--
You received this message because you are subscribed to the Google Groups "cap-talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cap-talk+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/cap-talk/CAJ7XQb696GsEA13_pyr5kCWCFh5UQwsB5AkErjxP4iU0MBGzNw%40mail.gmail.com.
The problem is, I also need to know exactly what the code is going to do with it, not just that it wants refined access.

Code can maliciously leak stuff. Code can also even accidentally leak stuff, too.

To me it is all from a UX security perspective still very much a bit of a bad joke to have all these fine-grained popups on our devices. What good does it do me, really? What good does it do overall when people get worn down by them in the first week?

I don't think we should just leave the barn doors open, no, and I do believe in defense-in-depth vs. crimes of opportunity. Tho with digital copies one fundamentally cannot ever take the data back / scour it after being leaked.

The only way to win is not to play. I wish all security presentations started with that quote on the first slide just to be clear and honest. /grumpytoday.
On Thu, Aug 11, 2022 at 1:31 PM Raoul Duke <rao...@gmail.com> wrote:

> The problem is, I also need to know exactly what the code is going to do with it, not just that it wants refined access.

What? IIUC, I could not disagree more. The whole point of POLA is to bound risk by bounding authority. I need to know that a bound is enforced. I do *not* need to know exactly what it does within that bound.

> Code can maliciously leak stuff. Code can also even accidentally leak stuff, too.

We know how to prevent overt leakage, so I assume you're talking about non-overt channels.

Aside from crypto keys, which should be specially protected anyway, we can and should generally engineer systems so that integrity does not depend on confidentiality. Authority should be access limited, not knowledge limited. For such systems done right, code can at most leak information, not access and authority.

To leak even information over non-overt channels, there must be someone within earshot to read that non-overt channel.

> To me it is all from a UX security perspective still very much a bit of a bad joke to have all these fine-grained popups on our devices. What good does it do me, really? What good does it do overall when people get worn down by them in the first week?

Are you aware that this community practices POLA at the UI in a way that minimizes, not just such popups, but minimizes all interaction rituals that a user would understand as being only about security?

> I don't think we should just leave the barn doors open, no, and I do believe in defense-in-depth vs. crimes of opportunity. Tho with digital copies one fundamentally cannot ever take the data back / scour it after being leaked.

Preventing information leakage (confidentiality) is indeed much harder than preventing authority leakage (integrity). And yes, with proper prearrangement authority can be revoked. Knowledge cannot be. Our security claims and practices need to take such constraints into account.

> The only way to win is not to play. I wish all security presentations started with that quote on the first slide just to be clear and honest. /grumpytoday.

The game I care about is to facilitate cooperation, and to lower the risk of cooperation. Robust composition. For that game, to not play is to lose.

Cheers,
--MarkM
On Aug 11, 2022, at 21:54:39, Raoul Duke <rao...@gmail.com> wrote:

> As soon as networking gets involved, it seems like all bets are off. Asking me "can program foobar talk to server foobar.com?" doesn't really help me all that much, even if foobar==somewellknowncorp. I mean I just rubber stamp things for the most part. There's no way I can vet what they are doing on their side, heaven knows. And the local app in question could have been saving up all sorts of sneaky things to splurt out over the network if I eventually allow it for some use case of mine later on.
>
> "Do you want to share image X? Then (a) give me permission to read it locally [ok, I guess] and (b) give me permission to use the network <utterly arbitrarily with no real restrictions because, what, you are going to somehow audit each and every message that goes over protobuf or something?> so I can send it, thanks!"
>
> But yeah, dealing with legacy systems is a pain.
> Installers probably also need maybe a successful way to control hardware driver opaque binary blobs?

Also, trust chains are weak links I feel. So many ways to do MITM on certs and obviously always a high target priority for every kind of tricky or $$$ overt penetration engineering.
CapROS has a system for running "out of the box" Linux drivers in domains, but I don't know much about how it works. For systems with memory mapped I/O, the memory mapping may be enough to limit a process to just one I/O device.

There's a lot of ifs here, but with proper hardware architecture, it should be possible to run untrusted I/O drivers. At a minimum you want to be able to isolate devices so a process/domain can be limited to only one device. You want any direct memory access system to be limited to specific pages and devices, the way we did in 370 KeyKOS.
Hi William, which OS do you use to build Coyotos?
On Mon, 15 Aug 2022 at 13:24, Bill Frantz <fra...@pwpconsult.com> wrote:

> CapROS has a system for running "out of the box" Linux drivers in domains, but I don't know much about how it works. For systems with memory mapped I/O, the memory mapping may be enough to limit a process to just one I/O device.
It exposes the PCI configuration space and resource maps for the driver as native capabilities:
On Mon, 15 Aug 2022 at 13:48, Raoul Duke <rao...@gmail.com> wrote:

> Are any of the KeyKOS lineage something we could ever run today on real hardware? That would be awesome I feel like. :)
>
> https://en.wikipedia.org/wiki/KeyKOS
> https://www.cis.upenn.edu/~eros goes to a 404
Neither of these are really ready to make a song and dance about yet.
CapROS almost builds, we need to update some of the included libraries: https://github.com/capros-os
I believe that when it comes to retrofitting POLA, all too often the same wrong question gets asked.

"Why does potentially malicious application X need access to location Y where multiple entities store sensitive or not to be overwritten data?"

When the question should be:

"Why does entity Z need to use location Y to store sensitive or not to be overwritten data?"

Some old slides from an abandoned project (slides 21..27 are most relevant).
On Tue, Aug 16, 2022 at 12:08 AM Rob Meijer <pib...@gmail.com> wrote:

> I believe that when it comes to retrofitting POLA, all too often the same wrong question gets asked.
>
> "Why does potentially malicious application X need access to location Y where multiple entities store sensitive or not to be overwritten data?"
>
> When the question should be:
>
> "Why does entity Z need to use location Y to store sensitive or not to be overwritten data?"
>
> Some old slides from an abandoned project (slides 21..27 are most relevant).

That's a really good slideshow! Is there also a recorded talk? I'd love to watch it sometime.