Re: .NET replays the ActiveX fiasco

Post #18,858 by neelk 11/19/01 6:09:49 PM Reply	Re: .NET replays the ActiveX fiasco You wrote: > Well, what would you have them do - trust nobody and get no useful work > done? I'd prefer a security model based on revokable capabilities, enforced via proof-carrying code. Some of this is rocket science, but Microsoft Research employs a substantial fraction of the world's population of type-theorists so it should definitely be within MS's ability to implement. Furthermore, the programmer UI doesn't require any rocket science: all the math lives in the compiler and the program loader. > Wasn't that the original Java applet model? Wasn't it eventually > extended to support authentication via trusted applets? Any idea why? No, Java had a sandbox which can control how much access even a trusted program can get. .NET basically copies this, except that it adds a mechanism -- "unverified assemblies" -- which permit programmers to sidestep the security mechanism. This is a [i]tremendously[/i] bad idea. You want to minimize the amount of trusted code in the system and the runtime, because making sure it works is really hard. Java had a pretty simple security system, and people have been fixing holes in it for years. The lesson is clear -- /minimize the trusted codebase/. (Dan Wang at Princeton has even invented a PCC mechanism that lets you take the garbage collector out of the trusted base. Tres cool.) > I'm surprised to learn that ActiveX is such an unsuccessful technology. > After all, right here on my machine are RealPlayer, Acrobat Reader, Flash, > Shockwave, and several other popular ActiveX components, and those are just > the ones I downloaded. The total list of ActiveX components on this system > easily numbers in the hundreds, and includes such abysmal failures as Media > Player and Internet Explorer. This is why the ActiveX security system is a failure, actually. ActiveX is an all-or-nothing security scheme, which means that a single buffer overflow in a single trusted app compromises the entire system. The more code you have to trust the more likely you have a compromise which renders your security useless. It's just simple statistics. The existence of unverified assemblies, which permits programmers to easily add to the trusted codebase, means that it becomes impossible to verify that the .NET runtime can actually enforce the security guarantees it promises. And given their past behavior we can be sure that MS will use a lot of unverified assemblies in IE and Office and whatever app-of-the-week is at the head of their strategy. If I sound cynical it's because I am. :)
Post #18,912 by pwhysall 11/20/01 2:13:02 AM Reply	EzBug hangover? [i]tremendously[/i] We use real HTML here, Neel :-) Peter Shill For Hire [link\|http://www.kuro5hin.org\|There is no K5 Cabal]
Post #18,934 by neelk 11/20/01 9:46:41 AM Reply	Finger habits are hard to break. :)
Post #18,929 by neelk 11/20/01 9:03:04 AM Reply	typo fix I wrote: > I'd prefer a security model based on revokable capabilities, > enforced via proof-carrying code. This should read: > I'd prefer a security model based on explicitly granted capabilities, > enforced via proof-carrying code. Anyway, here's how this can work. Let's suppose that usability testing reveals that there are certain kinds of privilege grants that users can easily understand -- eg, something like "The program can only read and write files in the c:\\apps\\foobar directory", or "The program can only open network sockets to the foobar.com domain", and so on. When a user installs a program they check off which privileges they want to give it and then somehow the system makes sure that the program can't use resources it's not privileged to. So the way we can do this, is to turn each privilege into an object: eg, to open a file the program must call a method on an object that the runtime hands it. You can do a formal verification that the capability object does what it says -- the object code would come with a proof, generated by the compiler, that the loader would check. Then a type- and memory-safety proof for the program code (again, verified with a safety proof emitted as part of the compilation process) would ensure that it couldn't access any ungranted resources. This is a much better model than unverified assemblies, because it lets you extend the set of grantable capabilities without having to add any untrusted code to the system. The only code you have to trust is the proof verifier, which is small. Even the compiler doesn't have to be trusted, because if it emits buggy or false proofs the verifier will fail to accept the object code. Even better, you get the full performance of compiled machine code, with no need for a sandbox, since the proof is checked at load time, not runtime. Here's a general overview: [link\|http://www-106.ibm.com/developerworks/library/untrusted-code/\|[link\|http://www-106.ibm.com/developerworks/library/untrusted-code/\|http://www-106.ibm....rusted-code/]] And some links to research projects: [link\|http://www.cs.berkeley.edu/~necula/pcc.html\|[link\|http://www.cs.berkeley.edu/~necula/pcc.html\|http://www.cs.berke...ula/pcc.html]] [link\|http://www-2.cs.cmu.edu/~fox/pcc.html\|[link\|http://www-2.cs.cmu.edu/~fox/pcc.html\|http://www-2.cs.cmu.edu/~fox/pcc.html]] [link\|http://www.cs.princeton.edu/sip/projects/pcc/\|[link\|http://www.cs.princeton.edu/sip/projects/pcc/\|http://www.cs.princ...rojects/pcc/]]

Welcome to IWETHEY!