[Cryptography] What do we mean by Secure?

Bill Frantz frantz at pwpconsult.com
Mon Feb 9 20:29:30 EST 2015


On 2/9/15 at 8:23 AM, phill at hallambaker.com (Phillip Hallam-Baker) wrote:

>This is the wrong policy. You are never going to open those files, nor is
>your wife. You don't speak binary.
>
>Applications are going to open those files and what matters is that one
>application does not go rogue.
>
>We have the wrong metaphor for applications. They are not static objects,
>they are zombies or golems. We can give them tasks, but their true
>masters are the wizards that originally brought them to life by their
>incantations.

This statement is absolutely correct. When KeyKOS was being 
reviewed as an Orange Book candidate, Deborah Downs said 
something that suddenly made the whole Orange Book criteria make 
sense. She said, "We trust the users, they've been cleared. We 
don't trust the programs they run."


>Of course, I don't know of any system that would make such a policy viable.

There have been several such systems built. All of them enforce 
some level of least authority on applications. The Polaris system 
<http://www.hpl.hp.com/research/mmsl/projects/adv/polaris.html> 
is perhaps the most approachable for ordinary users.

What Polaris did was run applications in a separate new Windows 
userID and provide a "power box" which allowed the user to 
select files for the application to use.

A power box is a piece of code that runs with full user 
privileges and can pass resources selected by the user to the 
application that calls it. The Polaris power box added the new 
user ID to the file's access control list and gave the file name 
to the application, which could then open the file normally. The 
UI presented by the power box looked like a normal Windows file chooser.

This system was good enough to prevent Word/Excel viruses, 
although its security correctness depended on Windows security 
correctness. (I do want to separate discussions of 
function/policy from assurance. If we get useful 
function/policy, working on assurance is "a simple matter of 
engineering". :-)

People in HP Labs were test subjects for Polaris. One executive 
who volunteered to run it had a busy travel schedule. The result 
was that Polaris got installed on his computer before he had 
been trained in its use. After he had been using Polaris for 
about a week he asked when it was going to be installed. He 
hadn't noticed any differences from normal Windows.

Polaris was offered to Microsoft, but they decided not to 
include it as part of Windows. HP did not consider itself to be 
a software company, so Polaris disappeared into that vast sea of 
good ideas that didn't go anywhere.

Cheers  - Bill

-----------------------------------------------------------------------
Bill Frantz        | I like the farmers' market   | Periwinkle
(408)356-8506      | because I can get fruits and | 16345 Englewood Ave
www.pwpconsult.com | vegetables without stickers. | Los Gatos, CA 95032
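The power box pattern Bill describes above (application runs as its own Windows user ID; a trusted chooser adds that ID to the selected file's ACL and hands the plain file name back) is easy to lose in prose, so here is a small simulation of it. This is an added example written for this archive page, not Polaris code or anything from HP Labs; the file names, principal names, and the in-memory ACL structure are all constructed for the illustration. It also shows the contrast the post draws: the same application run with the user's own ambient authority can read every file, while the power-boxed one can read only the file the user picked.

```python
"""Simulation of the Polaris "power box" pattern (constructed example).

Each application runs as its own principal (a fresh user ID).  The power
box is the only trusted component: it runs with the real user's authority,
lets the user pick a file, adds the application's principal to that file's
ACL, and returns the file name.  The application then opens the file
through the ordinary ACL-checked open, exactly like any other program.
"""
from dataclasses import dataclass, field


class AccessDenied(PermissionError):
    """Raised when a principal is not on a file's ACL."""


@dataclass
class FileSystem:
    # path -> (content, set of principals on the ACL); constructed, in-memory
    files: dict = field(default_factory=dict)

    def create(self, path: str, content: str, owner: str) -> None:
        self.files[path] = (content, {owner})

    def open(self, path: str, principal: str) -> str:
        """Ordinary open: the caller's principal must appear on the ACL."""
        content, acl = self.files[path]
        if principal not in acl:
            raise AccessDenied(f"{principal} may not open {path}")
        return content

    def grant(self, path: str, principal: str) -> None:
        """Add an ACL entry; in Polaris this was done on the Windows ACL."""
        _content, acl = self.files[path]
        acl.add(principal)


@dataclass
class PowerBox:
    """Trusted chooser running as the real user.  It is the only path by
    which an application principal gains access to a user file."""
    fs: FileSystem
    user: str

    def choose_file(self, app_principal: str, user_choice: str) -> str:
        # The power box acts for the user, so the user must be able to read
        # the file before it can be delegated (no privilege amplification).
        self.fs.open(user_choice, self.user)
        # Polaris added the application's user ID to the file's ACL ...
        self.fs.grant(user_choice, app_principal)
        # ... and handed the plain file name back to the application.
        return user_choice


def run_application(fs, powerbox, app_principal, user_choice, other_files):
    """Open the file the user picked, then probe every other file the
    application knows about, as a misbehaving macro might.
    Returns (content of the chosen file, list of other files it could read)."""
    path = powerbox.choose_file(app_principal, user_choice)
    content = fs.open(path, app_principal)
    readable = []
    for p in other_files:
        try:
            fs.open(p, app_principal)
            readable.append(p)
        except AccessDenied:
            pass
    return content, readable


def _setup():
    fs = FileSystem()
    user = "alice"  # constructed user name
    fs.create("C:/Users/alice/report.docx", "quarterly numbers", user)
    fs.create("C:/Users/alice/taxes.xlsx", "income details", user)
    fs.create("C:/Users/alice/diary.txt", "private", user)
    others = ["C:/Users/alice/taxes.xlsx", "C:/Users/alice/diary.txt"]
    return fs, PowerBox(fs, user), user, others


def demo_polaris():
    """Application runs as its own principal (hypothetical ID 'polaris-word-1')."""
    fs, pb, _user, others = _setup()
    return run_application(fs, pb, "polaris-word-1",
                           "C:/Users/alice/report.docx", others)


def demo_ambient():
    """Same application run as the user herself: ordinary Windows behaviour."""
    fs, pb, user, others = _setup()
    return run_application(fs, pb, user,
                           "C:/Users/alice/report.docx", others)


if __name__ == "__main__":
    print("polaris:", demo_polaris())   # ('quarterly numbers', [])
    print("ambient:", demo_ambient())   # ('quarterly numbers', [both other files])
```

The point to notice is that the application code is identical in both runs; only the principal it runs under changes. That is what lets Polaris sit underneath unmodified Word and Excel, and it is why the executive in the story never noticed it was there.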
