> file. Another potential policy would be to restrict a document's
> macros to the document itself. The idea has merit.
Another would be to have the primitive "open file for writing" always
present the user with a file selection dialog (browser). The mechanism
Safe Tcl uses is that there is no open file primitive. File opening is
handled outside the secured interpreter and open files are passed in
at the direction of the surrounding application.
> All levels are attackable -- that's why we need more than one.
> Believe me I wish the most popular desktop OSes were secure. I
> recently posted to sci.crypt an article entitled "castles in the
> clouds" pondering if encryption were ultimately useful without the
> foundation of securing the workstation.
I don't read that group. I'd be interested in seeing this article if
you don't mind sending me a copy.
> I'd like to say "run only signed applets running in a VM running in a
> sandbox on a secure server", but I can't point to a commercial
> implementation. Perhaps a UNIX browser running chrooted or on a
> secure UNIX -- but most users want PCs
Chroot isn't good enough because network access doesn't go through the UNIX
security layer (the file system).
Personally I'd like to extend the client-server model into my PC. So my word
processor would accept already opened files from the browser, and talk to my
display server, and my file server and so on, through similar channels. So if
you wanted to create a "jail" you'd simply start up the word processor with
a proxy between it and the file system or between it and the real file
system, and let the proxy implement whatever policy it wanted.
The big problem is that the communication channels would need to be simple
enough to encourage the development of proxies by hobbyists, with a relatively
small number of messages and an ability to test-drive an interface easily
without breaking everything. The Amiga operating system did a pretty good
job of this, but it had absolutely no security so an application could go
around it with little trouble. Plan 9 is an interesting model, too, but of
course it doesn't play well on single computers.
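The two mechanisms discussed in this message, the Safe Tcl approach of
having no "open" primitive inside the secured interpreter with already-open
files handed in by the surrounding application, and the idea of a proxy
that sits between a sandboxed program and the real file system and
implements its own policy, can both be shown with Tcl's built-in safe
interpreters. The script below is an added example written for this page,
not code from the thread or from the Safe Tcl distribution. It assumes a
Tcl 8.5 or later tclsh, creates its own scratch file "notes.txt" in the
current directory, and the "read-only, inside one directory" policy in
policyOpen is an assumption chosen for the example.

```tcl
# Added example (not from the original thread): Safe Tcl style sandboxing.
# Assumes Tcl 8.5+ and creates a scratch file notes.txt in the current dir.
package require Tcl 8.5

# Host side: create the file ourselves, outside the sandbox.
set path [file join [pwd] notes.txt]
set out [open $path w]
puts $out "line one"
close $out

# 1. A safe interpreter has no open primitive: "open" is hidden, so the
#    sandboxed script cannot open anything on its own.
set sb [interp create -safe]
if {"open" in [interp hidden $sb]} {
    puts "sandbox: open is hidden"
}
if {[catch {interp eval $sb [list open $path w]} err]} {
    puts "sandbox cannot open files itself: $err"
}

# 2. The host opens the file and passes the already-open channel in,
#    at the direction of the surrounding application.
set in [open $path r]
interp share {} $in $sb
puts "sandbox read via shared channel: [interp eval $sb [list gets $in]]"
close $in   ;# the sandbox's copy of the channel stays open until it closes it

# 3. The proxy idea: the sandbox calls an alias, and the host-side procedure
#    behind it implements whatever policy it likes. Policy assumed here:
#    read-only, and only files under allowedDir (no ".." escapes).
set allowedDir [pwd]
proc policyOpen {sb name} {
    global allowedDir
    set full [file normalize [file join $allowedDir $name]]
    if {[string first "$allowedDir/" $full] != 0} {
        error "policy: $name is outside $allowedDir"
    }
    set ch [open $full r]         ;# the host opens; never with "w"
    interp transfer {} $ch $sb    ;# move the channel into the sandbox
    return $ch
}
interp alias $sb openfile {} policyOpen $sb

# Inside the sandbox: only "openfile" exists, and it obeys the host's policy.
puts "sandbox read via proxy: [interp eval $sb {
    set ch [openfile notes.txt]
    set data [read $ch]
    close $ch
    set data
}]"
if {[catch {interp eval $sb {openfile ../../etc/passwd}} err]} {
    puts "proxy refused: $err"
}
```

Run it with tclsh. The alias is the whole trust boundary: the sandboxed
script gets exactly what policyOpen is willing to do, so the host-side
procedure has to normalize and check its arguments itself, as the path
check above does, and must never reach for a hidden command on the
sandbox's behalf without applying the same policy. Note also that
"interp share" leaves the channel usable in both interpreters while
"interp transfer" moves it, so a host that wants the sandbox to be the
only reader should transfer rather than share.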