kinds of authority, the ones that pretty much any program needs to
work, are usually omitted in the informal discussions here, except when
dealing with some details, like program installation or the mechanisms
of instantiation.
But note that most of the time, you can safely assume that some of these
authorities are harmless. I wouldn't say that about the CPU and memory
too quickly, but reading files that are supposed to be read-only doesn't
get you much opportunity for a security breach. Of course, there lies
the assumption that those files are read-only, and when they're not,
they provide a nice overt communication channel...
The devil is in the details.
Harmlessly,
Pierre
--
nowhere.man at levallois.eu.org
OpenPGP 0xD9D50D8A
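As an added example, not from the post or from the list, here is a Python launcher that grants a stand-in renderer only the authorities the thread lists: an input pipe, an output pipe, bounded CPU time and memory, and a read-only directory fd for the format descriptions. It also refuses to run at all while any description file is writable, which is the overt channel Pierre points out. The renderer script, the `png.desc` file and the description directory are constructed for the example; nothing here is a real renderer.

```python
import os, resource, stat, subprocess, sys, tempfile

# Stand-in renderer: names no paths; its authorities are fd 0 (input),
# fd 1 (output) and an inherited read-only directory fd for descriptions.
RENDERER_SRC = (
    "import os, sys\n"
    "descs = os.listdir(int(os.environ['DESC_FD']))\n"
    "sys.stdout.write('%d descs:%s' % (len(descs), sys.stdin.read().upper()))\n")

def writable_descriptions(desc_dir):
    # Any write bit set on a 'read-only' description = the overt channel.
    bits = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH
    return sorted(f for f in os.listdir(desc_dir)
                  if os.stat(os.path.join(desc_dir, f)).st_mode & bits)

def render(data, desc_dir, cpu_seconds=5, mem_bytes=1 << 30):
    leaks = writable_descriptions(desc_dir)
    if leaks:  # refuse to run while the descriptions are a writable channel
        raise PermissionError("writable description files: %s" % leaks)

    def bound():  # runs in the child before exec: finite CPU and memory
        for res, lim in ((resource.RLIMIT_CPU, cpu_seconds), (resource.RLIMIT_AS, mem_bytes)):
            _, hard = resource.getrlimit(res)
            lim = lim if hard == resource.RLIM_INFINITY else min(lim, hard)
            resource.setrlimit(res, (lim, lim))

    dfd = os.open(desc_dir, os.O_RDONLY | os.O_DIRECTORY)
    try:
        proc = subprocess.run([sys.executable, "-I", "-c", RENDERER_SRC],
                              input=data, capture_output=True, check=True,
                              pass_fds=(dfd,), env={"DESC_FD": str(dfd)},
                              preexec_fn=bound)
    finally:
        os.close(dfd)
    return proc.stdout

def demo():
    # Constructed setup: one description file, read-only, then made writable.
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "png.desc")
        with open(path, "w") as f: f.write("PNG: 89 50 4E 47\n")
        os.chmod(path, 0o444)
        out = render(b"image bytes", d)
        os.chmod(path, 0o644)
        try:
            render(b"image bytes", d); refused = False
        except PermissionError:
            refused = True
        return out, refused
```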