2011-05-30

standard abi's motivation

5.18: addx/standard abi/motivation:
background:
. the typical example of mistaken expectation
is when an url acts like a script .
. many apps have input limitations
such as when a browser treats certain url's like scripts .
. a commandline could be given what you think is a filename
but because of expectations about filename limitations
a filename can be interpreted as a series of commands .
. this wouldn't happen if unix had
a common abi (app'binary interface);
because, instead of passing the file's name as text
(a form of screen scraping)
it could be passing an obj type-tagged as a filename
and then filename limitations become irrelevant .

4.15?: news.cyb/sec/qubes/Qlipper:
Larry McCay April 15, 2011 2:52 AM`
comment on [The Invisible Things Lab's blog]/
A Qlipper app could be introduced
to sanitize and add the appropriate context.
Sanitizing makes sure
what you copied is what you expected
and the context is used to
direct within the target Qubes domains.
Joanna @Larry:
. a "sanitizer" must know the limitations of the destination app... .
--
. this is another example of why an abi
is needed:
. what qubes has to do to get vm's communicating
is for each os to support a clipboard
that qubes can translate to a file
that is then sent over the intranet .
. an os's clipboard is understood as
supporting certain data types
with a certain type-tagging convention .
. if qubes has to understand all this anyway
it already does sanitizing by matching types [5.18:
(though it could help by checking for
malformed html and illegal unicodes); ]
but, because os's don't provide a common abi,
they are reduced to supporting only
some common text-based standards
like ascii, unicode, or html [5.18:
whereas, a common abi would also support
a binary version of a complete programming lang',
meaning that instead of just being text,
the code was parsed into a syntax tree;
and native functions were represented by codes
that are read more quickly than text .
. and,
when copying abi code from the pasteboard,
dom0 would be able to read and understand
the implicit capabilities of that code .]
. without an abi, qubes must have
apps communicating via a screen scraper;
but that's ok, because,
the whole point of security by isolation
is that we can never expect to
completely protect app's from being
hung by their own naivety;
what we can do is protect good apps
from being hung by bad ones .