[Cryptography] Simpler programs?

Guido Witmond guido at witmond.nl
Sat Apr 19 05:11:20 EDT 2014


On 04/19/14 06:55, Ben Laurie wrote:
> On 19 April 2014 04:04, Bill Frantz <frantz at pwpconsult.com> wrote:

>> Polaris worked this
>> way, with no changes to Windows or to the applications.
> 
> My understanding is that a powerbox is a way for an application to get
> at a user's stuff (which includes things like network access). Files
> are an attractive example, because it's clear how you create a seamless
> replacement. In a windowed environment. Kinda (e.g. what about
> temporary files? shared libraries? dictionaries? users do not want to
> be choosing these things by hand).

I'll give it a try:

Temporary file space: at start-up each process is handed a
file-descriptor to a file in /tmp. The process is free to use it as it
sees fit, for example, the process can run a simple filesystem in it, or
use it as a key/value store. The kernel hands the file and reclaims it
at process exit. With an in-process fs-driver-library, it saves on
kernel overhead at access. These savings might outweigh the cost of
startup and teardown of the tmp-file.

Spool files: Files that need to be preserved after process exit should
be stored in a spool-directory. This is to be set up at program install
time, according to a FHS.

Windows: each process is handed a file descriptor to the Wayland
process. The parent process can ask Wayland (not X) for a fd, set some
limits to size and position. The parent is responsible for closing.

Libraries: who cares what libraries the process can access. If there is
a remote code execution bug, the attacker can upload anything they like.
Protection should not come from withholding code, it should come from
withholding access to resources and the users' data.

Network access: Parent process gets asked for a network socket. Parent
verifies request and opens the connection. It hands a fd to the child.

But at this point, it's no longer a unix. I understand where the pain
comes from. There is only so much POLA to be retrofitted at unix.


Regards, Guido.
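
The "parent verifies the request, opens the connection and hands the child a fd" scheme for network access, as an added example that is not part of the thread: a Python 3.9+/Unix broker in which the child asks over a control socketpair, the parent checks a constructed allowlist, connects, and passes the descriptor with SCM_RIGHTS via socket.send_fds. The JSON request format, the one-destination policy and the loopback listener standing in for the allowed peer are all constructed for the demo.

```python
import json
import os
import socket

# Parent side of the broker: answer up to max_requests connect requests from the child.
# Only destinations in `allowed` are opened; the child never calls connect() itself.
def serve_requests(ctl, allowed, max_requests):
    decisions = []
    for _ in range(max_requests):
        req = json.loads(ctl.recv(4096))  # constructed request format: {"host":..,"port":..}
        if (req["host"], req["port"]) in allowed:
            conn = socket.create_connection((req["host"], req["port"]))
            socket.send_fds(ctl, [b"\x01"], [conn.fileno()])  # pass the fd via SCM_RIGHTS
            conn.close()  # the in-flight copy keeps the connection alive for the child
            decisions.append("granted")
        else:
            ctl.send(b"\x00")  # refused: no descriptor is attached
            decisions.append("denied")
    return decisions

# Child side: ask the parent for a connected socket; returns it, or None if refused.
def child_request(ctl, host, port):
    ctl.send(json.dumps({"host": host, "port": port}).encode())
    status, fds, _, _ = socket.recv_fds(ctl, 1, 1)
    return socket.socket(fileno=fds[0]) if status == b"\x01" and fds else None

# Demo: a loopback listener stands in for the one destination the constructed policy allows.
def run_demo():
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0)); listener.listen(1)
    port = listener.getsockname()[1]
    parent_ctl, child_ctl = socket.socketpair()
    pid = os.fork()
    if pid == 0:  # child: holds only the control socket, no listener, no policy
        parent_ctl.close(); listener.close()
        conn = child_request(child_ctl, "127.0.0.1", port)
        if conn is not None:
            conn.sendall(b"hello via brokered fd"); conn.close()
        refused = child_request(child_ctl, "127.0.0.1", port + 1)  # not in the allowlist
        os._exit(0 if refused is None else 1)
    child_ctl.close()
    decisions = serve_requests(parent_ctl, {("127.0.0.1", port)}, 2)
    peer, _ = listener.accept()
    payload = b"".join(iter(lambda: peer.recv(64), b""))  # read until the child closes
    peer.close(); listener.close(); parent_ctl.close()
    _, status = os.waitpid(pid, 0)
    return decisions, payload, os.waitstatus_to_exitcode(status)

if __name__ == "__main__":
    print(run_demo())  # (['granted', 'denied'], b'hello via brokered fd', 0)
```

The child ends up with a usable, already-connected socket for the permitted destination and nothing at all for the refused one, which is the point: the policy lives in the parent, and the child's only capability is the control socket it was handed at start-up.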
