Monday, August 26, 2013

Some Combinations are Inherently Safe

A completely different approach is also possible, and has been pioneered by Bitfrost[10], the security system for the XO. The idea is that some operations are safe as long as they are not combined with others.

For example, it is safe to read files if you cannot communicate on the network. Conversely, it is safe to communicate on the network if you cannot read local files. The threat model here is that the user's privacy might be compromised if both operations are allowed, but either one in isolation cannot expose their secrets.

In the Bitfrost model a program asks for a set of capabilities, and if they form a "safe" combination the system grants them without user intervention. Otherwise the user is presented with a set of mutually exclusive safe options (e.g. "allow file access" vs. "allow network access") and chooses the one appropriate for the task at hand.

Although Bitfrost is the more widely known implementation, this approach was actually pioneered by the experimental CapDesk[16] system.
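The decision procedure described above, written out as an added example (this is not Bitfrost's or CapDesk's own code): a policy is a set of forbidden capability combinations, a request is granted silently when it contains none of them, and otherwise the user is offered the maximal safe subsets of what was requested as mutually exclusive choices. The capability names, and the second conflict pair (microphone plus network), are constructed for the example; only the "read files" versus "network" conflict comes from the text. It generalizes the text's single pair to any number of forbidden combinations.

```python
from itertools import combinations

# Constructed policy for the example. Each entry is a combination of
# capabilities that must never be granted together. The first pair is the
# one described in the text; the second is a hypothetical addition to show
# that the same procedure works with several conflicts.
CONFLICTS = {
    frozenset({"read_files", "network"}),
    frozenset({"microphone", "network"}),
}


def is_safe(capabilities, conflicts=CONFLICTS):
    """True if no forbidden combination is fully contained in the set."""
    caps = frozenset(capabilities)
    return not any(conflict <= caps for conflict in conflicts)


def maximal_safe_subsets(requested, conflicts=CONFLICTS):
    """Largest subsets of `requested` that are safe, none a subset of another.

    Subsets are enumerated from largest to smallest, so a candidate is kept
    only if no already-kept (larger) subset contains it. This is exponential
    in the number of requested capabilities, which is fine for the handful a
    program realistically asks for.
    """
    req = sorted(frozenset(requested))
    kept = []
    for size in range(len(req), 0, -1):
        for combo in combinations(req, size):
            candidate = frozenset(combo)
            if is_safe(candidate, conflicts) and not any(
                candidate < larger for larger in kept
            ):
                kept.append(candidate)
    return kept


def decide(requested, conflicts=CONFLICTS):
    """Return ("grant", [requested]) or ("ask_user", [option, ...]).

    A safe request is granted as asked without user intervention; an unsafe
    one is turned into mutually exclusive safe options for the user to pick.
    """
    req = frozenset(requested)
    if is_safe(req, conflicts):
        return ("grant", [req])
    return ("ask_user", maximal_safe_subsets(req, conflicts))


if __name__ == "__main__":
    for request in (
        {"read_files"},
        {"read_files", "network"},
        {"read_files", "write_files", "network", "microphone"},
    ):
        verdict, options = decide(request)
        print(sorted(request), "->", verdict,
              [sorted(option) for option in options])
```

For the request `{read_files, write_files, network, microphone}` the user is offered two options: `{read_files, write_files, microphone}` or `{write_files, network}`. Either one keeps the program away from both forbidden pairings, which is exactly the property the model relies on; what the policy table does not express (for example, a third capability that combines badly with an already-approved pair) is invisible to the check, so the table itself needs the same review as any other security policy.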
