Immunity from Viruses: Safety from Geeks Bearing Gifts
Mark S. Miller
Open Source Coordinator, ERights.org
CTO, Combex Inc.
MS's 1st Immutable “Law”
If a bad guy can persuade you to run his program on your computer, it's not your computer anymore.
It's an unfortunate fact of computer science: when a computer program runs, it will do what it's programmed to do, even if it's programmed to be harmful. [...] Once a program is running, it can do anything, up to the limits of what you yourself can do on the machine. [...] It could open every document on the machine, and change the word "will" to "won't" in all of them. [...] It could install a virus. It could create a "back door" that lets someone remotely control your machine. [...]
That's why it's important to never run, or even download, a program from an untrusted source [...]
POLA: The Goldilocks Principle
Diagram with two axes: Safe vs Dangerous, and Isolated / Useless vs Integratable / Useful.
- Applets: No Authority (safe, but isolated and useless)
- Applications, Signed Code: Full Authority (integratable and useful, but dangerous)
- Caplets: Least Authority (safe and useful)
Which is normal?
The Equivalence Myth
The same access matrix, shown twice: principals Alice, Bob and Carol against the rights reading /etc/passwd, editing ~markm/foo/*, and reading /etc/motd.
Access Control List (ACL) = the matrix read per resource.
Capability List = the matrix read per principal = variables in scope:
    class Alice {
        void someMethod() {
            // …
            bob.foo(carol);
        }
    }
Capability Security: Only Connectivity Begets Connectivity
How Alice, Bob and Carol come to hold references to one another:
• By Introduction
  - ref to Carol
  - ref to Bob
  - decides to share
• By Parenthood
• By Construction
• By Initial Conditions
• Absolute Encapsulation
• Only source of authority
Untangling the Myth
Comparison table of Matrix ACLs, Matrix Caps, Caps in practice and SPKI along these criteria:
- by Resource vs by Principal
- Static vs Dynamic
- Resource vs Object
- Names & Authority confusable?
- Alice-Bob link confinable?
- Composable?
Capabilities == O-O Security
Capability discipline -> good software engineering
No static mutable state -> fewer “per” errors
POLA -> good modularity
- required trust is a form of dependency
- loose coupling -> reducing dependencies
Information hiding -> “need to know”
POLA -> “need to do”
Dynamic Distributed Messaging
Diagram legend: Object, Capability, Message, Vat, Process / Machine.
Crypto Capabilities
The 4 Delegation Problems
Parties in the diagram: Alice, Bob, Mallet (the attacker) and a Power.
- Communicating Conspirators
- Confused Deputy
- Confinement
- Perimeter Security
SPKI as an Off-line Semi-Capability System
Diagram: an Issuer grants a Subject an Authorization over a Resource by signing a Certificate.
• Unconfinable ref to Bob / Subject
• Off-line
• Auditable
• Heavyweight
Rights Amplification
Diagram: a Sealer / Unsealer pair, steps numbered 1 to 4; step 1 is seal, step 3 is unseal, and the payload passed through is "Tuna".
    ? define [sealer, unsealer] := BrandMaker pair("MarkM")
    # value: [<MarkM sealer>, <MarkM unsealer>]
    ? define envelope := sealer seal("Tuna")
    # value: <sealed by MarkM>
    ? unsealer unseal(envelope)
    # value: Tuna
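The BrandMaker transcript above, worked out as an added JavaScript example (not code from the slides or from E): makeBrandPair is this example's own name for what BrandMaker pair does, the brand is a private WeakMap, and the run also shows that an unsealer from a second brand cannot open the envelope.

```javascript
// Added example, not code from the slides: a sealer/unsealer ("brand")
// pair in plain JavaScript, mirroring the E transcript above.
// makeBrandPair is this example's own name for what BrandMaker pair does.

function makeBrandPair(name) {
  // The brand is a private table from sealed boxes to their payloads.
  // Only the two closures below can reach it, so whoever holds a box
  // alone learns nothing about what it contains.
  const contents = new WeakMap();

  // Boxes are frozen and have no own properties; their only usable
  // feature is identity, which is what the unsealer looks up.
  const boxProto = Object.freeze({
    toString() { return `<sealed by ${name}>`; },
  });

  const sealer = Object.freeze({
    seal(payload) {
      const box = Object.freeze(Object.create(boxProto));
      contents.set(box, payload);
      return box;
    },
  });

  const unsealer = Object.freeze({
    unseal(box) {
      // Rights amplification: box + matching unsealer yields the payload.
      // A box sealed under another brand is simply absent from this table.
      if (!contents.has(box)) throw new Error(`not sealed by ${name}`);
      return contents.get(box);
    },
  });

  return [sealer, unsealer];
}

// Worked run: the transcript's steps plus the cross-brand failure case.
function demo() {
  const [sealer, unsealer] = makeBrandPair("MarkM");
  const [, otherUnsealer] = makeBrandPair("Mallet"); // a second, unrelated brand
  const envelope = sealer.seal("Tuna");

  let crossBrandOpened = false;
  try { otherUnsealer.unseal(envelope); crossBrandOpened = true; } catch (_err) {}

  return {
    label: String(envelope),             // "<sealed by MarkM>"
    ownKeys: Object.keys(envelope),      // [] : payload is not reachable from the box
    unsealed: unsealer.unseal(envelope), // "Tuna"
    crossBrandOpened,                    // false
  };
}
```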