Page 1

Immunity from Viruses: Safety from Geeks Bearing Gifts

Mark S. Miller

Open Source Coordinator, ERights.org

CTO, Combex Inc.

Page 2

MS's 1st Immutable “Law”

If a bad guy can persuade you to run his program on your computer, it's not your computer anymore.

It's an unfortunate fact of computer science: when a computer program runs, it will do what it's programmed to do, even if it's programmed to be harmful. [...] Once a program is running, it can do anything, up to the limits of what you yourself can do on the machine. [...] It could open every document on the machine, and change the word "will" to "won't" in all of them. [...] It could install a virus. It could create a "back door" that lets someone remotely control your machine. [...]

That's why it's important to never run, or even download, a program from an untrusted source [...]

Page 3

POLA: The Goldilocks Principle

[Diagram: a spectrum running from Isolated / Useless / Safe at one end to Integratable / Useful / Dangerous at the other, with three points on it]

- Applets: No Authority
- Caplets: Least Authority
- Applications, Signed Code: Full Authority

Page 4

Which is Normal?

Page 5

The Equivalence Myth

[Diagram: one access matrix, drawn twice]

Subjects: Alice, Bob, Carol
Resources: reading /etc/passwd; editing ~markm/foo/*; reading /etc/motd

Access Control List (ACL) = the access matrix sliced by resource
Capability List = the same access matrix sliced by subject = variables in scope

Page 6

class Alice {
  void someMethod() {
    // …
    // Alice's references to bob and carol are her capabilities;
    // passing carol to bob hands Bob that capability.
    bob.foo(carol);
  }
}

Page 7

Capability Security: Only Connectivity Begets Connectivity

[Diagram: Alice holds references to both Bob and Carol]

• By Introduction: Alice holds a ref to Carol and a ref to Bob, and decides to share
• By Parenthood
• By Construction
• By Initial Conditions

• Absolute Encapsulation
• Only source of authority
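The two slides above make one claim: an ACL and a capability list are two slicings of a single access matrix, and in an object system the capability list is nothing more than the references an object holds, extended only by introduction. The following JavaScript is an added example (not code from the slides or from E); the matrix entries, the principals and the `greet`/`foo`/`tryGreet` methods are constructed for illustration.

```javascript
// Added example, not from the slides: one access matrix read both ways
// (sliced by resource = ACL, sliced by subject = capability list), then the
// object-capability reading in which Bob's "column" is simply the
// references he holds, and only Alice's introduction extends it.

// Constructed access matrix: subject -> list of [resource, right].
const MATRIX = {
  Alice: [["/etc/passwd", "read"], ["~markm/foo/*", "edit"], ["/etc/motd", "read"]],
  Bob:   [["/etc/motd", "read"]],
  Carol: [["~markm/foo/*", "edit"], ["/etc/motd", "read"]],
};

// Sliced by resource: an ACL per resource (who may do what to it).
function aclView(matrix) {
  const acl = {};
  for (const [subject, cells] of Object.entries(matrix)) {
    for (const [resource, right] of cells) {
      (acl[resource] = acl[resource] || []).push(`${subject}:${right}`);
    }
  }
  for (const entries of Object.values(acl)) entries.sort();
  return acl;
}

// Sliced by subject: a capability list per subject (what it may do, to what).
function capListView(matrix) {
  const clist = {};
  for (const [subject, cells] of Object.entries(matrix)) {
    clist[subject] = cells.map(([resource, right]) => `${right}:${resource}`).sort();
  }
  return clist;
}

// Both views are the same matrix: every (subject, right, resource) triple
// present in one view is present in the other.
function viewsAgree(matrix) {
  const triples = (list) => new Set(list.map(([s, r, res]) => `${s}|${r}|${res}`));
  const fromAcl = [];
  for (const [res, entries] of Object.entries(aclView(matrix))) {
    for (const e of entries) { const [s, r] = e.split(":"); fromAcl.push([s, r, res]); }
  }
  const fromClist = [];
  for (const [s, caps] of Object.entries(capListView(matrix))) {
    for (const c of caps) { const [r, res] = c.split(/:(.+)/); fromClist.push([s, r, res]); }
  }
  const a = triples(fromAcl), b = triples(fromClist);
  return a.size === b.size && [...a].every((t) => b.has(t));
}

// Object-capability reading: an object's authority is the references it holds.
function makeCarol() {
  let visits = 0;
  return { greet: () => `hello #${++visits}` };
}

function makeBob() {
  let carolRef = null;                       // Bob's C-list entry for Carol: empty at first
  return {
    foo(carol) { carolRef = carol; },        // by introduction: Alice passes her reference
    tryGreet() { return carolRef ? carolRef.greet() : "no access to Carol"; },
  };
}

// By initial conditions: Alice is created already holding bob and carol.
function makeAlice(bob, carol) {
  return { someMethod() { bob.foo(carol); } };   // the slide's bob.foo(carol)
}

// Bob's view of Carol before and after Alice's introduction.
function introductionDemo() {
  const carol = makeCarol();
  const bob = makeBob();
  const alice = makeAlice(bob, carol);
  const before = bob.tryGreet();
  alice.someMethod();
  const after = bob.tryGreet();
  return { before, after };
}
```

Nothing in `makeBob` consults a policy table: Bob can reach Carol exactly when a reference to her has been placed in his scope, which is the "variables in scope" reading of the capability list.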

Page 8

Untangling the Myth

[Table comparing four systems: Matrix ACLs, Matrix Caps, SPKI, Caps in practice]

Dimensions compared:
- by Resource vs Principal
- Static vs Dynamic
- Resource vs Object
- Names & Authority Confusable?
- Alice-Bob link Confinable?
- Composable?

Recovered cell entries: by Principal; Dynamic; Composable

Page 9

Capabilities == O-O Security

Capability discipline -> good software engineering

No static mutable state -> fewer “per” errors

POLA -> good modularity

- required trust is a form of dependency

- loose coupling -> reducing dependencies

Information hiding -> “need to know”

POLA -> “need to do”
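The slide's engineering claims (static mutable state breeds errors, required trust is a dependency, POLA is "need to do") can be seen in a few lines of code. The following JavaScript is an added example, not from the slides: a reporting function written first against a mutable global store and then against an attenuated read-only facet passed in explicitly. The store, its keys and the `readOnly` facet are constructed for illustration.

```javascript
// Added example, not from the slides: the same reporting task written
// against a mutable global store (full authority, hidden dependency) and
// against an attenuated read-only facet passed in explicitly (least
// authority, visible dependency). Store contents are constructed sample data.

function makeStore(initial) {
  const data = new Map(Object.entries(initial));
  return {
    get: (k) => data.get(k),
    set: (k, v) => { data.set(k, v); },
    keys: () => [...data.keys()].sort(),
  };
}

// Attenuation: a facet that forwards only what a reader needs to do its job.
function readOnly(store) {
  return Object.freeze({ get: store.get, keys: store.keys });
}

// Static mutable state: every function in the program can reach it, and
// nothing in a caller's signature reveals that it does.
let GLOBAL_STORE = null;

function ambientReport() {
  GLOBAL_STORE.set("lastReport", "now");   // a write nobody asked for, but nothing stops it
  return GLOBAL_STORE.keys();
}

// POLA: the authority is a parameter, and the facet passed bounds it.
function polaReport(readableStore) {
  return readableStore.keys();
}

// Probe whether a write can be made through `facet`.
function canWrite(facet) {
  try {
    facet.set("probe", 1);
    return facet.get("probe") === 1;
  } catch (e) {
    return false;              // the frozen facet has no `set`: TypeError
  }
}

function authorityDemo() {
  const full = makeStore({ balance: 100, owner: "markm" });
  GLOBAL_STORE = full;
  const ambientKeys = ambientReport();          // side effect: "lastReport" now present
  const facet = readOnly(full);
  const polaKeys = polaReport(facet);
  const facetWritable = canWrite(facet);
  const fullWritable = canWrite(full);
  return { ambientKeys, polaKeys, facetWritable, fullWritable };
}
```

The dependency of `polaReport` on the store is visible in its parameter list and limited to reading, which is what "loose coupling" and "need to do" mean in code; `ambientReport` depends on a global it can also mutate, and that dependency is invisible at every call site.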

Page 10

Dynamic Distributed Messaging

[Diagram legend: Object, Capability, Message, Vat, Process / Machine]

Page 11

Crypto Capabilities

Page 12

Page 13

Page 14

The 4 Delegation Problems

[Diagram: Alice delegates to Bob; Mallet (M) and Power (P) appear in each panel, with a "?" marking the open question in each]

- Communicating Conspirators
- Confused Deputy
- Confinement
- Perimeter Security
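Of the four problems, the confused deputy is the one that a name-based ACL system cannot solve and a capability system dissolves. The following JavaScript is an added example, not from the slides: a "compiler" service that must write a billing record under its own authority and an output file for its caller, shown once with ambient (name-based) authority and once with writer capabilities. The in-memory file systems, paths, principals and permissions are constructed for illustration.

```javascript
// Added example, not from the slides: the confused deputy. With ambient
// authority the deputy resolves the caller's file name under its own
// permissions; with capabilities the caller hands over the writer it
// already holds, so there is no name for the deputy to be confused by.

// ACL world: writes are name-based and checked against a per-path list.
function makeAclFs() {
  const files = new Map();
  const writers = new Map();   // path -> Set of principals permitted to write
  return {
    create(path, allowed) { files.set(path, ""); writers.set(path, new Set(allowed)); },
    write(principal, path, text) {
      const allowed = writers.get(path);
      if (!allowed || !allowed.has(principal)) throw new Error(`${principal} may not write ${path}`);
      files.set(path, text);
    },
    read(path) { return files.get(path); },
  };
}

// The deputy writes everything as "compiler", including the caller's output.
function ambientCompiler(fs, outPath, source) {
  fs.write("compiler", "/var/billing", "1 unit");
  fs.write("compiler", outPath, `compiled(${source})`);
}

// Capability world: a writer is an unforgeable closure over one file slot.
function makeCapFs() {
  const files = new Map();
  return {
    writerFor(path) { files.set(path, ""); return (text) => { files.set(path, text); }; },
    read(path) { return files.get(path); },
  };
}

// The deputy takes writers, not names: the caller's output goes through the
// caller's own writer, and the billing writer is never exposed to the caller.
function capCompiler(billingWriter, outWriter, source) {
  billingWriter("1 unit");
  outWriter(`compiled(${source})`);
}

function ambientDemo() {
  const fs = makeAclFs();
  fs.create("/var/billing", ["compiler"]);
  fs.create("/home/user/out", ["user", "compiler"]);
  let directWriteRefused = false;
  try { fs.write("user", "/var/billing", "0 units"); } catch (e) { directWriteRefused = true; }
  // The ACL held against the direct write, but the deputy applies its own
  // authority to whatever name the caller supplied.
  ambientCompiler(fs, "/var/billing", "prog");
  return { directWriteRefused, billing: fs.read("/var/billing") };
}

function capDemo() {
  const fs = makeCapFs();
  const billingWriter = fs.writerFor("/var/billing");     // held by the compiler only
  const userOutWriter = fs.writerFor("/home/user/out");   // the caller's entire C-list
  const compile = (outWriter, src) => capCompiler(billingWriter, outWriter, src);
  compile(userOutWriter, "prog");                         // the only call the caller can make
  return { billing: fs.read("/var/billing"), out: fs.read("/home/user/out") };
}
```

In `capDemo` there is no API through which the caller can even mention `/var/billing`: the deputy's interface accepts authority, not names, so the caller's output is written with exactly the caller's own authority and the billing record stays intact.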

Page 15

SPKI as an Off-line Semi-Capability System

[Diagram: Issuer, Subject, Resource, Certificate, Authorization]

• Unconfinable ref to Bob/Subject
• Off-line
• Auditable
• Heavyweight

Page 16

Rights Amplification

[Diagram: Sealer and Unsealer; numbered steps 1 seal, 2, 3 unseal, 4; sealed contents "Tuna"]

E REPL session:

? define [sealer, unsealer] := BrandMaker pair("MarkM")
# value: [<MarkM sealer>, <MarkM unsealer>]

? define envelope := sealer seal("Tuna")
# value: <sealed by MarkM>

? unsealer unseal(envelope)
# value: Tuna
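The sealer/unsealer pair is the standard rights-amplification pattern: holding the envelope alone or the unsealer alone yields nothing, while holding both yields the contents. The following JavaScript is an added example that mirrors the E session above; it is not E's `BrandMaker` and not code from the slides. The brand is represented by a private `WeakMap`, and `makeBrandPair`, `sealDemo` and the string forms of the objects are constructed for illustration.

```javascript
// Added example, not from the slides: a sealer/unsealer pair in JavaScript
// mirroring the E transcript above. The brand is a WeakMap reachable only
// through the closures below: a sealed box reveals nothing by itself, and
// only the unsealer made in the same pair can open it.
function makeBrandPair(name) {
  const contents = new WeakMap();            // box -> sealed value; unreachable from outside
  const sealer = Object.freeze({
    seal(value) {
      const box = Object.freeze({ toString: () => `<sealed by ${name}>` });
      contents.set(box, value);
      return box;
    },
    toString: () => `<${name} sealer>`,
  });
  const unsealer = Object.freeze({
    unseal(box) {
      if (!contents.has(box)) throw new TypeError(`not sealed by ${name}`);
      return contents.get(box);
    },
    toString: () => `<${name} unsealer>`,
  });
  return [sealer, unsealer];
}

// Rights amplification: the envelope and the matching unsealer together
// yield "Tuna"; the envelope alone, or a different brand's unsealer, do not.
function sealDemo() {
  const [sealer, unsealer] = makeBrandPair("MarkM");
  const [, otherUnsealer] = makeBrandPair("Other");
  const envelope = sealer.seal("Tuna");
  let crossBrand;
  try { otherUnsealer.unseal(envelope); crossBrand = "opened"; } catch (e) { crossBrand = "refused"; }
  return {
    envelope: String(envelope),                                    // "<sealed by MarkM>"
    leaked: Object.keys(envelope).filter((k) => k !== "toString"), // nothing readable on the box
    unsealed: unsealer.unseal(envelope),                           // "Tuna"
    crossBrand,                                                    // "refused"
  };
}
```

Because `contents` is captured only by `seal` and `unseal`, no holder of the box can enumerate or forge its way to the value; that unforgeability is what lets the sealed box be passed around freely while the unsealer stays closely held.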