Jonathan S. Shapiro wrote:
> [Please note that I have moved this discussion to cap-talk, since it
> is not really EROS specific. The original problem was to prevent a
> program from leaking sensitive bank information. The second response
> is quoted at the bottom. ]
> > I'm beginning to suspect I should shut up until I'm better acquainted
> > with how EROS does things.
> Actually, this is precisely why you *should* ask these questions. How
> else can the answers end up in the FAQ?
Just remember that you asked for it :-)
> > I'm having problems understanding who "you" is and how "you" "hands"
> > things about the place, what a "trusted system intermediary agent" is
> > and how it "checks with you". And so on...
> "You" is actually a program operating on your behalf. It holds a
> capability on your behalf, and can either transmit it or not transmit
> The sorts of leaks you are concerned about can occur only when an
> untrusted program holds (simultaneously or in sequence) a capability
> conveying access to sensitive data and also a capability conveying
> authority to communicate with an unauthorized party.
This is where it gets interesting, I think. How does the authority tie in with the party we communicate with?
> The source of the confusion may lie in a POSIX assumption. In a POSIX
> system, any program can make a "socket" call and get their hands on a
> network connection. The right to create a socket is therefore part of
> a program's "intrinsic" authority.
> In a capability-protected system, sockets can only be created if the
> program holds a capability for the networking subsystem. [ Such a
> program would not be considered confined, by the way. ] Further, two
> programs can communicate only if one holds a capability for the other.
> By being careful what capabilities are handed to a program, the
> sequence leading to exposure can be eliminated.
OK, what I still am not getting is how I can decide what capabilities a program has according to who is at the other end of the network connection. This seems vital to me.
> The "trusted agent" I had in mind is an "open file" utility. Instead
> of giving the application access to the file system, give it access to
> a utility that will ask the user where things should be stored, and
> can alert the user that the application may be working with sensitive
Who is the user in this case? How can I alert someone who may be in bed (remembering we are talking about webservers here)?
--
Ben Laurie            |Phone: +44 (181) 735 0686| Apache Group member
Freelance Consultant  |Fax:   +44 (181) 735 0689| http://www.apache.org
and Technical Director|Email: email@example.com  |
A.L. Digital Ltd,     |Apache-SSL author http://www.apache-ssl.org/
London, England.      |"Apache: TDG" http://www.ora.com/catalog/apache
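The confinement argument in the quoted text (a leak needs a sensitive-data capability and a communication capability held together, and a trusted "open file" agent instead of raw file-system access) modelled as a toy object-capability program. This is an added example, not code from the thread or from EROS; the class names, the `launch` harness and the sample file and peer are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class NetworkCap:
    """Authority to talk to one remote party: holding the object is the right."""
    peer: str
    sent: list = field(default_factory=list)
    def send(self, payload: str) -> None:
        self.sent.append(payload)

@dataclass
class FileCap:
    """Read authority over one file's contents."""
    contents: str
    def read(self) -> str:
        return self.contents

class OpenFileAgent:
    """Trusted intermediary: the application never sees the file system, only
    this agent, which consults the user's policy before handing back a FileCap."""
    def __init__(self, files: dict, policy):
        self._files = files      # the agent, not the application, holds the file authority
        self._policy = policy    # stands in for "ask the user": name -> bool
    def open(self, name: str) -> FileCap:
        if name not in self._files or not self._policy(name):
            raise PermissionError(f"user declined to open {name}")
        return FileCap(self._files[name])

def untrusted_report(caps: dict) -> int:
    """The untrusted program. It can only use what is in `caps`; there is no
    ambient socket() call to reach for, unlike the POSIX case in the thread."""
    data = caps["opener"].open("account.txt").read()
    if "net" in caps:            # a leak is possible only if both caps are held together
        caps["net"].send(data)
    return len(data)

def launch(grant_network: bool, user_allows: bool) -> list:
    """Launcher decides the program's capabilities; returns what reached the peer."""
    opener = OpenFileAgent({"account.txt": "balance=1234"}, lambda name: user_allows)
    net = NetworkCap(peer="unauthorized.example")  # constructed sample peer
    caps = {"opener": opener, **({"net": net} if grant_network else {})}
    try:
        untrusted_report(caps)
    except PermissionError:
        pass                     # the agent (user) refused; the program gets no data
    return list(net.sent)
```

Only the launch that grants both the opener and the network capability leaks anything; withholding either one, or having the agent refuse, leaves the peer with nothing, without any check inside the untrusted code.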