List:       e-lang
Subject:    RE: [e-lang] Pola and GUI operations
From:       "Karp, Alan" <alan_karp () hp ! com>
Date:       2002-12-27 20:15:11
> -----Original Message-----
> From: Norman Hardy [mailto:norm@cap-lore.com]
> Sent: Thursday, December 26, 2002 9:55 PM
> To: e-lang@mail.eros-os.org
> Subject: RE: [e-lang] Pola and GUI operations
> 
> 				(snip)
> > 
> > This case is what I'm worried about.  If the user agent can be 
> > subverted, then all hope is lost.  Letting me write the code for my 
> > user agent is giving me enough rope to hang myself.  The code 
> > running in the user agent must be written particularly carefully if 
> > I am to be sure it is loyal only to me.
> 
> In a good capability system the user agent can be subverted only if 
> it has a bug.  

Letting people write the code for their user agents is inviting such bugs.  I believe that something as critical as the user agent should run the smallest possible amount of code and should be provided as part of the platform.  Users, and even system administrators, should not have the capability to change this code.  Updates should only be done as part of a system refresh.

> I rely on my agent to be correct, but you don't rely on mine to be 
> correct (as when we share a computer). If I deal with secrets and 
> assets that others own, those others may specify my user agent. They 
> may well not trust my coding skills or they may demand that my 
> conveyance of authority be temporary by ensuring that capabilities 
> that I export be logged and rescindable.

Agreed.

> 
> I agree that it is an instance; I hope the code is shared. How would 
> an adversary replace it?
> 

"Hi, I'm from security.  You need to fix a security flaw in your system.  Please make the following modifications to the code in your user agent."

"Double click to see Sandra Bullock in the shower.  If the attachment doesn't open, please try again in your user agent."

The code is not shared if individuals can write the code for their own user agents.  Even if it is shared, the user is often the security administrator for the machine, and most users are naive about requests such as the above.

> > > 				(snip)

_________________________
Alan Karp
Principal Scientist
Decision Technology Department
Hewlett-Packard Laboratories MS 1141
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-6278
https://ecardfile.com/id/Alan_Karp
http://www.hpl.hp.com/personal/Alan_Karp/
 
_______________________________________________
e-lang mailing list
e-lang@mail.eros-os.org
http://www.eros-os.org/mailman/listinfo/e-lang