From: Ka-Ping Yee (ping@lfw.org)
Date: Tue May 02 2000 - 00:55:40 PDT
Nelson Minar wrote:
> I'm writing to brag - my company has just officially launched,
> http://www.popularpower.com/
On Mon, 1 May 2000, Rohit Khare wrote:
> Note, however, that we are not asking our customers to provide source
> code for their applications. Many of our customers have proprietary
> algorithms or data that they would wish to protect. We protect your
> computer's security by running customer code inside a security
> "sandbox," which is the same way your Web browser protects you from
> malicious code at Web sites you visit.
And what reason do i have to trust this sandbox? If it protects
my computer as well as a "Web browser protects [me] from malicious
code", that's pretty dismal.
The loud and various claims as to the security of Web client
software (be that Java, Javascript, ActiveX, or privacy and
security measures in the browsers themselves) have largely given
way to exploit after exploit, flaw after flaw, to the point
where you just can't place any trust in the ability of a browser
to safely execute remote code. No one knows whether we've got
it right; they've just added lots of band-aids, and some of the
problems seem to have gone away... but all you can really do is
pray. Even today, and even running Java applets written without
any malicious intent, browsers still crash!
I suggest that the reason no one knows whether we've got it right
is that there is no formal model. There is no proof, or even an
attempt at a proof, that has been made about the security properties
of Java (to my knowledge), probably because the system is too
complex and perhaps even inadequately specified. Certainly no such
formalism was prepared and rigourously studied before the Java
security model was built, or we would be able to make confident
claims about its security today.
But these problems have been studied, and they have been studied
formally. More work needs to be done, but what has been done is
very worth looking at.
What PopularPower needs to solve here is the confinement problem:
how are we to establish a confined environment in which a remote
application can run, with the least authority it needs to run,
and without the ability to leak its input data? The confinement
problem is described briefly here:
http://www.cis.upenn.edu/~KeyKOS/Confinement.html
KeyKOS solved the confinement problem, and you will probably find
documents describing KeyKOS very worthwhile. EROS is a current
open source project based on many of the ideas of KeyKOS. (KeyKOS
also had orthogonal persistence, and there is an amusing story
about that at http://www.eros-os.org/project/novelty.html.)
Here are some good references on capability-based security:
http://www.mediacity.com/~norm/CapTheory/index.html
http://www.cis.upenn.edu/~KeyKOS/
http://eros.cis.upenn.edu/
http://www.erights.org/elib/capability/index.html
http://www.erights.org/elib/capability/ode/index.html
-- ?!ng
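An added sketch, not part of the original message and not PopularPower's, KeyKOS's or EROS's code, of the capability discipline the post points to: the host hands each job exactly two references (an attenuated read-only input and a result sink), keeps ambient authority such as the network on its own side, records any request for an authority the job was never granted, and revokes both references when the run ends so a stashed reference is useless afterwards. Plain Python does not enforce this discipline on its own (a job could still reach module globals), so the example models the design rather than providing a real sandbox; the class names, the `Host`/`Revocable` helpers and the three sample jobs are assumptions for illustration.

```python
from types import MappingProxyType
from typing import Callable, Dict, List, Mapping


class CapabilityRevoked(Exception):
    """Raised when a job uses a capability after the host has revoked it."""


class ReadOnlyInput:
    """Attenuated capability: the job can read its input but holds no
    reference to the host's mutable copy."""

    def __init__(self, data: bytes) -> None:
        self._data = bytes(data)

    def read(self) -> bytes:
        return self._data


class ResultSink:
    """The only output channel a confined job receives; everything it
    emits lands here, where the host can inspect it before release."""

    def __init__(self) -> None:
        self._results: List[bytes] = []

    def write(self, payload: bytes) -> None:
        self._results.append(bytes(payload))

    def collected(self) -> List[bytes]:
        return list(self._results)


class Network:
    """Ambient authority the job must never reach. It exists on the host
    side only and is deliberately absent from the job's capability set."""

    def __init__(self) -> None:
        self.sent: List[bytes] = []

    def send(self, payload: bytes) -> None:
        self.sent.append(bytes(payload))


class Revocable:
    """Caretaker: forwards attribute access to the target until the host
    revokes it, so a job that keeps the reference cannot use it later."""

    def __init__(self, target: object) -> None:
        self._target = target
        self._alive = True

    def _revoke(self) -> None:
        self._alive = False
        self._target = None

    def __getattr__(self, name: str):
        if not self._alive:
            raise CapabilityRevoked(name)
        return getattr(self._target, name)


class Host:
    """Runs a job with exactly the capabilities policy grants it (assumed helper)."""

    def __init__(self) -> None:
        self.network = Network()        # never handed to any job
        self.denied: List[str] = []     # authorities jobs asked for but were not given

    def run_confined(self, job: Callable[[Mapping[str, object]], None], data: bytes) -> List[bytes]:
        sink = ResultSink()
        guarded: Dict[str, Revocable] = {
            "input": Revocable(ReadOnlyInput(data)),
            "output": Revocable(sink),
        }
        caps = MappingProxyType(guarded)    # read-only view: the job cannot add entries
        try:
            job(caps)
        except KeyError as missing:         # job reached for an authority it lacks
            self.denied.append(str(missing.args[0]))
        finally:
            for cap in guarded.values():    # least authority ends with the run
                cap._revoke()
        return sink.collected()


# Constructed sample jobs standing in for customer code.
def count_job(caps: Mapping[str, object]) -> None:
    """Well-behaved job: reads its input and writes one result to its sink."""
    payload = caps["input"].read()
    caps["output"].write(str(len(payload.split())).encode())


def unauthorised_job(caps: Mapping[str, object]) -> None:
    """Asks for a network capability it was never granted; the host denies it."""
    caps["network"].send(caps["input"].read())


stashed: Dict[str, object] = {}


def stashing_job(caps: Mapping[str, object]) -> None:
    """Keeps its output capability for later use; revocation makes it inert."""
    stashed["output"] = caps["output"]
    caps["output"].write(b"ok")


def demo() -> Dict[str, object]:
    host = Host()
    data = b"alpha beta gamma delta"     # constructed stand-in for customer data
    count_result = host.run_confined(count_job, data)
    host.run_confined(unauthorised_job, data)
    stash_result = host.run_confined(stashing_job, data)
    late_write_blocked = False
    try:
        stashed["output"].write(b"late")
    except CapabilityRevoked:
        late_write_blocked = True
    return {
        "count_result": count_result,
        "denied": list(host.denied),
        "network_sent": list(host.network.sent),
        "stash_result": stash_result,
        "late_write_blocked": late_write_blocked,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the structure is that the job never starts with a global view of the machine: its authority is whatever the host chose to pass in, and the host's audit is simply "what references did I hand over, and what came back through the sink". A real confinement system has to make the language or kernel enforce that discipline rather than trust the job, which is what the KeyKOS and EROS material referenced above is about.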
This archive was generated by hypermail 2b29 : Tue May 02 2000 - 01:06:41 PDT