[e-cvs] cvs commit: e/domains/combex/tech darpaBrowser.html edesk.html index.html opportunity.html screen-shots.html
markm@eros.cs.jhu.edu
Tue, 15 Jan 2002 13:34:42 -0500
markm 02/01/15 13:34:42
Modified: domains/combex/about users.html value-prop.html
domains/combex/contact index.html
domains/combex/tech darpaBrowser.html edesk.html index.html
opportunity.html screen-shots.html
Log:
formatting
Revision Changes Path
1.3 +8 -7 e/domains/combex/about/users.html
Index: users.html
===================================================================
RCS file: /cvs/e/domains/combex/about/users.html,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- users.html 2002/01/15 18:20:50 1.2
+++ users.html 2002/01/15 18:34:42 1.3
@@ -81,13 +81,14 @@
entered pilot operations.</p>
<p>
<p>Combex has specific knowledge of four small companies and one Fortune
- 500 company using the <b><i>E</i></b> platform at this time. Because of the nature of
- the Web, we are aware that other E-based undertakings have been started
- around the world, though we know little else about them: occasionally
- surprising and interesting questions appear on the e-lang discussion list,
- posted by people of unknown origin, people who have presumably been listening
- to the discussions through redirecting mail lists that listen to elang
- itself.</p>
+ 500 company using the <b><i>E</i></b> platform at this time. Because of
+ the nature of the Web, we are aware that other E-based undertakings have
+ been started around the world, though we know little else about them:
+ occasionally surprising and interesting questions appear on the e-lang
+ discussion list, posted by people of unknown origin, people who have presumably
+ been listening to the discussions through redirecting mail lists that
+ listen to elang itself.</p>
+ <p> </p>
<!-- #EndEditable --></TD>
<td width="10%" valign="bottom"> </td>
</TR>
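Review bot: the added `<p> </p>` spacer at the end of this hunk is presentational markup that belongs in a stylesheet margin rather than an empty paragraph, and the `<p>` opened just before "Combex has specific knowledge" in the context lines is still never closed, so the reflowed paragraph is nested inside an unterminated one. While the text is being re-wrapped, the list name is spelled two ways in the same sentence ("e-lang discussion list" vs. "listen to elang itself"); pick one spelling.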
1.3 +14 -12 e/domains/combex/about/value-prop.html
Index: value-prop.html
===================================================================
RCS file: /cvs/e/domains/combex/about/value-prop.html,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- value-prop.html 2002/01/15 18:20:50 1.2
+++ value-prop.html 2002/01/15 18:34:42 1.3
@@ -81,18 +81,20 @@
<p> Lower cost of system maintenance, as requirements placed on the
firewalls become simpler. </p>
</ul>
- Capability security improves reliability in general as well as robustness
- in the face of malicious attack. The reason is simply that, in the absence
- of POLA architectures, applications can clobber one another. An all too
- classic example of this is a true story that happened to one of the Combex
- founders: When installing Microsoft Visual J++ on his Windows system, the
- installation process stomped the PGP plugin for his Outlook Express email
- system. Presumably this happened because the installer overwrote some small
- but critical setting in the Windows Registry, which is globally available
- and globally editable. In a capability secure desktop, there is no such
- globally editable registry. Installation places the configuration settings
- of the individual program into a private space only readable by that single
- application.<!-- #EndEditable --></TD>
+ <p>Capability security improves reliability in general as well as robustness
+ in the face of malicious attack. The reason is simply that, in the absence
+ of POLA architectures, applications can clobber one another. An all too
+ classic example of this is a true story that happened to one of the Combex
+ founders: When installing Microsoft Visual J++ on his Windows system,
+ the installation process stomped the PGP plugin for his Outlook Express
+ email system. Presumably this happened because the installer overwrote
+ some small but critical setting in the Windows Registry, which is globally
+ available and globally editable. In a capability secure desktop, there
+ is no such globally editable registry. Installation places the configuration
+ settings of the individual program into a private space only readable
+ by that single application.</p>
+ <p> </p>
+ <!-- #EndEditable --></TD>
<td width="10%" valign="bottom"> </td>
</TR>
<tr valign="TOP" bgcolor="#0000FF">
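Review bot: wrapping the previously bare text after `</ul>` in a `<p>` is the right fix here, but the empty `<p> </p>` that follows it is a spacer that should be CSS, not markup. The paragraph itself is the document's key reliability argument (a globally editable Registry let one installer clobber another program's plugin), so consider a sentence that ties it back to the POLA bullets above, since readers of the value proposition will not otherwise see why "private space only readable by that single application" addresses the example.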
1.2 +3 -2 e/domains/combex/contact/index.html
Index: index.html
===================================================================
RCS file: /cvs/e/domains/combex/contact/index.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- index.html 2002/01/15 18:08:24 1.1
+++ index.html 2002/01/15 18:34:42 1.2
@@ -66,8 +66,9 @@
contact <a href="mailto:support@erights.org">support@erights.org</a> or
<a href="https://bugs.sieve.net/bugs/?func=addbug&group_id=16380">submit
a bug report</a>.
- <p>For technical support on <i><b>CapDesk</b></i> or the <i><b>Darpa
- Browser</b></i>, <br>
+ <p>For technical support on <i><b><a href="../tech/edesk.html">CapDesk</a></b></i>
+ or the <i><b><a href="../tech/darpaBrowser.html">Darpa Browser</a></b></i>,
+ <br>
contact <a href="mailto:support@combex.com">support@combex.com</a>.
<p>
<!-- #EndEditable --></TD>
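Review bot: the `<p>` opened at "For technical support on" is still not closed after the new anchors are added, and the bug-report `href` in the context line above (`...addbug&group_id=16380`) contains a raw `&` that should be `&amp;` inside an attribute value. The new relative links `../tech/edesk.html` and `../tech/darpaBrowser.html` are consistent with the `domains/combex/tech` files touched in this commit.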
1.3 +211 -177 e/domains/combex/tech/darpaBrowser.html
Index: darpaBrowser.html
===================================================================
RCS file: /cvs/e/domains/combex/tech/darpaBrowser.html,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- darpaBrowser.html 2002/01/15 18:20:50 1.2
+++ darpaBrowser.html 2002/01/15 18:34:42 1.3
@@ -50,32 +50,38 @@
<TR VALIGN="TOP">
<TD WIDTH="10%"> </TD>
<TD><!-- #BeginEditable "LongBody" -->
+ <p> </p>
+ <p align="center"><i>This is the document accepted by Darpa, and is presented
+ as is for historical interest.<br>
+ Current terminology and screen shots have changed since then.</i></p>
<h1>Executive Summary </h1>
- <p>Using the capability-secure open-source <b><i>E</i></b> programming language, and the
- Combex-proprietary Capability Windowing Toolkit (capWT), Combex will develop
- a capability secure Web browser: the HTML rendering engine for the browser
- will be capability confined [<a href="#Lampson1973">Lampson1973</a>, <a href="#Lampson1973">Shap2000</a>]
- so that it may not compromise any part of the system, not even the field
- in the browser which displays the URL.
- <p>The browser will be run on an "E Language Machine". The <b><i>E</i></b> Language
- Machine is a capability secure, trustworthy platform, built on a Sanitized
- Linux: a Linux from which everything has been stripped that is not needed
- to support the <b><i>E</i></b> Language Machine. In particular, all the services normally
- associated with Linux (terminal services, network services above the TCP/IP
- stack, etc.) will be removed, eliminating risk of compromise. The <b><i>E</i></b> Language
- Machine will be a fully functional computing system, but, besides the
- TCB, only programs written in <b><i>E</i></b> and confined as caplets (capability-secured
- applications) will be permitted to execute.
+ <p>Using the capability-secure open-source <b><i>E</i></b> programming language,
+ and the Combex-proprietary Capability Windowing Toolkit (capWT), Combex
+ will develop a capability secure Web browser: the HTML rendering engine
+ for the browser will be capability confined [<a href="#Lampson1973">Lampson1973</a>,
+ <a href="#Lampson1973">Shap2000</a>] so that it may not compromise any
+ part of the system, not even the field in the browser which displays the
+ URL.
+ <p>The browser will be run on an "E Language Machine". The <b><i>E</i></b>
+ Language Machine is a capability secure, trustworthy platform, built on
+ a Sanitized Linux: a Linux from which everything has been stripped that
+ is not needed to support the <b><i>E</i></b> Language Machine. In particular,
+ all the services normally associated with Linux (terminal services, network
+ services above the TCP/IP stack, etc.) will be removed, eliminating risk
+ of compromise. The <b><i>E</i></b> Language Machine will be a fully functional
+ computing system, but, besides the TCB, only programs written in <b><i>E</i></b>
+ and confined as caplets (capability-secured applications) will be permitted
+ to execute.
<p>Combex will supply 2 rendering engines. A Benign Renderer will underpin
the web browser for traditional browsing purposes. A Malicious Renderer
will, when loaded, relentlessly attempt to escape from its capability
confinement, reporting on its results as it makes attacks.
- <p>Combex was founded by, and is led by, the core developers of the <b><i>E</i></b> language
- system and the publicly available applications written in that language.
- Bringing the powers of E, E's developers, and the Capability Windowing
- Toolkit together in a single focused effort on this contract allows Combex
- to deliver a reliable, robust capability secure system at high speed and
- with essentially no risk.
+ <p>Combex was founded by, and is led by, the core developers of the <b><i>E</i></b>
+ language system and the publicly available applications written in that
+ language. Bringing the powers of E, E's developers, and the Capability
+ Windowing Toolkit together in a single focused effort on this contract
+ allows Combex to deliver a reliable, robust capability secure system at
+ high speed and with essentially no risk.
<h1>Statement of Work</h1>
<p><b>Objective: </b>Provide a brief overview of the specialty area and
what is to be accomplished
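Review bot: the second citation link in the reflowed Executive Summary still points at the wrong anchor: `<a href="#Lampson1973">Shap2000</a>` sends the reader to the Lampson entry instead of whatever id the references list gives Shap2000. This was already wrong in revision 1.2 and a reflow that touches the line is the place to fix it. The new italic "presented as is for historical interest" note is a good addition given that the `<p>` elements in this block are still unclosed; none of the paragraphs in the hunk have `</p>`.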
@@ -99,8 +105,8 @@
by malicious code) cannot compromise any other aspect of the computer
or the display, up to and including the presentation of the URL from which
the page was fetched.
- <p><b>Scope:</b> Provide a statement of what the SOW covers including
- the area to be investigated, objectives/goals, and major milestones.
+ <p><b>Scope:</b> Provide a statement of what the SOW covers including the
+ area to be investigated, objectives/goals, and major milestones.
<p>
<p>This project will investigate the application of capability security
to a client application problem of moderate complexity, namely, the confinement
@@ -111,21 +117,24 @@
diverse computing requirements. The major milestones include:
<p>
<ul>
- <li>4 Month Milestone: Combex will deliver a demo of a preliminary capBrowseFrame
- running with the Benign Renderer and an early prototype of the Malicious
- Renderer. This demo will not include the Sanitized Linux.
- <li>8 Month Milestone: Combex will demonstrate a preliminary version of
- the entire <b><i>E</i></b> Language Machine running capBrowseFrame and both renderers.
- This system will not yet have been reviewed by our outside consultants,
- and will not have been fully tested.
+ <li>
+ <p>4 Month Milestone: Combex will deliver a demo of a preliminary capBrowseFrame
+ running with the Benign Renderer and an early prototype of the Malicious
+ Renderer. This demo will not include the Sanitized Linux. </p>
+ <li>
+ <p>8 Month Milestone: Combex will demonstrate a preliminary version
+ of the entire <b><i>E</i></b> Language Machine running capBrowseFrame
+ and both renderers. This system will not yet have been reviewed by
+ our outside consultants, and will not have been fully tested. </p>
<li>
<p>12 Month Milestone, Contract Completion: Combex will deliver all
the items specified in the Deliverables section earlier in this document.
+ </p>
</ul>
- <p><b>Task/Technical Requirements:</b> Provide a description of tasks,
- which represent the work to be performed, developed in an orderly
- progression and in enough detail to establish the feasibility of accomplishing
- the overall program goals.
+ <p><b>Task/Technical Requirements:</b> Provide a description of tasks, which
+ represent the work to be performed, developed in an orderly progression
+ and in enough detail to establish the feasibility of accomplishing the
+ overall program goals.
<ul>
<li>
<p>Develop the capBrowseFrame, based on capWT, which drives the browser
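Review bot: the 12-month milestone refers to "the Deliverables section earlier in this document", but the Deliverables list appears later in the file (the hunk at `@@ -146,49 +156,56 @@` below), so "earlier" should read "later" or "below". The `<li>` elements are wrapped in `<p>` now but still carry no closing `</li>`; if the point of this commit is formatting, close them so the three milestones render as one consistent list.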
@@ -134,7 +143,8 @@
<p> Develop the Benign Renderer and the basic Malicious Renderer plug-ins
for capBrowseFrame
<li>
- <p> Develop the Sanitized Linux that underpins the <b><i>E</i></b> Language Machine
+ <p> Develop the Sanitized Linux that underpins the <b><i>E</i></b> Language
+ Machine
<li>
<p> Integrate Sanitized Linux, the Java Runtime Environment, and the
<b><i>E</i></b> Interpreter, into the <b><i>E</i></b> Language Machine
@@ -146,49 +156,56 @@
<li>
<p> Make final delivery
</ul>
- <p><b>Deliverables: </b>
+ <p><b>Deliverables: </b>
<ul>
- <li>Monthly status report
- <li>Report describing the architecture of the system, analysis made by
- the outside security reviewers and their attempts at breaching the system.
- The report shall also describe and analyze the potential alternative
- technologies for <i>Capability based Clients</i> including both innovations
- explored and alternatives to explored innovations, discussion of their
- features, and justification for the design choices made by the research
- team, as specified by ATIAS.
- <li> Full source code and binaries for the Sanitized Linux OS, the <b><i>E</i></b> Language
- Virtual Machine and Interpreter, capWT, capBrowseFrame, the Benign Renderer
- and the Malicious Renderer. We explicitly note that the sources for
- the Java Runtime Environment will <i>not</i> be included due to uncertainties
- about issues with its Community License. These sources are readily available
- from other places.
- <li> License to use capWT: As a part of this contract, Combex will open-source
- capWT under the Mozilla license. We believe this will accelerate development
- of capability systems throughout the industry, and particularly in further
- work on capability secure military systems.
- <li> One complete computer that, upon boot-up, becomes a capability-secure
- <b><i>E</i></b> Language Machine and runs Edesk, the <b><i>E</i></b> software development environment
- Ebrowser, and the capBrowseFrame with both the Benign Renderer and the
- Malicious Renderer plug-ins.
- <li> Installation manual for turning additional computers into <b><i>E</i></b> Language
- Machines.
+ <li>
+ <p>Monthly status report </p>
+ <li>
+ <p>Report describing the architecture of the system, analysis made by
+ the outside security reviewers and their attempts at breaching the
+ system. The report shall also describe and analyze the potential alternative
+ technologies for <i>Capability based Clients</i> including both innovations
+ explored and alternatives to explored innovations, discussion of their
+ features, and justification for the design choices made by the research
+ team, as specified by ATIAS. </p>
+ <li>
+ <p> Full source code and binaries for the Sanitized Linux OS, the <b><i>E</i></b>
+ Language Virtual Machine and Interpreter, capWT, capBrowseFrame, the
+ Benign Renderer and the Malicious Renderer. We explicitly note that
+ the sources for the Java Runtime Environment will <i>not</i> be included
+ due to uncertainties about issues with its Community License. These
+ sources are readily available from other places. </p>
+ <li>
+ <p> License to use capWT: As a part of this contract, Combex will open-source
+ capWT under the Mozilla license. We believe this will accelerate development
+ of capability systems throughout the industry, and particularly in
+ further work on capability secure military systems. </p>
+ <li>
+ <p> One complete computer that, upon boot-up, becomes a capability-secure
+ <b><i>E</i></b> Language Machine and runs Edesk, the <b><i>E</i></b>
+ software development environment Ebrowser, and the capBrowseFrame
+ with both the Benign Renderer and the Malicious Renderer plug-ins.
+ </p>
+ <li>
+ <p> Installation manual for turning additional computers into <b><i>E</i></b>
+ Language Machines. </p>
</ul>
<h1>Technical Approach and Relevant Capabilities</h1>
<h3>Combex and its Relevant Technologies</h3>
<p>Combex was founded in 1999,to pursue opportunities for capability security
in the financial and software development sectors. Combex is the home
of the world's greatest repository of expertise on the capability-secure,
- open-source <b><i>E</i></b> Programming Language. The Chief Technology Officer (CTO)
- of Combex is Mark Miller, the chief architect and implementor of E, and
- the central coordinator of open source <b><i>E</i></b> project. The Chief Operating
- Officer (COO) of Combex is Marc Stiegler, the developer of over half of
- all publicly available <b><i>E</i></b> applications deployed in the world today, and
- author of the book (currently in draft form) <b><i>E</i></b> in a Walnut [<a href="#Stiegler2001">Stiegler2001</a>].
- In addition, Mr. Stiegler is the chief architect for the Capability Windowing
- Toolkit (capWT), a proprietary Combex technology for imposing capability
- discipline on mutually suspicious application subsystems that must share
- screen and keyboard/mouse resources in a graphical user interface (gui)
- environment.
+ open-source <b><i>E</i></b> Programming Language. The Chief Technology
+ Officer (CTO) of Combex is Mark Miller, the chief architect and implementor
+ of E, and the central coordinator of open source <b><i>E</i></b> project.
+ The Chief Operating Officer (COO) of Combex is Marc Stiegler, the developer
+ of over half of all publicly available <b><i>E</i></b> applications deployed
+ in the world today, and author of the book (currently in draft form) <b><i>E</i></b>
+ in a Walnut [<a href="#Stiegler2001">Stiegler2001</a>]. In addition, Mr.
+ Stiegler is the chief architect for the Capability Windowing Toolkit (capWT),
+ a proprietary Combex technology for imposing capability discipline on
+ mutually suspicious application subsystems that must share screen and
+ keyboard/mouse resources in a graphical user interface (gui) environment.
<p>E itself is the result of over $10M of research and development over
a seven year period; its development was first initiated by the company
Communities.com for the implementation of a capability secure decentralized
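Review bot: the fifth deliverable reads "runs Edesk, the E software development environment Ebrowser, and the capBrowseFrame", which makes Ebrowser look like the name of the development environment; a comma or separate list item after "environment" would make clear whether two things or three are delivered. Also in this hunk, the `<p><b>Deliverables: </b>` line changes only trailing whitespace, and the context lines carry "founded in 1999,to" (missing space) and "coordinator of open source E project" (missing "the"), both worth fixing while the block is being re-wrapped.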
@@ -200,23 +217,23 @@
Virtual Machine (jvm), versions 1.3 and above. The language not only implements
capability security within single-computer applications, it applies capability
security to distributed systems with strong encryption that is built into
- the infrastructure: <b><i>E</i></b> programmers are not burdened with security considerations
- for their distributed systems, all communication is automatically encrypted,
- and remote computation objects are automatically authenticated. In addition,
- <b><i>E</i></b> uses a promise-based architecture for distributed computation, eschewing
- threads for concurrency control. This eliminates the traditional Sword
- of Damocles that hangs over all thread-based programming, the threat of
- deadlock. A particular feature of <b><i>E</i></b> critical to the success of this project
- is the power to implement <i>caplets</i>, software applications that are
- confined by capability discipline even if they share cpu, disk, and memory
- resources.
- <p>A more complete description of the specific characteristics of <b><i>E</i></b> that
- make it a "capability secure language" can be found in the References.
- Further reading on E's other special and powerful characteristics can
- also be found in the References at the end of this proposal.
- <p>Though <b><i>E</i></b> is missing several features needed for a version 1.0 release,
- all implemented features have been proven robust through a series of actual
- application development efforts including:
+ the infrastructure: <b><i>E</i></b> programmers are not burdened with
+ security considerations for their distributed systems, all communication
+ is automatically encrypted, and remote computation objects are automatically
+ authenticated. In addition, <b><i>E</i></b> uses a promise-based architecture
+ for distributed computation, eschewing threads for concurrency control.
+ This eliminates the traditional Sword of Damocles that hangs over all
+ thread-based programming, the threat of deadlock. A particular feature
+ of <b><i>E</i></b> critical to the success of this project is the power
+ to implement <i>caplets</i>, software applications that are confined by
+ capability discipline even if they share cpu, disk, and memory resources.
+ <p>A more complete description of the specific characteristics of <b><i>E</i></b>
+ that make it a "capability secure language" can be found in
+ the References. Further reading on E's other special and powerful characteristics
+ can also be found in the References at the end of this proposal.
+ <p>Though <b><i>E</i></b> is missing several features needed for a version
+ 1.0 release, all implemented features have been proven robust through
+ a series of actual application development efforts including:
<p align=CENTER> <img src="../edesk/images/3desk.gif" name="Graphic1" align=BOTTOM width=822 height=598 border=0>
<p align=CENTER> <b>Figure 1: Securit-Edesk with windows on Windows, Sun,
and Linux file systems</b>
@@ -231,11 +248,12 @@
protocol) and secure connections (as you would get through an SSH connection).
This tool is used on a daily basis in several projects for Fortune 500
companies. A small sample can be seen in Figure 1.
- <li> <b><i>E</i></b> Web Server: A small web server that can recognize browser requests
- for URLs which represent <b><i>E</i></b> services on a distributed network. Requests
- for these URLs are forwarded to the specified service for fulfillment.
- The <b><i>E</i></b> Web Server supplies for <b><i>E</i></b> programs a functionality akin to that
- supplied by the Sun Java Web Server for Java servlets, though the <b><i>E</i></b>
+ <li> <b><i>E</i></b> Web Server: A small web server that can recognize
+ browser requests for URLs which represent <b><i>E</i></b> services on
+ a distributed network. Requests for these URLs are forwarded to the
+ specified service for fulfillment. The <b><i>E</i></b> Web Server supplies
+ for <b><i>E</i></b> programs a functionality akin to that supplied by
+ the Sun Java Web Server for Java servlets, though the <b><i>E</i></b>
Web Server directly and inherently supports capability secure distributed
backend functionality.
<li> Combex Marketplace: A capability secures exchange for fungible goods
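Review bot: the context line immediately after the reflowed item reads "A capability secures exchange for fungible goods"; "secures" should be "secure". The E Web Server item itself is fine, though "directly and inherently supports capability secure distributed backend functionality" is the claim a reader of a security proposal will want substantiated, so a pointer to the references entry that describes the forwarding of URL requests to E services would help.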
@@ -247,7 +265,8 @@
<li> Enterprise-Wide Secure Application Prototype: A prototype for a proprietary
Enterprise-wide secure distributed system for a Fortune 500 company.
Work on a limited-deployment version for this system is about to begin,
- and the developers plan to use <b><i>E</i></b> technologies for this version as well.
+ and the developers plan to use <b><i>E</i></b> technologies for this
+ version as well.
</ul>
<p>The capWT windowing toolkit is an abstraction layer built on top of the
Java AWT/SWING foundation classes for capability secure gui support. Since
@@ -264,56 +283,67 @@
<h3>Technical Approach</h3>
<p>The basic strategy of development will be to build up an "E Language
Machine" from a "sanitized" Linux OS. This machine will
- be able to run <b><i>E</i></b> programs and caplets. It will be a general-purpose computer
- in the normal sense of the word, having the full Turing-machine power
- enabled by the <b><i>E</i></b> language. But it will be safe from the inadvertent launch
- of other Linux applications and services that could compromise the system
- by striking from "below" the <b><i>E</i></b> level.
+ be able to run <b><i>E</i></b> programs and caplets. It will be a general-purpose
+ computer in the normal sense of the word, having the full Turing-machine
+ power enabled by the <b><i>E</i></b> language. But it will be safe from
+ the inadvertent launch of other Linux applications and services that could
+ compromise the system by striking from "below" the <b><i>E</i></b>
+ level.
<p align=CENTER><img src="../edesk/images/browser-arch.gif" name="Graphic2" align=BOTTOM width=608 height=530 border=0>
- <p align=CENTER> <b>Figure 2: <b><i>E</i></b> Language Machine with Capability secure
- Client</b>
+ <p align=CENTER> <b>Figure 2: <b><i>E</i></b> Language Machine with Capability
+ secure Client</b>
<p>This technical approach is depicted in Figure 1. Starting at the bottom
and working to the top, the components of the system are:
<ul>
- <li>Sanitized Linux OS: This is a minimal Linux that includes a process
- scheduler, a file system, a TCP/IP stack and an Xwindows gui framework
- but little else. There will be no xterm, or indeed any terminal of any
- kind, for example. It will be built using one of several commercially
- available tools for creating custom Linux OS's for embedded applications.
- <li>Java Virtual Machine: When the sanitized Linux boots, it will launch
- one Java Virtual Machine. This will be the first and last application
- the OS ever launches.
- <li> <b><i>E</i></b> Language Interpreter: The Java Virtual Machine will, in turn, launch
- an <b><i>E</i></b> interpreter. And that will be the last application the JVM ever
- launches.
- <li> Edesk: Edesk will supply a point-and-click interface to the file
- system and other system resources. Edesk will be able to launch multiple
- <b><i>E</i></b> applications and caplets.
- <li>capWT: capWT, as described earlier, is an abstraction layer that supplies
- securable gui tools to caplets.
- <li>capBrowseFrame: capBrowseFrame is a caplet that receives the basic
- screen/keyboard capabilities from capWT, and also receives a Web-browser-specific
- capability to access Web pages using URLs. capBrowseFrame supports "plug-in"
- HTML rendering engines; the capabilities conferred on the rendering
- engine are narrowly constrained, sufficient for the renderer to fulfill
- its function, but not sufficient for any other purpose: capBrowseFrame
- will impose the Principle of Least Authority upon the renderer with
- a vengeance. capBrowseFrame controls the field in which the URL is displayed,
- and also controls actual access to actual Web pages, ensuring that the
- URL is always correct and accurate. If a Web page is requested, either
- by the user or the renderer, which does not exist, the capBrowseFrame
- will display a message explaining why the URL cannot be accurately displayed.
- <li>Benign Renderer: This is a plug-in for capBrowseFrame that renders
- Web pages according to the HTML specification. It will be based on the
- Java Swing HTML-rendering widget, and will supply all the base functionality
- of that widget.
- <li> Malicious Renderer: This is a plug-in for capBrowseFrame that does
- not bother to render HTML, but rather spends all its time attempting
- to penetrate the capability discipline within which it is has been confined.
- It will report on its progress as it attempts to read files, write files,
- alter the screen outside its assigned window panel (including attempts
- to alter the field displaying the URL), and communicate with the outside
- world.
+ <li>
+ <p>Sanitized Linux OS: This is a minimal Linux that includes a process
+ scheduler, a file system, a TCP/IP stack and an Xwindows gui framework
+ but little else. There will be no xterm, or indeed any terminal of
+ any kind, for example. It will be built using one of several commercially
+ available tools for creating custom Linux OS's for embedded applications.
+ </p>
+ <li>
+ <p>Java Virtual Machine: When the sanitized Linux boots, it will launch
+ one Java Virtual Machine. This will be the first and last application
+ the OS ever launches. </p>
+ <li>
+ <p><b><i>E</i></b> Language Interpreter: The Java Virtual Machine will,
+ in turn, launch an <b><i>E</i></b> interpreter. And that will be the
+ last application the JVM ever launches. </p>
+ <li>
+ <p> Edesk: Edesk will supply a point-and-click interface to the file
+ system and other system resources. Edesk will be able to launch multiple
+ <b><i>E</i></b> applications and caplets. </p>
+ <li>
+ <p>capWT: capWT, as described earlier, is an abstraction layer that
+ supplies securable gui tools to caplets. </p>
+ <li>
+ <p>capBrowseFrame: capBrowseFrame is a caplet that receives the basic
+ screen/keyboard capabilities from capWT, and also receives a Web-browser-specific
+ capability to access Web pages using URLs. capBrowseFrame supports
+ "plug-in" HTML rendering engines; the capabilities conferred
+ on the rendering engine are narrowly constrained, sufficient for the
+ renderer to fulfill its function, but not sufficient for any other
+ purpose: capBrowseFrame will impose the Principle of Least Authority
+ upon the renderer with a vengeance. capBrowseFrame controls the field
+ in which the URL is displayed, and also controls actual access to
+ actual Web pages, ensuring that the URL is always correct and accurate.
+ If a Web page is requested, either by the user or the renderer, which
+ does not exist, the capBrowseFrame will display a message explaining
+ why the URL cannot be accurately displayed. </p>
+ <li>
+ <p>Benign Renderer: This is a plug-in for capBrowseFrame that renders
+ Web pages according to the HTML specification. It will be based on
+ the Java Swing HTML-rendering widget, and will supply all the base
+ functionality of that widget. </p>
+ <li>
+ <p> Malicious Renderer: This is a plug-in for capBrowseFrame that does
+ not bother to render HTML, but rather spends all its time attempting
+ to penetrate the capability discipline within which it is has been
+ confined. It will report on its progress as it attempts to read files,
+ write files, alter the screen outside its assigned window panel (including
+ attempts to alter the field displaying the URL), and communicate with
+ the outside world. </p>
</ul>
<p>We believe that the Sanitized Linux, operating within the constraints
outlined above, achieves the goal of creating a trustworthy boot process
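Review bot: the sentence right after the caption, "This technical approach is depicted in Figure 1", refers to the wrong figure; the image above it is captioned Figure 2 (Figure 1 is the Edesk screenshot earlier in the file). The Figure 2 caption also nests `<b>` inside `<b>` (`<b>Figure 2: <b><i>E</i></b> Language Machine ...</b>`), so the inner `</b>` ends the bold early and the trailing `</b>` is stray; use `<i>E</i>` alone inside the bold caption. Finally, the Malicious Renderer item still says "within which it is has been confined" (drop "is"), and the `<li>` elements throughout this list lack `</li>`.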
@@ -328,15 +358,18 @@
any attempts at malicious behavior will require the use of these capabilities
alone.
<ul>
- <li>Drawing Control over a single Graphical Panel: The renderer can draw
- anything it likes inside the authorized panel.
- <li>Read Authority for keyboard/mouse events within the panel: The renderer
- can receive notification of user input events, if and only if those
- events are directed to the panel the renderer controls.
- <li>Authority to request from capBrowseFrame the data from an URL embedded
- in the current page. The renderer must designate for capBrowseFrame
- the location in the current page where this URL is described as a link
- target.
+ <li>
+ <p>Drawing Control over a single Graphical Panel: The renderer can draw
+ anything it likes inside the authorized panel. </p>
+ <li>
+ <p>Read Authority for keyboard/mouse events within the panel: The renderer
+ can receive notification of user input events, if and only if those
+ events are directed to the panel the renderer controls. </p>
+ <li>
+ <p>Authority to request from capBrowseFrame the data from an URL embedded
+ in the current page. The renderer must designate for capBrowseFrame
+ the location in the current page where this URL is described as a
+ link target. </p>
</ul>
<p>Implicit authority conveyed to the renderer are the authority to allocate
RAM (create objects), consume CPU time (do computations), and deallocate
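Review bot: this list is the complete set of authorities the security argument rests on, so it is worth making the third item explicit about who checks the designation: it says the renderer "must designate for capBrowseFrame the location in the current page where this URL is described as a link target", and the capBrowseFrame description earlier says the frame "controls actual access to actual Web pages, ensuring that the URL is always correct and accurate"; a cross-reference here that capBrowseFrame validates the designated location against the page it fetched would close that loop for a reviewer reading the list on its own. Minor: "an URL" should be "a URL", and the `<li>` tags remain unclosed.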
@@ -351,7 +384,7 @@
user's entire screen. We believe these properties cover all the security
requirements stipulated in the FRT. Nonetheless; here is a sample of more
complex attacks and their consequences.
- <div align="center">
+ <div align="center">
<table width=590 border=1 cellpadding=1 cellspacing=0>
<col width=292> <col width=292>
<tr valign=TOP>
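Review bot: the only change in this hunk is trailing whitespace on `<div align="center">`, which produces diff noise for no rendered difference; editors that strip trailing whitespace on save should be configured so. In the context lines, "Nonetheless; here is a sample" wants a comma rather than a semicolon.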
@@ -407,13 +440,13 @@
<td width=292>
<p>All known practical security systems are subject to such covert
channel “wall banging” attacks, and the best limitation
- normally attempted is to limit its bandwidth. <b><i>E</i></b> addresses instead
- the other half of the problem, where a true solution is indeed
- possible. For the conspiring caplet to read bits from a covert
- channel (to “wall listen”), it must have access to a
- clock or some source of non-determinism. The web browsing caplet
- described here cannot wall-listen because it does not have such
- access.
+ normally attempted is to limit its bandwidth. <b><i>E</i></b>
+ addresses instead the other half of the problem, where a true
+ solution is indeed possible. For the conspiring caplet to read
+ bits from a covert channel (to “wall listen”), it must
+ have access to a clock or some source of non-determinism. The
+ web browsing caplet described here cannot wall-listen because
+ it does not have such access.
</td>
</tr>
</table>
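Review bot: the rewrapped covert-channel paragraph leaves its `<p>` open until `</td>`, while the darpaBrowser list hunk in this same commit closes every `</p>`; pick one convention for the file. The curly quotes around “wall listen” are embedded as raw characters; use `&ldquo;`/`&rdquo;` (or confirm the page declares its charset) so they do not render as mojibake on a default-Latin-1 client.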
@@ -451,7 +484,6 @@
in the long-term would be to use the ENative runtime environment, currently
in a nascent stage of development, designed to be deployed with capability
operating systems such as EROS.
-
<h3>Key personnel </h3>
<p>
<p><b>Mark Miller</b>, the CTO of Combex, will be one of the two Lead Investigators
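Review bot: removing the blank line before `<h3>Key personnel </h3>` is fine, but the bare `<p>` on the line after the heading is an empty spacer paragraph (also present before the References list later in this file); drop it and let the heading margin do the spacing, and trim the trailing space inside `<h3>Key personnel </h3>`.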
@@ -461,20 +493,20 @@
according to these criteria include <i>Vulcan</i> for Xerox PARC, <i>Trusty
Scheme</i> for AutoDesk, <i>Joule</i> for Agorics, <i>Tclio/WebMart</i>
for Sun Labs. As noted earlier, Mr. Miller is now the chief architect
- of <b><i>E</i></b> and the central coordinator of the open source <b><i>E</i></b> project. In this
- role he not only manages source code, and design and implementation of
- future versions of E, he also works to prepare the world for capability
- security in general. Mr. Miller instigated the <b><i>E</i></b> Language Discussion group
- (<a href="mailto:e-lang@eros-os.org">e-lang@eros-os.org</a>). This email
- list supports some of the most invigorating discussions of security taking
- place today, with regular participation by people such as Hal Finney,
- Jonathan Shapiro, Ben Laurie, and David Wagner. Recently Mr. Miller created
- CapIDL, an interface definition language for integrating capability secure
- languages with capability secure operating systems, another milestone
- on the path to a unified, secure future. Mr. Miller is the inventor on
- six patents in the areas of cryptographic protocols, automated combination
- auctions, and distributed secure object systems. He has three more patents
- pending.
+ of <b><i>E</i></b> and the central coordinator of the open source <b><i>E</i></b>
+ project. In this role he not only manages source code, and design and
+ implementation of future versions of E, he also works to prepare the world
+ for capability security in general. Mr. Miller instigated the <b><i>E</i></b>
+ Language Discussion group (<a href="mailto:e-lang@eros-os.org">e-lang@eros-os.org</a>).
+ This email list supports some of the most invigorating discussions of
+ security taking place today, with regular participation by people such
+ as Hal Finney, Jonathan Shapiro, Ben Laurie, and David Wagner. Recently
+ Mr. Miller created CapIDL, an interface definition language for integrating
+ capability secure languages with capability secure operating systems,
+ another milestone on the path to a unified, secure future. Mr. Miller
+ is the inventor on six patents in the areas of cryptographic protocols,
+ automated combination auctions, and distributed secure object systems.
+ He has three more patents pending.
<p>Prior to taking on the central role for E, Mr. Miller was a lead architect
for the EC-Habitats capability-secure decentralized social virtual reality
under development at Communities.com Communities.com. During the Beta
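Review bot: the sentence "In this role he not only manages source code, and design and implementation of future versions of E, he also works…" is ungrammatical as rewrapped; suggest "not only manages source code and the design and implementation of future versions of E, but also works to prepare…". The unchanged context line "under development at Communities.com Communities.com" repeats the company name and should be corrected in the same pass.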
@@ -489,8 +521,8 @@
the heretofore disjoint research tracks of object-oriented programming,
capability security, and public key cryptography into a coherent whole.
<p><b>Marc Stiegler</b>, the COO of Combex, will be the other Lead Investigator
- on the contract. As noted earlier, Mr. Stiegler is the author of <b><i>E</i></b> in
- a Walnut, and chief architect and developer of capWT. Prior to joining
+ on the contract. As noted earlier, Mr. Stiegler is the author of <b><i>E</i></b>
+ in a Walnut, and chief architect and developer of capWT. Prior to joining
Combex, Mr. Stiegler was VP of Engineering for Communities.com, where
he took on the task of transforming a software development organization
that had spent 3 years and $10M without developing either a product or
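Review bot: "E in a Walnut" is a book title but is set in plain text here, while the titles in the previous paragraph (<i>Vulcan</i>, <i>Joule</i>, <i>Tclio/WebMart</i>) are italicized; wrap it as `<i><b><i>E</i></b> in a Walnut</i>` or link it to the [Stiegler2001] reference entry already on this page.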
@@ -522,9 +554,10 @@
application in the White House for communication, and in the Bureau of
Land Management for fighting forest fires. A descendant of the DCCS system
was used with great success in Desert Storm.
- <p>In addition to <b><i>E</i></b> in a Walnut, Mr. Stiegler was also the lead author of
- Programming Languages: Featuring the IBM PC and Compatibles, which was
- chosen by Byte Magazine in 1986 as one of 20 key books on the PC.
+ <p>In addition to <b><i>E</i></b> in a Walnut, Mr. Stiegler was also the
+ lead author of Programming Languages: Featuring the IBM PC and Compatibles,
+ which was chosen by Byte Magazine in 1986 as one of 20 key books on the
+ PC.
<h1> <a name="refs"></a>References</h1>
<p></p>
<p><a name="AEGIS"></a>[AEGIS] AEGIS <b>Secure boot system</b>: <a href="http://www.cs.umd.edu/~waa/aegis.html">http://www.cs.umd.edu/~waa/aegis.html</a>
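Review bot: the rewrapped paragraph runs straight into `<h1>` without a `</p>`, and the `<p></p>` after the References heading is another empty spacer; close the paragraph and remove the spacer. Same title-styling point as the previous hunk: "Programming Languages: Featuring the IBM PC and Compatibles" and "E in a Walnut" should be italicized like the other titles.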
@@ -545,6 +578,7 @@
Symposium on Security and Privacy. <a href="http://www.eros-os.org/papers/oakland2000.ps">http://www.eros-os.org/papers/oakland2000.ps</a>
<p> <a name="Stiegler2001"></a>[Stiegler2001] Marc Stiegler, “<b>E
in a Walnut</b>,” Draft: <a href="http://www.skyhunter.com/marcs/ewalnut.html">http://www.skyhunter.com/marcs/ewalnut.html</a>
+ <p>
<!-- #EndEditable --></TD>
<td width="10%" valign="bottom"> </td>
</TR>
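Review bot: the added `+ <p>` before `<!-- #EndEditable -->` is an empty, unclosed paragraph used as bottom padding; the users.html hunk in this same commit adds `<p> </p>` for the same purpose, so the two spellings will render differently across pages. Use one form, or better a bottom margin on the editable `<td>`, rather than an empty element.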
1.3 +7 -10 e/domains/combex/tech/edesk.html
Index: edesk.html
===================================================================
RCS file: /cvs/e/domains/combex/tech/edesk.html,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- edesk.html 2002/01/15 18:20:50 1.2
+++ edesk.html 2002/01/15 18:34:42 1.3
@@ -50,11 +50,12 @@
<TR VALIGN="TOP">
<TD WIDTH="10%"> </TD>
<TD><!-- #BeginEditable "LongBody" -->
- <p>The <b><i>E</i></b> platform uses <i>capability-based</i> security, which is a software
- architecture for achieving the Principle of Least Authority (POLA) in
- computer systems. POLA is a simple and timeless principle: never grant
- anyone or anything more authority than they require. This principle is
- referred to as “Need to Know” in classified information venues,
+ <p> </p>
+ <p>The <b><i>E</i></b> platform uses <i>capability-based</i> security, which
+ is a software architecture for achieving the Principle of Least Authority
+ (POLA) in computer systems. POLA is a simple and timeless principle: never
+ grant anyone or anything more authority than they require. This principle
+ is referred to as “Need to Know” in classified information venues,
and is known as the “valet key” when applied to standard automobiles:
the valet key giving the valet only the authority required to drive the
car, not the unneeded additional authority to open the trunk. This principle
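Review bot: the new `<p> </p>` ahead of the first paragraph contains only a plain space, which collapses to nothing when rendered, so it adds no vertical space unless the intent was `<p>&nbsp;</p>`; if top padding is wanted, set it in CSS on the `<td>` instead of inserting an empty paragraph on every page of this commit.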
@@ -128,11 +129,7 @@
languages such as Java and Python, within the domain of secure distributed
applications.</p>
<p>
- <p>More information about the <b><i>E</i></b> platform can be found </p>
- <p align="center">in <a href="http://www.skyhunter.com/marcs/ewalnut.html%20"><img src="../papers/images/ewalnut-yellow.gif" width="118" height="120" border="0" align="absmiddle">E
- in a Walnut</a> and at <a href="http://www.erights.org/">The
- <img src="../images/e-lambda.gif" width="32" height="32" border="0" align="absmiddle">
- Project</a></p>
+ <p> </p>
<!-- #EndEditable --></TD>
<td width="10%" valign="bottom"> </td>
</TR>
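Review bot: moving the "More information" links out of edesk.html leaves a bare `<p>` followed by `<p> </p>` at the end of the editable region, i.e. two empty paragraphs in a row; delete both. If any other page links to this block on edesk.html, those links now need to point at tech/index.html where the block is reinserted.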
1.2 +10 -3 e/domains/combex/tech/index.html
Index: index.html
===================================================================
RCS file: /cvs/e/domains/combex/tech/index.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- index.html 2002/01/15 18:08:25 1.1
+++ index.html 2002/01/15 18:34:42 1.2
@@ -51,12 +51,19 @@
<TR VALIGN="TOP">
<TD WIDTH="10%"> </TD>
<TD><!-- #BeginEditable "LongBody" -->
- <p align="left"><a href="screen-shots.html">Screen Shots</a>
+ <p align="left">
<p align="left"><a href="opportunity.html">The Opportunity for a Virus-Invulnerable
Desktop</a>
- <p align="left"><a href="edesk.html">CapDesk: The Combex Desktop Architecture</a>
+ <p align="left"><a href="edesk.html">CapDesk: The Combex Desktop Architecture</a>
+ <p align="left">
+ <p align="left"><a href="darpaBrowser.html">The Darpa Browser</a>
+ <p align="left"><a href="screen-shots.html">Screen Shots</a>
+ <p>More information about the <b><i>E</i></b> platform can be found </p>
+ <p align="center">in <a href="http://www.skyhunter.com/marcs/ewalnut.html%20"><img src="../papers/images/ewalnut-yellow.gif" width="118" height="120" border="0" align="absmiddle">E
+ in a Walnut</a> and at <a href="http://www.erights.org/">The
+ <img src="../images/e-lambda.gif" width="32" height="32" border="0" align="absmiddle">
+ Project</a></p>
<p align="left">
- <p align="left"><a href="darpaBrowser.html">The Darpa Browser</a>
<!-- #EndEditable --></TD>
<td width="10%" valign="bottom"> </td>
</TR>
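Review bot: the href carried over from edesk.html, `http://www.skyhunter.com/marcs/ewalnut.html%20`, has an encoded trailing space that becomes part of the request path and will 404 on most servers; strip the `%20` here instead of propagating the defect. Separately, the added `<p align="left">` lines between the links are empty unclosed paragraphs serving as spacers, and the reorder moves "Screen Shots" from first to fourth; confirm that ordering is intended, since the log message says only "formatting".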
1.3 +1 -0 e/domains/combex/tech/opportunity.html
Index: opportunity.html
===================================================================
RCS file: /cvs/e/domains/combex/tech/opportunity.html,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- opportunity.html 2002/01/15 18:20:50 1.2
+++ opportunity.html 2002/01/15 18:34:42 1.3
@@ -50,6 +50,7 @@
<TR VALIGN="TOP">
<TD WIDTH="10%"> </TD>
<TD><!-- #BeginEditable "LongBody" -->
+ <p> </p>
<h2>The Opportunity for a Virus-Invulnerable Desktop</h2>
<p>In the world of today, hardly a week goes by without new reminders of
the vulnerability of our computing systems. At the time of this writing,
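Review bot: same point as the edesk.html hunk: `<p> </p>` above the `<h2>` is a spacer paragraph whose single space collapses on render; prefer a CSS margin on the `<td>` or heading rather than repeating this element in every page of the commit.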
1.3 +9 -7 e/domains/combex/tech/screen-shots.html
Index: screen-shots.html
===================================================================
RCS file: /cvs/e/domains/combex/tech/screen-shots.html,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- screen-shots.html 2002/01/15 18:20:50 1.2
+++ screen-shots.html 2002/01/15 18:34:42 1.3
@@ -51,7 +51,8 @@
<TD WIDTH="10%"> </TD>
<TD><!-- #BeginEditable "LongBody" -->
<p align="center">
- <p align="center"><img src="../edesk/images/browserSideBySide.gif" name="Graphic1" align=BOTTOM width=872 height=831 border=0></p>
+ <p> </p>
+ <p align="center"><img src="images/browserSideBySide.gif" name="Graphic1" align=BOTTOM width=872 height=831 border=0></p>
<p>
<p><i>Side-by-Side comparison of a malicious Web Browser running under CapDesk
capability confinement (left), versus the same Browser running with standard
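Review bot: `src` for `browserSideBySide.gif` is changed from `../edesk/images/` to `images/`, but no image file is added in this commit and the `browser-caplet.gif` in the next hunk still resolves to `../edesk/images/`; confirm that `tech/images/browserSideBySide.gif` exists in the repository, and point both images at the same directory so one does not break when the other is moved.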
@@ -79,12 +80,13 @@
<p>
<hr>
<p align="center"> <img src="../edesk/images/browser-caplet.gif" name="Graphic4" align=BOTTOM width=800 height=600 border=0>
- <p><i>CapDesk running a Web Browser that has launched an <b><i>E</i></b> caplet. Caplets
- deliver on the promise first made by Java applets: flexible powerful applications
- downloaded over the Web that can be run safely on the local machine while
- still being centrally maintained. Note the Save button on the Caplet,
- which is impossible on a Java Applet because of the restrictions imposed
- by the Java Sandbox</i>
+ <p><i>CapDesk running a Web Browser that has launched an <b><i>E</i></b>
+ caplet. Caplets deliver on the promise first made by Java applets: flexible
+ powerful applications downloaded over the Web that can be run safely on
+ the local machine while still being centrally maintained. Note the Save
+ button on the Caplet, which is impossible on a Java Applet because of
+ the restrictions imposed by the Java Sandbox</i>
+ <p>
<!-- #EndEditable --></TD>
<td width="10%" valign="bottom"> </td>
</TR>
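Review bot: the rewrapped caption still ends "the restrictions imposed by the Java Sandbox</i>" without a terminating period, and neither the caption `<p>` nor the added `+ <p>` is closed; add the period, close the caption with `</p>`, and drop the trailing empty `<p>` (or unify it with the `<p> </p>` form used elsewhere in this commit).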