[4731] in WWW Security List Archive
No Such Thing as Trusted Code (was: RE: Latest Java hole is...)
daemon@ATHENA.MIT.EDU (Bob Denny)
Sun Mar 9 14:03:17 1997
From: "Bob Denny" <rdenny@dc3.com>
Date: Sun, 9 Mar 1997 09:59:36 -0800
In-Reply-To: schemers@stanford.edu
"RE: Latest Java hole is Netscape/Sun only" (Mar 8, 22:24)
To: schemers@stanford.edu
Cc: "'WWW Security List'" <WWW-SECURITY@ns2.rutgers.edu>
Errors-To: owner-www-security@ns2.rutgers.edu
On Mar 8, roland <schemers@stanford.edu> wrote (among other things):
> Unfortunately there is no such thing as "trusted" code.
This is precisely the point. Thank you.
> Programmers will always make mistakes, and when writing in a language like
> C/C++ there are plenty of ways to exploit those mistakes.
Yes, and this is the crux of the other giant flaw in the component software
religion as implemented by both ActiveX and Java. There is no way to know what
bugfixes are present in the components your customer uses with your
application. Just because they are interface-compatible does not mean that the
customer-supplied component will work with your application. This is an
extension of the all-too-familiar "DLL Hell" so familiar to Windows users
already.
> How are you going to identify some ActiveX component that sets a timebomb
> that at some point in the future deletes your [w]hole harddrive? Or changes
> something in the registry that loosens system security in other ways? Or
> makes your modem dial some 1-900 number?
Yes... more to the point, how does the *signer* know that the component is
trustworthy? I'd like to see the process that Microsoft goes through before
it signs a CryptoAPI provider! Is Microsoft actually taking responsibility for
the safety of that CAPI provider? If so, I hope they have set aside a large
warchest for liability lawsuits.
It should be blindingly obvious that the code signer's identity is assured by
the CA that signs the signing-cert, and that the component author's identity
is assured by the code signer (which may even be the author). Nowhere does the
word "trust" appear. It cannot, or the CAs would be unable to operate, as
they would be exposed to an infinite number of liability lawsuits. Oh, well, I
guess they could charge $10,000 per cert, to cover liability insurance :-) Uh,
and add in the costs of the background checks for everyone they issue a cert
to... see what I mean?
> I also think that a capabilities-based-trust model extends well beyond
> downloading code over the network. It could/should be applied to
> all applications you run.
That's why all real operating systems have this capability in one form or
another. In the abstract, this "assertions-capabilities" model applies to all
security systems, not just those used on computers. Think about physical
security systems in offices, homes, factories. There are varying levels of
access/privileges given the identity of the person or agent.
It's fundamental.
-- Bob
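Added example (not part of the original list message or of any product it mentions): a toy code-signing chain and a separate capability policy, illustrating the two points above. The CA signs the signer's certificate, the signer signs the component, and verification proves only that the bytes came from a key the CA bound to a name. Whether that name may touch the filesystem, the registry or the modem is a separate, local policy decision that the signature chain never carries. Key pairs, the subject name, the component bytes and the policy table are all constructed for the example; the certificate format is a deliberately minimal stand-in, not Authenticode or any real format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Capability names a single privilege a component may be granted.
type Capability string

const (
	CapFilesystem Capability = "filesystem"
	CapRegistry   Capability = "registry"
	CapModem      Capability = "modem"
)

// Cert is a toy signing certificate: the CA binds a subject name to a public key.
// (Constructed format; real certificates carry far more, but the binding is the point.)
type Cert struct {
	Subject string
	PubKey  ed25519.PublicKey
	Sig     []byte // CA signature over tbs(Subject, PubKey)
}

// tbs is the "to be signed" encoding of a certificate body: name, separator, key.
func tbs(subject string, pub ed25519.PublicKey) []byte {
	return append([]byte(subject+"\x00"), pub...)
}

// IssueCert is the CA step. It asserts "this key belongs to subject" and nothing more.
func IssueCert(caPriv ed25519.PrivateKey, subject string, pub ed25519.PublicKey) Cert {
	return Cert{Subject: subject, PubKey: pub, Sig: ed25519.Sign(caPriv, tbs(subject, pub))}
}

// VerifyChain checks CA -> signer certificate -> component. A true result means only
// "a key the CA vouched for as <subject> signed exactly these bytes"; it says nothing
// about what the bytes do when run.
func VerifyChain(caPub ed25519.PublicKey, c Cert, component, sig []byte) (string, bool) {
	if !ed25519.Verify(caPub, tbs(c.Subject, c.PubKey), c.Sig) {
		return "", false // certificate was not issued by this CA
	}
	if !ed25519.Verify(c.PubKey, component, sig) {
		return "", false // component altered, or signed by a different key
	}
	return c.Subject, true
}

// Policy maps a verified identity to the capabilities it is granted locally.
// This is the capabilities decision: made by the system running the code, not by the CA.
type Policy map[string][]Capability

func (p Policy) Allows(identity string, want Capability) bool {
	for _, c := range p[identity] {
		if c == want {
			return true
		}
	}
	return false
}

// Result collects the scenario outcomes so they can be checked rather than only printed.
type Result struct {
	Identity   string
	ChainOK    bool // genuine component, genuine chain
	TamperedOK bool // component bytes altered after signing (should be false)
	RogueOK    bool // signer certificate not issued by the CA (should be false)
	ModemOK    bool // policy grants modem access? (not in the constructed policy)
	FSOK       bool // policy grants filesystem access? (granted in the constructed policy)
}

// RunScenario builds the constructed CA, signer, component and policy and exercises them.
func RunScenario() (Result, error) {
	const subject = "Example Components Inc (constructed)"
	caPub, caPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Result{}, err
	}
	signerPub, signerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Result{}, err
	}
	roguePub, roguePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Result{}, err
	}

	cert := IssueCert(caPriv, subject, signerPub)
	component := []byte("constructed component bytes; a valid signature says nothing about behaviour")
	sig := ed25519.Sign(signerPriv, component)

	id, ok := VerifyChain(caPub, cert, component, sig)

	tampered := append([]byte{}, component...)
	tampered[0] ^= 1 // one bit changed after signing
	_, tamperedOK := VerifyChain(caPub, cert, tampered, sig)

	// Self-issued certificate claiming the same name; the CA never saw it.
	rogueCert := IssueCert(roguePriv, subject, roguePub)
	_, rogueOK := VerifyChain(caPub, rogueCert, component, ed25519.Sign(roguePriv, component))

	policy := Policy{subject: {CapFilesystem}} // constructed local policy
	return Result{
		Identity: id, ChainOK: ok, TamperedOK: tamperedOK, RogueOK: rogueOK,
		ModemOK: policy.Allows(id, CapModem), FSOK: policy.Allows(id, CapFilesystem),
	}, nil
}

func main() {
	r, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

Nothing in VerifyChain inspects the component's behaviour, which is the point of the thread: a good signature identifies who signed, and the policy table (not the certificate) decides what that identity may do on this machine.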