[cap-talk] Google Chrome - web browser with sandboxed rendering
James A. Donald
jamesd at echeque.com
Sun Sep 7 20:01:28 CDT 2008
Sandro Magi wrote:
>> It seems clear that as long as address resolution is in a trusted
>> component, then an install-time configuration can endow any application
>> with sockets the user specifies. The user has to specify SMTP,
>> POP3(S)/IMAP(S) servers anyway to set up their accounts, so a standard
>> powerbox interface for such TCP/IP endowments invoked at install-time
>> seems workable to me.
David-Sarah Hopwood wrote:
> Yes, but there's no need to limit this to install-time.
For UI reasons, it needs to be limited to install time in the normal use
case. Changing it at other times should be an extraordinary action for
end users, and one not easy to do.
> So it's clearly more consistent with POLA to
> grant access to logged-in sessions, and reserve the ability to
> open an unconstrained socket to a given address/port as a fallback
> for less common protocols.
Trouble is, if you have fallback, the bad guys and the buggy programs
will use it. You have to secure the hard case, not the easy case.
Your sandboxes have to be sealed tight, and the only ways in and out of
the sandbox have to pass through the powerbox user interface pattern.
Yes, it is not easy to create a user friendly environment under that
constraint. But the success of Polaris, Plash, and the like is a pretty
good indication that it is merely difficult, not impossible.
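The pattern argued over above (address resolution and socket creation kept in a trusted component, the sandboxed application holding only install-time endowments, and any unconstrained address/port request routed through the user rather than granted by the program itself) can be sketched in a few lines. The following is an added illustration, not code from the thread or from any of the systems it names; the class names Powerbox and EndowedSockets, the fake_connect stand-in and the example hosts are all constructed for it.

```python
"""Install-time socket endowment in the capability style discussed above.

The sandboxed app never sees a socket API that takes a host or port. It is
handed an EndowedSockets object whose only choices are the protocol roles
the user configured; the trusted Powerbox is the sole place where a
(host, port) pair turns into a connection. The 'fallback' path for an
arbitrary endpoint exists, but it always goes through a user decision
and leaves an audit record, so a buggy or hostile app cannot quietly
widen its own reach.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Endpoint:
    protocol: str  # role the app asks for, e.g. "smtp" or "imaps"
    host: str
    port: int


class NotEndowed(Exception):
    """The app asked for a destination it was never granted."""


class Powerbox:
    """Trusted component: holds the user's grants and opens connections."""

    def __init__(self, connect: Callable[[str, int], object],
                 prompt: Callable[[str, Endpoint], bool]):
        self._connect = connect          # real systems: the socket layer
        self._prompt = prompt            # real systems: a UI dialog
        self._grants: Dict[str, Dict[str, Endpoint]] = {}
        self.audit: List[Tuple[str, str, str]] = []  # (app, outcome, target)

    def install(self, app: str, endpoints: Iterable[Endpoint]) -> "EndowedSockets":
        # Install-time configuration: the user names the servers once and the
        # app receives an object that can reach those and nothing else.
        self._grants[app] = {e.protocol: e for e in endpoints}
        return EndowedSockets(self, app)

    def _open(self, app: str, protocol: str):
        ep = self._grants.get(app, {}).get(protocol)
        if ep is None:
            self.audit.append((app, "denied", protocol))
            raise NotEndowed(f"{app} holds no {protocol!r} endpoint")
        self.audit.append((app, "opened", f"{ep.host}:{ep.port}"))
        return self._connect(ep.host, ep.port)

    def _fallback(self, app: str, endpoint: Endpoint):
        # Extraordinary path: an arbitrary address/port is granted only by an
        # explicit user decision taken in the trusted UI, never by the app.
        if not self._prompt(app, endpoint):
            self.audit.append((app, "refused", f"{endpoint.host}:{endpoint.port}"))
            raise NotEndowed("user refused fallback socket")
        self._grants.setdefault(app, {})[endpoint.protocol] = endpoint
        self.audit.append((app, "granted", f"{endpoint.host}:{endpoint.port}"))
        return self._open(app, endpoint.protocol)


class EndowedSockets:
    """The only reference the sandboxed app holds. No method takes a host
    or a port: destinations are chosen by the user, not the program."""

    def __init__(self, box: Powerbox, app: str):
        self._box, self._app = box, app

    def open(self, protocol: str):
        return self._box._open(self._app, protocol)

    def request_fallback(self, endpoint: Endpoint):
        return self._box._fallback(self._app, endpoint)


def fake_connect(host: str, port: int):
    # Constructed stand-in for a socket connect so the example runs offline.
    return ("connected", host, port)


def deny_everything(app: str, endpoint: Endpoint) -> bool:
    # Constructed stand-in for the user dialog; the safe default is "no".
    return False


def demo(prompt: Callable[[str, Endpoint], bool] = deny_everything) -> dict:
    """Run a mail client through the endowment, a non-granted role and the
    fallback path; return what it observed plus the powerbox audit trail."""
    box = Powerbox(fake_connect, prompt)
    mail = box.install("mailclient", [
        Endpoint("smtp", "smtp.example.test", 587),    # constructed hosts
        Endpoint("imaps", "imap.example.test", 993),
    ])
    results = {"smtp": mail.open("smtp")}
    try:
        mail.open("http")                 # never configured: refused
    except NotEndowed:
        results["http"] = "denied"
    try:
        mail.request_fallback(Endpoint("raw", "other.example.test", 8080))
        results["fallback"] = "granted"
    except NotEndowed:
        results["fallback"] = "refused"
    results["audit"] = list(box.audit)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The point worth noticing is what is absent: EndowedSockets has no way to name a destination, so the "unconstrained socket" discussed above is not a weaker API the app can reach for, but a separate, user-mediated grant that shows up in the audit trail whether it is refused or allowed.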