2010-06-30

NetVM and cap'based security

6.19: addx/security/vmnet and cap'based:
Joanna Rutkowska Jun 17, 2010 at 4:53 AM
qubes-devel@googlegroups.com
"(you might not have VT-d working,
in which case you would not benefit from
additional security provided by sandboxed NetVM, ...)"
. how could this NetVM idea
merge with cap-based security?
. with very fast switching
every app could have virtual access to
every other component .
. of these connections, you could
watch or log them, stop them,
or undo them by allowing only
virtual access (not modifying the
original object, but some mirror)
. the reason we need L4 [hypervisor]
is to reuse untrusted wares
and to have cooperation among
the mutually distrusting .
. ok L4 is a great platform because
it can act as a microkernel too .
. need to see how that means the
face changes for app dev's
-- is it just good news for sys' eng's?
. even without having L4 as an os,
the process-isolating architectures
like seL4 and Microsoft's Singularity
can still be useful as part of an
app framework that can give app dev's
more confidence in their own wares .
[6.24: ie, the basic stack has been:
(basic OS providing common lib's,
between hardware, and apps)
and then in addition to the basic OS,
there could be a security layer
provided by an app framework OS .]
[6.30: L4 vs seL4:
seL4 adds cap'based security to L4 .]
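
The "watch or log them, stop them, or undo them" idea from the 6.19 note, sketched as an added example (not code from Qubes, L4 or seL4). The `Connection` class and its method names are hypothetical, and Python gives no real isolation here; the sketch only models the mediation, with a dict standing in for the component.

```python
import copy

class Revoked(Exception):
    """Raised when a stopped connection is used again."""

class Connection:
    """One mediated link from an app to a component (hypothetical model)."""

    def __init__(self, app, component, rights, log):
        self.app, self.rights, self.log = app, frozenset(rights), log
        self.original = component
        # Virtual access: the app only ever touches a mirror of the object.
        self.view = copy.deepcopy(component)
        self.live = True

    def call(self, method, *args):
        verdict = ("stopped" if not self.live
                   else "ok" if method in self.rights else "denied")
        self.log.append((self.app, method, args, verdict))  # watch or log
        if verdict == "stopped":
            raise Revoked(method)
        if verdict == "denied":
            raise PermissionError(method)
        return getattr(self.view, method)(*args)

    def stop(self):
        self.live = False

    def undo(self):
        """Throw away the mirror's changes; the original never saw them."""
        self.view = copy.deepcopy(self.original)

def demo():
    log, files = [], {"notes.txt": "draft"}  # constructed sample component
    conn = Connection("browser", files, {"get", "update"}, log)
    conn.call("update", {"notes.txt": "overwritten"})
    seen_by_app = conn.call("get", "notes.txt")
    try:
        conn.call("clear")                   # right never granted
    except PermissionError:
        pass
    conn.undo()
    after_undo = conn.call("get", "notes.txt")
    conn.stop()
    try:
        conn.call("get", "notes.txt")        # connection already stopped
    except Revoked:
        pass
    return files, seen_by_app, after_undo, [entry[3] for entry in log]
```
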

6.20: addx/seeing the light:
[6.30: todo: prove this!]
. it can seem rather pointless
trying to develop a secure app
on an insecure OS;
but for personal use, at least,
there can be security if
all the apps use that framework .
. even if you can't find hardware
that is designed for okL4 (open seL4)
it could help to have an app framework
that is based on an seL4 .

addx/security/what's needed on secure platform:
6.21:
. after seeing this googlecode blog
I was thinking about how to include
cap'based security .
6.27:
. chrome os already has good
separation between app's,
but what is it that allows a browser
to rifle through your files
after hitting the go-away button?
has chrome browser really fixed that?
[6.30:
I've not had this problem on Chrome yet;
but what does "(sandboxed)" mean
if it's so easy to steal my permission? ]
. if the guard is finally here,
then the only needed
cap'based permissions would be
the design of an app like addx
that is a scripting environment .