[Cryptography] What do we mean by Secure?
Bill Frantz
frantz at pwpconsult.com
Mon Feb 9 20:29:30 EST 2015
On 2/9/15 at 8:23 AM, phill at hallambaker.com (Phillip Hallam-Baker) wrote:
>This is the wrong policy. You are never going to open those files, nor is
>your wife. You don't speak binary.
>
>Applications are going to open those files and what matters is that one
>application does not go rogue.
>
>We have the wrong metaphor for applications. They are not static objects,
>they are zombies or golems. We can give them tasks, but their true
>masters are the wizards that originally brought them to life by their
>incantations.
This statement is absolutely correct. When KeyKOS was being
reviewed as an Orange Book candidate, Deborah Downs said
something that suddenly made the whole Orange Book criteria make
sense. She said, "We trust the users, they've been cleared. We
don't trust the programs they run."
>Of course, I don't know of any system that would make such a policy viable.
There have been several such systems built. All of them enforce
some level of least authority on applications. The Polaris system
<http://www.hpl.hp.com/research/mmsl/projects/adv/polaris.html>
is perhaps the most approachable for ordinary users.
What Polaris did was run applications in a separate new Windows
userID and provide a "power box" which allowed the user to
select files for the application to use.
A power box is a piece of code that runs with full user
privileges and can pass resources selected by the user to the
application that calls it. The Polaris power box added the new
user ID to the file's access control list and gave the file name
to the application, which could then open the file normally. The
UI presented by the power box looked like a normal Windows file chooser.
This system was good enough to prevent Word/Excel viruses,
although its security correctness depended on Windows security
correctness. (I do want to separate discussions of
function/policy from assurance. If we get useful
function/policy, working on assurance is "a simple matter of
engineering". :-)
People in HP Labs were test subjects for Polaris. One executive
who volunteered to run it had a busy travel schedule. The result
was that Polaris got installed on his computer before he had
been trained in its use. After he had been using Polaris for
about a week he asked when it was going to be installed. He
hadn't noticed any differences from normal Windows.
Polaris was offered to Microsoft, but they decided not to
include it as part of Windows. HP did not consider itself to be
a software company, so Polaris disappeared into that vast sea of
good ideas that didn't go anywhere.
Cheers - Bill
-----------------------------------------------------------------------
Bill Frantz        | I like the farmers' market    | Periwinkle
(408)356-8506      | because I can get fruits and  | 16345 Englewood Ave
www.pwpconsult.com | vegetables without stickers.  | Los Gatos, CA 95032
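A small model of the power box arrangement Bill describes, added here as an illustration and not Polaris's own code: applications run as their own principal, every open is checked against the file's ACL, and only the trusted power box (running as the real user) can add an application's principal to a file the user actually picked. The `FileStore`, `PowerBox` and `App` names, the per-application principal `alice-word` and the file paths are all constructed for the example.

```python
class FileStore:
    """Files with per-file ACLs: path -> set of principals allowed to open it."""
    def __init__(self):
        self.acls, self.data = {}, {}

    def create(self, path, owner, contents):
        self.acls[path] = {owner}
        self.data[path] = contents

    def open(self, path, principal):
        # Reference monitor: every open is checked against the file's ACL.
        if principal not in self.acls.get(path, set()):
            raise PermissionError(f"{principal} may not open {path}")
        return self.data[path]

class PowerBox:
    """Trusted code running as the real user: the only way an application
    gains access to a file, and only to the one the user picked."""
    def __init__(self, store, user):
        self.store, self.user = store, user

    def choose_file(self, app_principal, chosen_path):
        # chosen_path stands in for the user's pick in the file-chooser UI.
        if self.user not in self.store.acls.get(chosen_path, set()):
            raise PermissionError(f"{self.user} cannot delegate {chosen_path}")
        self.store.acls[chosen_path].add(app_principal)  # ACL edit, as Polaris did
        return chosen_path  # the application then opens it by name, normally

class App:
    """An application confined to its own synthetic user ID (constructed)."""
    def __init__(self, store, principal):
        self.store, self.principal = store, principal

    def read(self, path):
        return self.store.open(path, self.principal)

def demo():
    """Constructed scenario: one document is handed to the app, a second is not."""
    fs = FileStore()
    fs.create("C:/Users/alice/report.doc", "alice", "quarterly report")
    fs.create("C:/Users/alice/secrets.txt", "alice", "private notes")
    word, box = App(fs, "alice-word"), PowerBox(fs, "alice")  # per-app user ID
    handed = word.read(box.choose_file(word.principal, "C:/Users/alice/report.doc"))
    try:
        word.read("C:/Users/alice/secrets.txt")  # never selected by the user
        leaked = True
    except PermissionError:
        leaked = False
    return handed, leaked
```

`demo()` returns the contents the application was handed and whether it could reach the unselected file; the second value stays `False` however the application behaves, which is the least-authority property the post is after.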