From: Kragen Sitaker (kragen@pobox.com)
Date: Tue May 02 2000 - 13:58:27 PDT
Adam Beberg writes:
> On Tue, 2 May 2000, Ka-Ping Yee wrote:
> > And what reason do i have to trust this sandbox? If it protects
> > my computer as well as a "Web browser protects [me] from malicious
> > code", that's pretty dismal.
>
> No reason at all. Have you ever seen children keep all the sand in a
> sandbox? I bet not. No computer scientist has ever seen it happen
> either. Despite all the proof-carrying code, sandboxing, "safe"
> compilers, none of them work, or can work, for a very simple reason:
>
> It's the operating system stupid.
>
> The operating system is the only part of the system that can enforce any
> kind of working security.
I suppose that depends on your definition of "working security".
It is trivially true that I can read data from untrusted people without
compromising my machine. ASCII text, HTML without executable content,
etc.
It is still true that I can run malicious code in, say, a
Turing-machine emulator or lambda-expression evaluator, without
worrying about security. I don't even have to worry about
proof-carrying code or sandboxing.
I can even safely run malicious code in a PostScript interpreter or in
groff as long as I have turned off filesystem access and other
nasties. (And as long as I have a sensible scheduler, and massive
mallocs won't kill my box, etc. --- although even these can be taken
care of by the interpreter.)
The nasty stuff starts happening in a few cases:
- when I have big interfaces between the malicious code and the rest of
the system --- e.g. a full-featured system-call interface.
- when I'm trying to run code at different protection levels in the
same interpreter.
- when I'm trying to run code faster by proving things about it so I
don't have to check them all the time, which is especially useful if
I'm also compiling into native machine code.
When you start doing these things, the likelihood of a
security-breaking bug in your interpreter soars. I don't think Java is
likely to get secure any time soon.
> If the OS has a flawed security model, you're screwed, period.
You're only screwed if your interpreter also has a flawed security
model or implementation.
I agree that the OS is a better place to do this, because it gives you
the ability to run native code securely. (Assuming your CPU or MMU or
RAM (or, with VIA, your network card) doesn't have a flawed security
model or implementation.)
EROS is the most interesting thing happening in this regard at the
moment, I think, although Subterfugue and Janus have promise too.
-- 
<kragen@pobox.com>       Kragen Sitaker         <http://www.pobox.com/~kragen/>
The Internet stock bubble didn't burst on 1999-11-08. Hurrah!
<URL:http://www.pobox.com/~kragen/bubble.html>
The power didn't go out on 2000-01-01 either. :)
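A worked illustration of the message's point, added here and not part of Kragen's post or of any system he names: a lambda-expression evaluator with no system-call interface at all, where the only things untrusted code can do are consume time or memory, and where the interpreter itself enforces the budgets rather than relying on the scheduler or the allocator. The term encoding, the budget sizes and the two hostile terms are assumptions constructed for this example.

```python
# Terms: ('var', name) | ('lam', name, body) | ('app', fun, arg); values are
# closures ('clo', name, body, env). No primitives, no I/O: a hostile term
# can only burn time or memory, and both are budgeted by the interpreter.
class BudgetExceeded(Exception): pass

def evaluate(term, max_steps=10_000, max_mem=1_000):
    """CEK-style machine: explicit continuation stack (no host recursion
    for a hostile term to overflow), bounded by a step and a memory budget."""
    control, env, kont = term, {}, []
    for _ in range(max_steps):
        # memory proxy: continuation depth plus environment size
        if len(kont) + len(env) > max_mem:
            raise BudgetExceeded("memory budget exhausted")
        kind = control[0]
        if kind == 'app':          # evaluate the function position first
            kont.append(('arg', control[2], env))
            control = control[1]
            continue
        if kind == 'var':
            val = env[control[1]]  # unbound name: KeyError, a malformed term
        elif kind == 'lam':
            val = ('clo', control[1], control[2], env)
        else:
            raise ValueError(f"bad term: {control!r}")
        if not kont:
            return val
        frame = kont.pop()
        if frame[0] == 'arg':      # function ready: now evaluate the argument
            kont.append(('fun', val))
            control, env = frame[1], frame[2]
        else:                      # argument ready: apply the closure
            _, name, body, cenv = frame[1]
            env = {**cenv, name: val}
            control = body
    raise BudgetExceeded("step budget exhausted")

def run(term, **budgets):
    """Return ('value', closure) or ('budget', reason) instead of hanging."""
    try:
        return ('value', evaluate(term, **budgets))
    except BudgetExceeded as exc:
        return ('budget', str(exc))

def var(x): return ('var', x)
def lam(x, body): return ('lam', x, body)
def app(f, a): return ('app', f, a)

# Constructed hostile inputs: OMEGA loops in constant space, OMEGA3 grows the stack.
OMEGA = app(lam('x', app(var('x'), var('x'))), lam('x', app(var('x'), var('x'))))
OMEGA3 = app(lam('x', app(app(var('x'), var('x')), var('x'))),
             lam('x', app(app(var('x'), var('x')), var('x'))))
```

Both hostile terms are reported back to the host as a tripped budget rather than a hang or a crash, which is the property the message attributes to a small, closed interpreter.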
This archive was generated by hypermail 2b29 : Tue May 02 2000 - 13:59:02 PDT