[Cryptography] Simpler programs?

Ben Laurie ben at links.org
Sat Apr 19 05:43:58 EDT 2014


On 19 April 2014 10:11, Guido Witmond <guido at witmond.nl> wrote:
> On 04/19/14 06:55, Ben Laurie wrote:
>> On 19 April 2014 04:04, Bill Frantz <frantz at pwpconsult.com> wrote:
>
>>> Polaris worked this
>>> way, with no changes to Windows or to the applications.
>>
>> My understanding is that a powerbox is a way for an application to get
>> at a user's stuff (which includes things like network access). Files
>> are an attractive example, because it's clear how you create a seamless
>> replacement. In a windowed environment. Kinda (e.g. what about
>> temporary files? shared libraries? dictionaries? users do not want to
>> be choosing these things by hand).
>
> I'll give it a try:
>
> Temporary file space: at start-up each process is handed a
> file-descriptor to a file in /tmp. The process is free to use it as it
> sees fit, for example, the process can run a simple filesystem in it, or
> use it as a key/value store. The kernel hands the file and reclaims it
> at process exit. With an in-process fs-driver-library, it saves on
> kernel overhead at access. These savings might outweigh the cost of
> startup and teardown of the tmp-file.
>
> Spool files: Files that need to be preserved after process exit should
> be stored in a spool-directory. This is to be set up at program install
> time, according to an FHS.
>
> Windows: each process is handed a file descriptor to the Wayland
> process. The parent process can ask Wayland (not X) for a fd, set some
> limits to size and position. The parent is responsible for closing.
>
> Libraries: who cares what libraries the process can access. If there is
> a remote code execution bug, the attacker can upload anything they like.
> Protection should not come from withholding code, it should come from
> withholding access to resources and the users' data.
>
> Network access: Parent process gets asked for a network socket. Parent
> verifies request and opens the connection. It hands a fd to the child.

This is what Casper is for in FreeBSD. The parent gets to decide which
Casper the child is using (which could simply be the parent). But this
doesn't really solve the problem of what the parent (or Casper) grants
and why.

The nice thing about the file powerbox is you capture the user's
intent through a familiar and reasonably clear interaction. Network
sockets are trickier.

> But at this point, it's no longer a unix. I understand where the pain
> comes from. There is only so much POLA to be retrofitted at unix.

True, but we can do all of the above with Capsicum (which is a Unix retrofit).
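The "parent opens the resource, child only gets the descriptor" pattern that the quoted mail describes, and that Casper implements on FreeBSD, can be shown in portable POSIX C without Capsicum. The example below is added here and is not code from the thread, from Casper or from Capsicum: a child asks its parent for a resource by name over a Unix socketpair, the parent checks the request against a hypothetical allow-list (only a scratch tmpfile is granted; everything else, including network, is refused), opens the resource itself and hands back just the file descriptor with SCM_RIGHTS. The request string "tmpfile", the function names and the policy are assumptions made for this example; a real Capsicum deployment would additionally call cap_enter() in the child, which is omitted so the code runs on any POSIX system.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <sys/wait.h>

/* Send one file descriptor over a Unix-domain socket (SCM_RIGHTS).
 * Returns 0 on success, -1 on failure. */
int send_fd(int sock, int fd) {
    char byte = 'F';
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    char buf[CMSG_SPACE(sizeof(int))];
    memset(buf, 0, sizeof buf);
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = buf, .msg_controllen = sizeof buf };
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one file descriptor; returns it, or -1 if none arrived. */
int recv_fd(int sock) {
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    char buf[CMSG_SPACE(sizeof(int))];
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = buf, .msg_controllen = sizeof buf };
    if (recvmsg(sock, &msg, 0) != 1) return -1;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    if (!cm || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS)
        return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}

/* Hypothetical policy: the parent grants only the resources named here.
 * Returns an open fd, or -1 if the request is refused or opening fails. */
int powerbox_grant(const char *request) {
    if (strcmp(request, "tmpfile") == 0) {
        /* Scratch space in /tmp, unlinked at once so it disappears when the
         * last descriptor is closed, as in the quoted mail's tmp-file idea. */
        char path[] = "/tmp/powerbox-XXXXXX";
        int fd = mkstemp(path);
        if (fd >= 0) unlink(path);
        return fd;
    }
    return -1;   /* network, arbitrary paths, anything else: denied */
}

/* Fork a child that asks for "tmpfile", writes one line through the granted
 * descriptor and exits; the parent serves the request, then reads the line
 * back through its own copy of the same open file description.
 * Returns 1 if the line round-tripped, 0 otherwise. */
int powerbox_demo(void) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return 0;
    pid_t pid = fork();
    if (pid < 0) return 0;
    if (pid == 0) {                         /* child: never calls open() */
        close(sv[0]);
        const char *req = "tmpfile";
        if (write(sv[1], req, strlen(req) + 1) < 0) _exit(2);
        int fd = recv_fd(sv[1]);
        if (fd < 0) _exit(3);
        const char *line = "hello from the sandboxed child\n";
        if (write(fd, line, strlen(line)) < 0) _exit(4);
        _exit(0);
    }
    close(sv[1]);                           /* parent: the "powerbox" */
    char req[64];
    ssize_t n = read(sv[0], req, sizeof req - 1);
    if (n <= 0) { close(sv[0]); return 0; }
    req[n] = '\0';
    int fd = powerbox_grant(req);
    if (fd < 0 || send_fd(sv[0], fd) < 0) { close(sv[0]); return 0; }
    int status = 0;
    waitpid(pid, &status, 0);
    close(sv[0]);
    char back[64] = {0};
    lseek(fd, 0, SEEK_SET);                 /* offset is shared; rewind */
    ssize_t m = read(fd, back, sizeof back - 1);
    close(fd);
    return m > 0 && strcmp(back, "hello from the sandboxed child\n") == 0;
}

int main(void) {
    printf("%s\n", powerbox_demo() ? "round trip ok" : "failed");
    return 0;
}
```

The point Ben raises still stands in this code: the mechanism (pass a descriptor, keep open() out of the child) is the easy part; what powerbox_grant should say yes to, and on whose authority, is the policy question the thread is about. A file chooser captures the user's intent for "tmpfile"-style requests; a request for a network socket has no equally natural dialogue.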

