[cap-talk] Why aren't safer OS being used. [ was Confessions of a C programmer]

Ben Kloosterman bklooste at gmail.com
Sun Sep 27 17:33:15 PDT 2009


>>> Does any Microsoft product has all the following properties?:
>>> - it (and its components) follow POLA
>>> - it is defensively consistent (or even defensively correct)
>>> - it has tiny TCB
>>> - it has minimal reliance relationship.
>>
>> None; I don't think any of these are possible while maintaining backward
>> compatibility, and their customers have always told them compatibility is
>> more important than security.
>
>You are right if you talk about legacy software but there are no excuses
>if you are writing new software. Comparing object-capability security
>model and schemes like this:
>
>@article{1273033,
>author = {Ted Wobber and Aydan Yumerefendi and Mart\'{\i}n Abadi and
>Andrew Birrell and Daniel R. Simon},
>title = {Authorizing applications in singularity},
>journal = {SIGOPS Oper. Syst. Rev.},
>volume = {41},
>number = {3},
>year = {2007},
>issn = {0163-5980},
>pages = {355--368},
>doi = {http://doi.acm.org/10.1145/1272998.1273033},
>publisher = {ACM},
>address = {New York, NY, USA},
>}
>
>I do not believe that Singularity or Midori will be any better than
>Vista, from a security point of view.
>
>I am sorry but this strongly reminds me of a strategy, "ok guys, we do not
>understand how to make robust systems but let us confuse everyone else
>in this matter".

I agree with you on the security side of Singularity (we know nothing about
Midori) but they did know about Object Capabilities. This is the same
reaction Capabilities get at security conferences. Honestly, if I were designing a
mass-market OS I would be a bit sceptical of Capabilities, as it hasn't been
proven in the mass market, nor how it will integrate with Windows/Unix in
networks, directory trees etc.

Note Midori, I hear, is still being built and has been since 2006-2007; the
fact they hired the Coyotos people hints that they want to change the
security model. I don't think people like Jonathan would have joined if all
this was fixed already. If he can convince them a Capability system would
integrate into existing networks and work well with sysadmins/users then
they may change. Only a few people who really know Capability Systems can
have such confidence, which is why other people will go with Hybrids.

This probably goes back to why safer OS aren't being used. Not enough people
know them well enough and all the implications; the earlier systems like
Burroughs didn't need to deal with today's networking of computers, even the
OS/400 used ACLs for some of their networking. How many web servers and
browsers have been built on Capability systems? We believe this will all
work but without some real experience it's a big call.


>> It's not vaporware, it hasn't even been announced (and doesn't exist
>> according to official sources) and yet it hires people. However it may never
>> appear if they decide it's bad business for a Windows successor; the fact no
>> one is talking to me means there is a significant project. I'm pretty certain
>> it will appear as a CE replacement and .NET cloud/app server.
>
>By vaporware I mean a marketing strategy:
>
>Dear customers (or developers), wait 5 years (or so) to Midori. Do not
>start developing or using iPhone or Android applications. Spare that for
>Midori.

Obviously since it's not announced that cannot be the case. Remember
knowledge of Midori was accidentally leaked through the signings and a
Research PowerPoint file that mentioned it for an OS testing framework
(Chess I believe).

>This strategy makes sense for Microsoft to follow.

It was in the 80s and early 90s but I don't think MS is the same company now,
nor will the market and governments accept it. C#/.NET were made open,
Singularity was released to the research community, OS are no longer
pre-announced, MS Research seems to work mostly like research, publishing papers
etc.; there are hundreds of examples. Not saying they are a charity; they are
still a commercial company. I'm sure MS in the 80s and 90s would not have
done any of these things and we wouldn't even know about Singularity (until
a Beta Dev API for Midori was ready). In most cases now when a product is
announced Beta tools are already available and they have handed out early
release licences. (As do Google etc.)


>>
>> I don't think it's a case of not knowing (after all a few Coyotos people
>> work there); you can't really personalize such a large firm
>
>I have heard this before. "Do not personalize Microsoft. It is a
>composition of diverse people." This may be true but individual
>programmers are exchangeable wheels in the machine. What matters is what
>the boss thinks. If the boss evaluates new technology in terms of how it will
>help to sell more copies of Windows, you do not have to investigate what
>individual wheels think, in a similar way to how you do not have to
>consider the few good philosophers that lived in (e.g.) the USSR at the time
>when it invaded and occupied other countries.
>
>Fish smells from the head.

In that sense I don't think there is much difference between any of the
companies these days; the senior execs move, Bill and Paul are gone, and I think
the guy in charge of Midori is the guy who wrote Lotus Notes and came from
IBM. Anyway this is getting OT, though it is valid to consider whether there
is a business case for Midori and I believe there is.

>
>> it's a case of
>> maintaining compatibility. You can see from the Sing document you mention
>> they understand capabilities yet chose not to use a full object-Capability
>> model (except for a few things like Channels).
>
>I am sorry, from what I have read I think they do not understand it. The
>reason why they rejected it is not documented.

Yes, I don't quite get how Channels are capabilities and references are not;
the only thing is the initial Channels are not created by the user and
channels are transferred by the owner to the client. For the rest they went
with a conservative (and complex) ACL scheme.

Regards,


Ben
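An added illustration of the two schemes contrasted in the message above (toy model written for this page, not Singularity's code): on the capability side a channel endpoint is created by the owning service and transferred to the client, and whoever holds that object can use it or pass it on; on the ACL side the service decides by looking the caller's principal name up in a list. The class and function names are assumptions, as is the single-inbox channel model.

```python
# Toy model, not Singularity code: capability-style channel endpoints
# versus a name-based ACL check, compared on delegation to a helper.

class Endpoint:
    """One end of a channel. Holding this object is the authority to send."""
    def __init__(self, owner_inbox: list):
        self._inbox = owner_inbox            # private reference into the owner

    def send(self, msg: str) -> None:
        self._inbox.append(msg)


class CapService:
    """Channel owner: mints endpoints and transfers them to clients."""
    def __init__(self):
        self.inbox: list = []

    def open_channel(self) -> Endpoint:
        return Endpoint(self.inbox)          # only the owner can mint one


class AclService:
    """Name-based scheme: the caller's principal must appear on the list."""
    def __init__(self, allowed: set):
        self.allowed = set(allowed)
        self.inbox: list = []

    def send(self, principal: str, msg: str) -> bool:
        if principal not in self.allowed:
            return False
        self.inbox.append(msg)
        return True


def run_capability_delegation() -> list:
    svc = CapService()
    ep = svc.open_channel()                  # owner -> client transfer
    ep.send("client: fetch page")
    # Delegation is just passing the reference; no configuration changes.
    helper = lambda endpoint: endpoint.send("helper: fetch image")
    helper(ep)
    return svc.inbox


def run_acl_delegation() -> tuple:
    svc = AclService({"client"})             # constructed sample ACL
    first = svc.send("client", "client: fetch page")
    # The helper runs as its own principal; without editing the ACL it is refused.
    second = svc.send("helper", "helper: fetch image")
    return first, second, svc.inbox
```

The same delegation that the capability holder performs by handing over the endpoint requires an administrative ACL change in the name-based scheme, which is the integration cost the message worries about.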


