[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [ANNOUNCE] Introducing Codezero
From: |
olafBuddenhagen |
Subject: |
Re: [ANNOUNCE] Introducing Codezero |
Date: |
Tue, 10 Nov 2009 14:23:33 +0100 |
User-agent: |
Mutt/1.5.19 (2009-01-05) |
Hi,
On Sun, Nov 08, 2009 at 04:53:00AM +0100, Bas Wijnen wrote:
> On Wed, Nov 04, 2009 at 07:01:42AM +0100, address@hidden
> wrote:
> > On Tue, Jul 28, 2009 at 08:37:36AM +0200, Bas Wijnen wrote:
> > > For me, supporting encapsulation is extremely important. It means
> > > that a user can start a program in a safe way. Even if the
> > > program is malicious, and somewhere on the system is an other
> > > malicious program which would like to work together with it, it is
> > > impossible because they cannot talk.
> >
> > This is nice in theory, but doesn't really work in practice, because
> > of covert channels. All you can really do is make it more tricky,
> > and limit the rate at which the malicious components can
> > communicate; but not prevent it entirely. This makes me question
> > whether it's even worthwhile to try building a system around this...
> >
> > Note that I do believe in limiting what potentially malicious
> > programs can do in the first place. I'm just sceptical about trying
> > to prevent cooperation between potentially malicious programs.
>
> Yes, I agree. However, I'm not building a system around preventing
> this attack. I'm building it around "doing what the user wants".
> This means that a program started by the user must not be compromised
> by some other program, even if that other program is malicious. For
> this, encapsulation (of the malicious program) is required.
Of course... But that totally misses my point :-)
I was explicitely talking *only* about the fact that I don't believe
it's worthwhile to try preventing covert channels at any costs (as some
will be left in any case); and thus don't think the channels created by
the resource management approach in Viengoos are a real problem.
> In X, any client can hijack all events on the server, and effectively
> take over the X interface of any other client, which includes sniffing
> passwords.
Actually it's not possible anymore when using the (fairly recent) X
security infrastructure, which can (for example) apply selinux rules in
X.
Of course selinux is a pain... But that's a different story :-)
-antrik-