No, it can share settings. To make sure that these settings cannot be
used as a channel between instances, we can do something like this:

- there is a settings editor UI which is a separate component to the
rest of the browser. The confined instances never write to the settings
directly; they just have read-only access, plus the ability to make
the settings editor appear when the user asks for it (and it is not
already displayed).

- the settings editor has the ability to display a (labelled) window,
and its interface essentially acts as a function from old to new
settings. It doesn't need, and therefore doesn't have, any network
or filesystem access.

With two browser instances, the information flow in this system is:

<pre>

.----------------> [ user ] <----------------.
| ^ |
v | v
[ Internet ] v [ intranet ]
[ browser ] <---- [ settings editor ] ----> [ browser ]
^ | | ^
| | | |
| '---------> [ virus checker ] | |
| | | |
| v | |
| [ filesystem ] <-----------' |
| |
v v
( Internet ) <-------> [ VPN bridge ] <------> ( intranet )

</pre>

Note that information cannot get from the network cloud to the filesystem
other than:
- via the virus checker;
- via the VPN bridge;
- by the user cutting and pasting (or retyping) between applications.

I think that cutting and pasting is probably out of scope for this problem,
although it could be addressed in something like the EROS Window System
design: <http://www.sagecertification.org/events/sec04/tech/shapiro.html>.

I imagine that a capability-based desktop environment would already have a
framework implementing the above, because it is such a common requirement to
be able to share settings between otherwise confined application instances.

(The problem statement begs the question of why you would not want the files
saved by the intranet browser also to be virus checked -- bearing in mind
that false positive virus indications are quite common, and would need to be
overridable by the user in any case. But hopefully the advantage of being
able to prevent direct communication between application instances, while
still allowing them to share settings, is clear in any case.)

Note that routinely separating the settings editor for each application from
the rest of the app has some other advantages: it would make it easier to
manage (back up, roll back, share between user accounts, limit according to
organisational policy) settings in a uniform way for all applications.
This could well improve usability, compared to the mess of settings handled
differently by each app in current operating systems.
That's why I said 'add a hook to the browser's powerbox'. Running some
boolean predicate on file contents before allowing them to be saved is
such an obviously useful facility, then we can reasonably expect it to
have been anticipated. (In fact, it's insane that virus checkers don't
already work that way.) If we have more than one predicate to run, we can
'and' them without requiring them to have knowledge of each other.

In any case, the powerbox that needs to be changed/hooked here is logically
part of the shell, not of the app.

Yes and no. I agree it would be difficult to analyze at some layers
(although some ISPs do it anyway), but given a "componentized" system
like EROS, the interposition of a filter can be done at *any* layer,
Ethernet, TCP/IP, post-decryption, file system, http and https protocols
can be implemented in their own components, between which a filter could
analyze requests/responses, etc.

However, I am assuming that we are designing the system from scratch to
enable these patterns (though any sufficiently componentized system
would probably suffice), and not trying to retrofit existing
applications into this usage model.

If you're trying to do this with Firefox, I think you'd have to
interpose a virus scanning filter in front of the file system. That may
not be enough if you keep the application running while you switch
networks though. Interesting challenge.

Sandro

I never said they were any good, just that they could, and try to, do it.
I'm also not talking about the OS enforcing anything, except providing
mechanisms for the applications to help the user enforce his policies.
I never said the OS would be aware of the keys or need to be. Take the
following componentized browser design:

...Rest of browser <-> http <--+-> network stream
| | |
File system +-SSL-+

In EROS, http, SSL, network stream, could be separate processes, and the
browser process constructor could accept capabilities to third-party SSL
and http components. So then why couldn't the user simply define a new
configuration with a third-party virus scanner that understands http:

...Rest of browser <-> virus scanner <-> http <--+-> network stream
| | |
Virus scanner +-SSL-+
|
File system

This is what I mean by "any sufficiently componentized" system. No, you
can't enforce such designs on all applications, but applications are
more likely to reuse existing abstractions than not (like the file
system), so eventually we might get there.

Hopefully, that clarifies my suggestion. I didn't think through the
initial suggestion of interposing on the Ethernet interface, but the
network interface could be used to launch the correct browser
configuration (with or without virus scanning).
I agree that it shouldn't be "built-in", and I wasn't suggesting that.
You could use the same pattern as above for each of these protocols, but
it requires a bit work to parse each protocol. Or an interposition on
something more coarse-grained and common to all of these applications:
the file system.
Sure, because that's saying, "here's how I would specifically design my
solution to circumvent the problem". I was instead saying, "here's how I
think a web browser would work under EROS, and how such
capability-secure designs can solve this and similar problems".
You didn't address my final suggestion for Firefox if you were seeking
backwards compatibility (interpose a scanner between the app and the
file system). The file system is a component in most OS's and
applications today, so it's similar to the above solution, but more
coarse grained.

Sandro

Agreed.
SSL, HTTP, HTML, IMAP, POP, and SMTP are all implemented in components of
Windows. Whether this is a good idea is a different question; I'm not holding
up Windows as an exemplar of anything other than that this is possible. Most
antivirus packages (e.g. Norton Antivirus and F-Secure at least) also interpose
on IMAP, POP and/or SMTP connections, using application-level gateways/proxies.

In any case, for the Mazieres challenge problem, I think it's fairly clear
that (regardless of how existing antivirus packages do it), the browser's
access to the filesystem is an easier and more reliable point at which to
enforce the virus checking, than by trying to interpose on arbitrary network
protocols.
Not even Windows implements the Kazaa protocol.

Let's say that's a webmail provider; then the email will be virus-checked
when the employee tries to save it to the filesystem from their web browser
instance that is configured to access the Internet. The challenge problem
is trying to enforce a coherent, in-principle enforceable security policy,
IMHO.

(It would be more robust to enforce the policy, "this filesystem contains
no files that have not been virus-checked", though. And not by periodically
checking all the files, which is a stupid way of failing to enforce that
constraint.)