Re: Microsoft ammunition
At 12:49 PM 3/28/97 -0800, Bill Frantz wrote:
> Whether your personal files are stored on a
> local disk or on a server doesn't matter. What matters is whether random
> downloaded code (again, Java or ActiveX doesn't matter) can use your
> authority to read/modify those files. The ActiveX model of, "It's signed
> by XYZ Corp. Of course it's safe." is so much bullshit.* The Java
> approach of running untrusted code in a safe box is better, but doing it by
> validating the safety of object code requires trusting a large complex
> verifier.
JavaSoft has moved in the right direction. Their JECF is largely
capabilities-based and in fact, Java security in general is moving towards
capabilities. That won't help you against attacks via the underlying
insecure OS, such as Windows 95/NT, MacOS, or UN*X which the typical user
will be running, but it is miles ahead of the initial sandbox model.
> * See Norm Hardy's paper, "The Confused Deputy", which I believe is still
> available through the EROS page at the University of Pennsylvania.
It was a talk by Norm that made me see the light. Secure computing requires
capabilities. And there is anecdotal evidence that it was Norm who
indirectly pointed JavaSoft to the solution to their leaking sandbox problem.
Time for my usual plug: if you are unfamiliar with capabilities-based
operating systems or don't know why they are the only currently available
solution to a whole host of computer security problems, do a search for
"KeyKOS". It should get you started.
-- Lucky Green <mailto:[email protected]> PGP encrypted mail preferred
"I do believe that where there is a choice only between cowardice and
violence, I would advise violence." Mahatma Gandhi
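The "confused deputy" that Frantz's footnote cites, and the capability fix the reply argues for, shown as an added illustration that is not part of this message or of Hardy's paper: a compiler-like deputy that writes the caller's output and appends to a billing log, first with ambient authority and then acting only through capabilities. The in-memory store, the `/var/billing.log` path and the `WriteCap` class are constructed for this example; real unforgeability is something the OS or language runtime (as in KeyKOS) provides, not this Python.

```python
BILLING = "/var/billing.log"  # constructed path for the deputy's private log


class FileStore:
    """Constructed in-memory stand-in for a filesystem the deputy can reach."""

    def __init__(self):
        self.files = {BILLING: "charges: 0\n"}

    def write(self, path, data):
        self.files[path] = data

    def append(self, path, data):
        self.files[path] = self.files.get(path, "") + data


def ambient_compile(store, output_path, source):
    """Deputy with ambient authority: it writes wherever the caller names it.
    Permission is checked against the deputy, not the caller, so a caller
    who names the billing file gets it overwritten on their behalf."""
    store.write(output_path, "object code for: " + source)
    store.append(BILLING, "charge 1 unit\n")


class WriteCap:
    """A capability: a handle that both designates one file and carries the
    authority to write it. Holding the handle is the permission (assumed
    unforgeable here; a capability OS enforces that, plain Python does not)."""

    def __init__(self, store, path):
        self._store, self._path = store, path

    def write(self, data):
        self._store.write(self._path, data)

    def append(self, data):
        self._store.append(self._path, data)


def capability_compile(output_cap, billing_cap, source):
    """Deputy that acts only through capabilities it was handed: the caller
    can only designate an output file they already hold a WriteCap for, and
    the billing capability belongs to the compiler service alone."""
    output_cap.write("object code for: " + source)
    billing_cap.append("charge 1 unit\n")


def demo():
    """Returns (billing clobbered under ambient authority, intact under caps)."""
    ambient = FileStore()
    ambient_compile(ambient, BILLING, "main.c")  # caller names the billing file
    clobbered = not ambient.files[BILLING].startswith("charges:")
    caps = FileStore()
    billing_cap = WriteCap(caps, BILLING)  # held by the compiler service only
    user_out = WriteCap(caps, "/home/user/main.o")  # the only cap the user holds
    capability_compile(user_out, billing_cap, "main.c")
    intact = caps.files[BILLING] == "charges: 0\ncharge 1 unit\n"
    return clobbered, intact
```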