David Wagner
2006-12-12 08:50:04 UTC
MarkM has been looking around for security challenge problems.
I've got one to add to the list. I've been having an email
conversation with David Mazieres about the HiStar system, and he
raised an interesting problem that I think fits the bill.
You've got a laptop. While travelling, you sometimes connect
to the public Internet unprotected ("skinnydipping"). While at
home, you sometimes connect to your work's intranet over a VPN.
The desired security policy is this: any data you got over the
public Internet must be scanned with a virus scanner before it
can be sent to your work's intranet via the VPN.
Question: How do we enforce this policy? Of course, the real
question is how a capability system can be used to enforce this
desired policy, and whether capabilities provide any extra leverage.
In David Mazieres' formulation, he wanted an OS solution that
would work with legacy applications, but we could presumably
relax that a bit. For instance, if you've got in mind a hypothetical
capability-based desktop, a la CapDesk, then we could ask how your
desktop could enforce this policy without making unreasonable changes
to all your applications.
Any takers?
(My first reaction: This problem is orthogonal to the kinds of
problems that capability systems usually try to solve. Consequently,
capability systems might not have any special advantage at enforcing
this kind of policy. That seems ok; capabilities aren't a silver
bullet, and they don't solve every problem in the world. But maybe
others have a different reaction, or can see some clever way in which
capabilities would make this problem easier to solve.)
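One way to model the policy in the post as a label-based (HiStar-style) information-flow check, as an added example that is not part of the original message: data read from the public Internet carries a taint label, taint propagates when data is mixed, only the scanner may strip it, and the VPN sink refuses anything still tainted. The label name, the stand-in scanner and its signature list are assumptions for the example.

```python
from dataclasses import dataclass, field

# Constructed taint model for the laptop policy: bytes that arrived over
# the public Internet carry PUBLIC_NET, and the VPN sink refuses anything
# still carrying it. Only a clean scanner pass may remove the label.
# The label name and the scanner's signature check are assumptions.
PUBLIC_NET = "public_net"


class PolicyViolation(Exception):
    pass


@dataclass(frozen=True)
class Labeled:
    """A chunk of data plus the taint labels it has accumulated."""
    payload: bytes
    labels: frozenset = field(default_factory=frozenset)

    def __add__(self, other: "Labeled") -> "Labeled":
        # Mixing data yields the union of both label sets: taint propagates,
        # so scanned data concatenated with unscanned data is unscanned.
        return Labeled(self.payload + other.payload, self.labels | other.labels)


def receive_from_internet(payload: bytes) -> Labeled:
    """Everything read while 'skinnydipping' is tainted."""
    return Labeled(payload, frozenset({PUBLIC_NET}))


def receive_from_intranet(payload: bytes) -> Labeled:
    """Data already inside the work network carries no taint."""
    return Labeled(payload)


def virus_scan(data: Labeled, signatures=(b"<<evil>>",)) -> Labeled:
    """Stand-in scanner (signatures are constructed): a hit raises and the
    label stays; a clean pass strips PUBLIC_NET, the only way to shed it."""
    if any(sig in data.payload for sig in signatures):
        raise PolicyViolation("signature hit; label not removed")
    return Labeled(data.payload, data.labels - {PUBLIC_NET})


def send_over_vpn(data: Labeled) -> int:
    """VPN sink: the single chokepoint where the policy is enforced.
    Returns the number of bytes accepted for transmission."""
    if PUBLIC_NET in data.labels:
        raise PolicyViolation("unscanned public-Internet data bound for intranet")
    return len(data.payload)
```

The point the model makes is that the check lives at the sink, not in the applications: a legacy program can copy, concatenate or rename the data however it likes, but it cannot remove the label without going through the scanner.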