From: Ben Laurie <ben@algroup.co.uk>
Date: Fri, 06 Dec 2002 18:00:18 +0000
Subject: Re: [e-lang] capability myths demolished!

marcs wrote:
> On Sunday 01 December 2002 08:47 am, Jonathan S. Shapiro wrote:
> 
>>On Thu, 2002-11-28 at 12:47, marcs wrote:
>>
>>>A point I have started making since the advent of Palladium is that
>>>checking in with the central HQ about the good standing of the author
>>>does not solve all the problems...
>>
>>Then please stop making this point in this way, as this has nothing
>>whatsoever to do with Palladium. In the Palladium scheme, there is
>>generally no per-transaction check with a central source and the
>>originating authority does not make any certification whatsoever about
>>the good standing of the target machine.
>>
>>Your point is sound and worth making, but it has nothing to do with
>>Palladium and it will become discredited as people figure that out.
> 
> 
> While I immediately cede the point wrt the way I stated it above, it still 
> seems to me that the overall point does have something to do with Palladium. 
> If Palladium uses code-signing as the mechanism for establishing trust and 
> allowing execution, but still lets the operating system grant gross excesses 
> of authority once this primitive test has been passed, simple programming 
> bugs in a Palladium universe will continue to present rich targets for 
> cracker exploitation. Is this true, or is my understanding of Palladium even 
> more wildly wrong than I had thought? I.e., its security stance is based on 
> code signing, right?

Kinda.  The point is that your machine will sign the code it is running 
and communicate that signature to a third party, which can then use that 
signature to decide whether to provide services to your machine or not.

This doesn't invalidate your point (i.e. it's highly likely that bugs in 
the code can then be used to subvert the whole process), but your 
assumption that code-signing is used to control execution in Palladium 
is flawed (however, it is possible to implement that, of course, it just 
isn't what Palladium brings to the party).

Remember that the point about Palladium is trust in your machine. Not 
_your_ trust, unfortunately. Disney's. 

Cheers, 

Ben. 

-- 
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
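As an added illustration of the exchange Ben describes above (the machine reports a signed measurement of the code it runs, and a third party uses it to decide whether to serve the machine), here is a small attester/verifier pair. This is example code written for this note, not code from the thread or from Palladium; it assumes an HMAC with a constructed key in place of the hardware-held signing key, and a constructed allow-list in place of the third party's policy.

```python
import hashlib
import hmac
import secrets

# Assumption: a shared secret and HMAC stand in for the platform's
# hardware-protected attestation key. Constructed value for the demo only.
PLATFORM_KEY = b"constructed-demo-platform-key"


def measure(code: bytes) -> str:
    """Measurement of a code image: a hash of exactly what the machine runs."""
    return hashlib.sha256(code).hexdigest()


def attest(code: bytes, nonce: bytes) -> dict:
    """Attester side (the user's machine): sign the measurement, bound to
    the verifier's fresh nonce so an old report cannot be replayed."""
    m = measure(code)
    tag = hmac.new(PLATFORM_KEY, nonce + m.encode(), "sha256").hexdigest()
    return {"measurement": m, "nonce": nonce.hex(), "sig": tag}


def verify(report: dict, nonce: bytes, allowed: set) -> bool:
    """Verifier side (the third party): check the signature, the nonce,
    and whether the reported code is one the policy is willing to serve.
    Note what is NOT checked: whether that code is free of bugs."""
    expected = hmac.new(
        PLATFORM_KEY, nonce + report["measurement"].encode(), "sha256"
    ).hexdigest()
    if not hmac.compare_digest(expected, report["sig"]):
        return False  # report not produced by the platform key
    if report["nonce"] != nonce.hex():
        return False  # stale or replayed report
    return report["measurement"] in allowed


def service_decision(code: bytes, allowed: set) -> bool:
    """Full round trip: verifier issues a nonce, machine attests, verifier decides."""
    nonce = secrets.token_bytes(16)
    return verify(attest(code, nonce), nonce, allowed)


# Constructed code images: an approved build and a modified copy of it.
APPROVED_BUILD = b"constructed media player build 1.0"
MODIFIED_BUILD = APPROVED_BUILD + b" (patched locally)"
POLICY = {measure(APPROVED_BUILD)}
```

The approved build is served even if it contains an exploitable bug, because attestation only answers "which code is running", which is the point the thread is making.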

_______________________________________________
e-lang mailing list
e-lang@mail.eros-os.org
http://www.eros-os.org/mailman/listinfo/e-lang