[cap-talk] Cap OS question

Ben Kloosterman bklooste at gmail.com
Fri Sep 4 19:46:40 PDT 2009


>I'm not sure how you "check whether there is a capability to
>Autoexec.bat before opening it":
>
> Stream stream = new FileStream( @"C:\AUTOEXEC.BAT" );
>
>but depending on the details, you will be vulnerable to a Confused
>Deputy attack. The above is an example of an ambient authority, though
>you could use something like process or context isolation to map
>private namespaces (ala Plan9 or Plash), in which case the above is no
>longer necessarily ambient.

Yes, exactly: it can check the list of capabilities which belong to the
process. Not as good, but it retains backward compatibility with existing apps.
>
>Still, context isolation can look like black magic to someone inspecting
>the code, so I would avoid it. Something like the above should be:
>
>  void Foo(Directory dir) {
>    ...
>    Stream stream = dir.OpenFileStream("AUTOEXEC.BAT");
>  }
>
>This is better OO code, the capabilities are clear and explicit, and
>assuming Directory follows some basic capability rules, there is no way
>for Foo to access anything else in the file system except what's under
>dir; it's effectively sandboxed. There are of course variants on the
>above, but the fundamental principles are the same.

Agree 100%, and there will probably be a new System.IO, but I also need to
maintain compatibility for existing .NET apps.

Regards, 

Ben 
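The quoted sketch of `Foo(Directory dir)` leaves open what "basic capability rules" a `Directory` type would have to follow. The following is an added, hypothetical C# example, not code from this thread or from any existing System.IO replacement: the `CapIO` namespace, the `Directory` class and its members `OpenFileStream`, `Subdirectory` and `RequirePlainName` are all names chosen here. It assumes only the standard .NET `System.IO` APIs (`Path`, `FileStream`, `FileMode`, `FileAccess`). The rules it enforces are the ones that make the quoted claim hold: no ambient authority (an instance is created only at the trust boundary and passed in), only plain file names are accepted (no separators, `..` or rooted paths, so there is no way to name anything outside the root), and the only route to a subdirectory is a new, narrower `Directory` handed out by the parent (attenuation).

```csharp
using System;
using System.IO;

namespace CapIO
{
    // Hypothetical capability-style directory object (added example).
    // Holding an instance grants access to the files directly under its
    // root and nothing else; there is no method that takes a full path.
    public sealed class Directory
    {
        private readonly string _root; // absolute, normalised, ends with a separator

        // Constructed only at the trust boundary (e.g. by the loader that
        // decides what a component may see). Components receive instances.
        public Directory(string root)
        {
            string full = Path.GetFullPath(root);
            _root = full.TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar)
                    + Path.DirectorySeparatorChar;
        }

        // Rule 1: arguments are plain names, never paths. Anything that could
        // steer resolution outside this directory is rejected up front.
        private static void RequirePlainName(string name)
        {
            if (string.IsNullOrEmpty(name)
                || name == "." || name == ".."
                || name.IndexOfAny(new[] { '/', '\\', ':' }) >= 0
                || Path.IsPathRooted(name))
            {
                throw new UnauthorizedAccessException(
                    $"'{name}' is not a plain name within this Directory");
            }
        }

        // Rule 2: after resolution, confirm the result is still under the root.
        // With Rule 1 this cannot fail, but the check is cheap and documents the
        // invariant for anyone inspecting the class.
        private string Resolve(string name)
        {
            RequirePlainName(name);
            string full = Path.GetFullPath(Path.Combine(_root, name));
            if (!full.StartsWith(_root, StringComparison.Ordinal))
                throw new UnauthorizedAccessException("resolved path escaped the Directory root");
            return full;
        }

        // The operation used in the quoted Foo(Directory dir) example.
        public FileStream OpenFileStream(string name, FileMode mode = FileMode.Open)
        {
            FileAccess access = mode == FileMode.Open ? FileAccess.Read : FileAccess.ReadWrite;
            return new FileStream(Resolve(name), mode, access);
        }

        // Rule 3 (attenuation): a narrower capability is obtained from the
        // parent, never constructed from a string by the component itself.
        public Directory Subdirectory(string name)
        {
            string full = Resolve(name);
            if (!System.IO.Directory.Exists(full))
                throw new DirectoryNotFoundException(full);
            return new Directory(full);
        }
    }

    public static class Demo
    {
        // The component: it can only touch what its argument designates.
        static void Foo(Directory dir)
        {
            using (Stream stream = dir.OpenFileStream("AUTOEXEC.BAT"))
            {
                Console.WriteLine($"opened {stream.Length} bytes via the Directory capability");
            }
        }

        public static void Main()
        {
            // Trust boundary: a scratch directory is created and wrapped here.
            string scratch = Path.Combine(Path.GetTempPath(), "capio-demo-" + Guid.NewGuid().ToString("N"));
            System.IO.Directory.CreateDirectory(scratch);
            File.WriteAllText(Path.Combine(scratch, "AUTOEXEC.BAT"), "@echo off\r\n"); // constructed sample file

            Directory dir = new Directory(scratch);
            Foo(dir); // works: AUTOEXEC.BAT is directly under dir

            // A confused-deputy style argument is refused before any I/O happens.
            foreach (string bad in new[] { "..\\AUTOEXEC.BAT", "/etc/passwd", @"C:\AUTOEXEC.BAT" })
            {
                try { dir.OpenFileStream(bad); Console.WriteLine($"UNEXPECTED: opened {bad}"); }
                catch (UnauthorizedAccessException e) { Console.WriteLine($"refused '{bad}': {e.Message}"); }
            }
        }
    }
}
```

The class is `sealed` and has no method that accepts a path, so a reviewer can see the whole authority of a `Directory` by reading one file; that is the "capabilities are clear and explicit" property the quoted message wants, achieved without the context-isolation "black magic" it warns against. Backward compatibility for existing `new FileStream(@"C:\...")` callers would then be a separate, ambient layer that the capability-aware code simply never links against.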
