[Cryptography] Open Source Sandboxes to Enforce Security on Proprietary Code?

Ben Laurie ben at links.org
Sun Aug 17 21:16:12 EDT 2014


On 15 August 2014 06:42, Kent Borg <kentborg at borg.org> wrote:
> Designing in end-to-end encryption is a good idea, but just because there is
> a claim that some product employs end-to-end encryption, why should any
> customer believe it?
>
> With open source programs there is a go-check-for-yourself response that,
> though it might not be practical, does pose a risk of discovery to those who
> might want to try to quietly inject a backdoor.
>
> But that doesn't do any good in assuring that a proprietary product is in
> any way secure.
>
> Is there any work going on to build an open/closed hybrid, where the
> closed source portion of the code is in a restricted sandbox that can't talk
> to the outside world, except through limited facilities provided by the open
> source portion, a part that is susceptible to go-check-for-yourself
> auditing?

https://www.cl.cam.ac.uk/research/security/capsicum/ (and work is
under way to port to Linux)
https://www.cl.cam.ac.uk/research/security/ctsrd/ (not exactly
theoretical, but not really deployable yet either)

