[cap-talk] Reducing Ambient user authority in a Type Safe /Memory Safe OS.
Karp, Alan H
alan.karp at hp.com
Sun Dec 20 21:52:17 PST 2009
Ben Kloosterman wrote:
BK> Disagree that clickjacking is limited to browsers. It affects browsers because it's rendered from CSS and web pages have flexible layout. I have seen clickjacking with forms by using full transparency. This is a bit of an issue for me as it is very likely that the UI I will be using will be rendered (prob. using Moonlight from XAML); the same rules apply, it's just a bit more tricky as the security interacts with the rendering engine.
Clickjacking requires the attacker be able to overlay a powerful UI view rendered transparent over a view of the attacker's choosing. That means the attacker needs a way to name and display the powerful view. If displaying that page requires a capability the attacker doesn't have, the attack fails. Of course, if the attacker has the capability to the page, the attack is unnecessary.
BK> It's the interaction with ACL systems and how to manage if, say, you have a Directory Server, a Capability File Server and an older NT File Server (ACL), machines running Windows 7, Macs and machines running a new Capability OS. How do you interact the capabilities? I'm not designing a research system but a practical one. Windows allows you to add Domain groups to local groups, e.g. you can add Domain Admins to Administrator and Domain Users to Users, and all domain users can then log in with User or Admin rights. How do you model that any user in the organization can log in, get basic rights from the tree, deploy his allocated applications from the tree and access his files on the server? I seem to always need this user-group mapping; is there a nicer way? I need to rethink.
I think CapDesk manages to do what you want. I'd start there.
BK> But VOC, from the little I have read of it, still relies on another user.
I don't know what you mean by "another user." There are many mechanisms to enforce VOC. For example, the user's capability can point to a proxy for the resource, and the proxy will block "mistakes," i.e., delegations that would violate policy.
________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
http://www.hpl.hp.com/personal/Alan_Karp
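One way to realise the proxy mechanism Alan describes (a capability that points to a proxy rather than the resource, with the proxy refusing delegations that would violate policy), as an added example that is not part of the original thread or of any cap-talk project. The class names, principal names and the "allowed recipients" policy are constructed for illustration, and Python's `_attribute` privacy is convention only; the approach assumes the type-safe/memory-safe encapsulation the subject line presupposes.

```python
# Added example (not from the cap-talk post): a VOC-style proxy capability.
class FileResource:
    """The underlying powerful object; only the proxy holds a direct reference."""
    def __init__(self, contents):
        self._contents = contents

    def read(self):
        return self._contents


class DelegationRefused(Exception):
    """Raised when a holder tries to pass the capability outside policy."""


class VocProxy:
    """Capability given to a user: forwards read(), but mediates delegate()."""
    def __init__(self, resource, holder, allowed, log):
        self._resource = resource           # direct reference, held only here
        self.holder = holder                # principal currently holding this proxy
        self._allowed = frozenset(allowed)  # principals a delegation may reach
        self._log = log                     # audit trail shared by all proxies

    def read(self):
        self._log.append(("read", self.holder))
        return self._resource.read()

    def delegate(self, recipient):
        # The policy check lives in the proxy, not in the holder's code, so a
        # delegation that would violate policy is refused regardless of intent.
        if recipient not in self._allowed:
            self._log.append(("refused", self.holder, recipient))
            raise DelegationRefused(f"{self.holder} may not delegate to {recipient}")
        self._log.append(("delegated", self.holder, recipient))
        # The recipient receives its own proxy; the resource object itself is never handed out.
        return VocProxy(self._resource, recipient, self._allowed, self._log)


def demo():
    """Constructed scenario: alice may share with bob, but nobody may reach mallory."""
    log = []
    secret = FileResource("quarterly numbers")
    alice = VocProxy(secret, "alice", {"alice", "bob"}, log)
    bob = alice.delegate("bob")        # within policy: a fresh proxy for bob
    text = bob.read()
    try:
        bob.delegate("mallory")        # outside policy: the proxy blocks it
        blocked = False
    except DelegationRefused:
        blocked = True
    return text, blocked, log
```

The shared log is what lets an administrator see refused delegations as policy events rather than silent failures in the holder's own code.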