
List:       cap-talk
Subject:    Re: [cap-talk] Shill: capability-based shell
From:       Scott Moore <sdmoore () fas ! harvard ! edu>
Date:       2014-09-25 21:52:52
Message-ID: CANCm3+LiXRHuAnGQXY0ypqOCyzaJGOk=JxDzpq5Ew-5HhChZgQ () mail ! gmail ! com



Hi Bill,
Yes, you're right that you need to look at a bit more than the contract for
that particular security goal. The actual script is careful not to grant
this capability to student programs directly, but appends per-submission
log files onto the log. We probably should have clarified that further in
the paper, and used a more specific "append-only" capability for the script
as a whole... Good catch.
Cheers,
Scott

On Thu, Sep 25, 2014 at 5:49 PM, Bill Frantz <frantz@pwpconsult.com> wrote:

> On 9/25/14 at 9:45 AM, sdmoore@fas.harvard.edu (Scott Moore) wrote:
>
>> Hi all,
>> I'm part of the team working on Shill. I'm happy to answer any questions
>> and we're very excited to hear what cap-talk thinks!
>> Cheers,
>> Scott
>>
>> On Thursday, September 25, 2014, Tony Arcieri <bascule@gmail.com> wrote:
>>
>>> Apologies if this has been discussed before but It's New To Me(TM), and
>>> relevant to the recent "Shellshock" escapades with bash:
>>>
>>> http://shill.seas.harvard.edu/
>>>
>>> --
>>> Tony Arcieri
>>>
>>
> In looking at your paper <http://shill.seas.harvard.edu/shill-osdi-2014.pdf>,
> figure 1, it appears that the grade instance
> has full write access to the grade_log. I interpret this to mean that a
> student program could overwrite or otherwise corrupt the grade_log. This is
> similar to the problem Norm Hardy addressed with his "Confused Deputy"
> paper.
>
> Don't get me wrong. I think Shill is addressing many of the right issues,
> is a useful contribution, and the above issue could be addressed in several
> ways within the Shill system.
>
> Cheers - Bill
>
> -----------------------------------------------------------------------
> Bill Frantz        | Truth and love must prevail  | Periwinkle
> (408)356-8506      | over lies and hate.          | 16345 Englewood Ave
> www.pwpconsult.com |               - Vaclav Havel | Los Gatos, CA 95032
>
>
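The exchange above turns on two capability idioms: the grading script never hands the student program a capability to grade_log (it gives it a fresh per-submission file and copies that file onto the log afterwards), and the script itself should hold an attenuated "append-only" capability rather than full write access, so that neither the student program nor a bug in the script can truncate the log. The following is an added illustration in Python, not Shill code and not the paper's grading script; the types WriteCap, AppendCap, attenuate_to_append and grade_all are constructed for this example to model the pattern.

```python
"""Constructed model of the grade_log design discussed in the thread.

Capabilities are unforgeable Python objects: code can only act on a file
if it was handed an object that refers to it. The student program receives a
capability to its own scratch file only; the grading script holds an
append-only capability to grade_log. None of these names come from Shill.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Tuple, Union


@dataclass
class File:
    """A stand-in for a file on disk (constructed for the example)."""
    name: str
    lines: List[str] = field(default_factory=list)


@dataclass(frozen=True)
class WriteCap:
    """Full write access: the holder can append to or truncate the file."""
    target: File

    def append(self, line: str) -> None:
        self.target.lines.append(line)

    def truncate(self) -> None:
        self.target.lines.clear()


@dataclass(frozen=True)
class AppendCap:
    """Attenuated capability: append only, no way to truncate or overwrite."""
    target: File

    def append(self, line: str) -> None:
        self.target.lines.append(line)


def attenuate_to_append(cap: WriteCap) -> AppendCap:
    """Derive the weaker append-only capability from a full write capability."""
    return AppendCap(cap.target)


StudentProgram = Callable[[WriteCap, int], None]
Submission = Tuple[str, StudentProgram, int]


def grade_all(log_cap: Union[WriteCap, AppendCap],
              submissions: List[Submission]) -> int:
    """Run each submission with a capability to a fresh per-submission file,
    then append that file's contents onto the grade log.

    The student program never sees log_cap, so it cannot reach grade_log;
    with an AppendCap the script itself cannot truncate it either.
    Returns the number of lines appended to the log."""
    appended = 0
    for sid, program, payload in submissions:
        scratch = File(f"submission-{sid}.log")      # fresh file per submission
        program(WriteCap(scratch), payload)          # student gets this file only
        for line in scratch.lines:
            log_cap.append(f"{sid}: {line}")
            appended += 1
    return appended


def honest_student(cap: WriteCap, payload: int) -> None:
    cap.append(f"result={payload}")


def misbehaving_student(cap: WriteCap, payload: int) -> None:
    # Constructed: wipes whatever file it can reach before reporting a result.
    # The only file it can reach is its own scratch file, so grade_log is unaffected.
    cap.truncate()
    cap.append(f"result={payload}")


def run_demo() -> List[str]:
    """Grade two submissions with an append-only log capability and return the log."""
    grade_log = File("grade_log")
    script_cap = attenuate_to_append(WriteCap(grade_log))  # script only needs append
    submissions: List[Submission] = [
        ("s1", honest_student, 42),
        ("s2", misbehaving_student, 100),
    ]
    grade_all(script_cap, submissions)
    return list(grade_log.lines)


if __name__ == "__main__":
    for entry in run_demo():
        print(entry)
    print("script capability can truncate log:",
          hasattr(attenuate_to_append(WriteCap(File("x"))), "truncate"))
```

The design choice worth noting is that confinement comes from reachability, not from checks: the student program cannot corrupt grade_log because it was never given an object that refers to it, and attenuating the script's own capability to append-only means the log's integrity no longer depends on the script being bug-free.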




_______________________________________________
cap-talk mailing list
cap-talk@mail.eros-os.org
http://www.eros-os.org/mailman/listinfo/cap-talk

