9fans - fans of the OS Plan 9 from Bell Labs
 help / color / mirror / Atom feed
From: Richard <greon@best.com>
To: 9fans@cse.psu.edu
Subject: [9fans] capability-based design (Re: permissions idea)
Date: Thu,  4 Oct 2001 11:36:07 -0700	[thread overview]
Message-ID: <E15pDLr-0001oG-00@localhost> (raw)
In-Reply-To: <3BB8BCC0.CC5C9FC2@null.net>

Douglas A. Gwyn writes:

>  The only
>viable solution I know of is for *every* mode of access
>to *every* object to require the accessor to possess an
>appropriate "capability".

word.  let me give the reader a little taste of capability-based
design, for those who might not know it.  In a capability-based OS, a
program does not have free access to the filesystem.

suppose that in Plan 9 the shell and the rm command were rewritten so
that in the execution of the command

  rm foobar

the shell opened the file foobar and passed the open file descriptor to
rm.  (this would of course mean expanding the argc/argv interface so
that not only strings but also file descriptors can be passed in.)
suppose further that all commands worked this way, and that the OS
prevented commands (programs) from directly opening files.  well, more
precisely, suppose that the open subroutine would obtain the user's
permission before opening the file.

in such an OS, a command cannot modify the filesystem behind the user's
back.  in contrast, in Unix and Plan 9, a command written by a malicious
programmer can, eg, erase or introduce errors into a user's data files.

the risk of inadvertently running a malicious program is not a big
problem in practice for many of us, so the reader might not be attracted
to the idea of changing things just to avert that risk.  note though
that the capability ("capa") design averts the risk without adding a lot
of new code (as the stupid idea of digital immune systems does), but
rather mainly by readjusting the interface between shell and command.
elegant!

a more practical benefit of the capa approach that might appeal more to
the average desktop user is the discipline it imposes on app writers.
specifically, the app must asks permission (from the OS, which
then might ask the user) before doing anything significant to the user's
software environment.  

eg, if a community of users got into the habit, for example, of guarding
the ability to display animated graphics behind a capability, then an
app writer who wanted to distribute an app into that community would
have to write code that explicitly asks permission to display
animations, even if the app already had permission to write static
graphics to the screen.

another, classic example is that if you install Internet Explorer on
Windows, it or its installer is free to fuck up your already-installed
Netscape.  in a capa OS, the IE installer cannot make IE your default
browser without obtaining permission.  this restriction is enforced by
the kernel just like the restriction that the IE installer cannot access
memory belonging to another process.

a typical desktop computer is used by only one person but contains apps
written by thousands of programmers.  if you are like me, you would like
app writers to have less power over the other apps on your desktop and to
make fewer assumptions about your software environment.  this of course,
takes us outside of security per se, into the realm of giving users
more control over apps, not by exhorting app writers to change, but
by introducing a new platform that forces them to change or else
their code does not run.



  parent reply	other threads:[~2001-10-04 18:36 UTC|newest]

Thread overview: 30+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2001-09-28  1:06 [9fans] on the topic of viruses dmr
2001-09-28  9:58 ` Boyd Roberts
2001-10-01 16:13   ` permissions idea (Re: [9fans] on the topic of viruses) Matthew Hannigan
2001-10-01 16:18     ` Matthew Hannigan
2001-10-02  8:34     ` Douglas A. Gwyn
2001-10-02 15:11       ` Matthew Hannigan
2001-10-04 18:36       ` Richard [this message]
2001-09-28 14:23 ` [9fans] on the topic of viruses Bobby Dimmette
2001-09-28 18:44   ` Boyd Roberts
2001-09-28 20:35     ` Bobby Dimmette
2001-10-01  9:55       ` Douglas A. Gwyn
2001-10-01 10:40         ` Boyd Roberts
2001-10-01  9:55 ` Douglas A. Gwyn
2001-10-04 19:28 [9fans] capability-based design (Re: permissions idea) rog
2001-10-04 20:27 ` Richard
2001-10-04 20:33 ` Richard
2001-10-04 21:59 forsyth
2001-10-04 23:29 ` Richard
2001-10-04 23:57 Richard
2001-10-05  4:00 okamoto
2001-10-08 16:53 ` Maarit Maliniemi 
2001-10-05  5:31 nigel
2001-10-05  7:40 ` Richard
2001-10-08  9:36   ` Thomas Bushnell, BSG
2001-10-05  8:13 nigel
2001-10-05 16:44 ` Richard
2001-10-05 17:12 Russ Cox
2001-10-08 18:16 Sape Mullender
2001-10-08 18:18 ` Lucio De Re
2001-10-09  2:06 okamoto

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=E15pDLr-0001oG-00@localhost \
    --to=greon@best.com \
    --cc=9fans@cse.psu.edu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).