background:
. the typical example of mistaken expectation
is when a url acts like a script .
. many apps have input limitations
such as when a browser treats certain url's like scripts .
. a commandline could be given what you think is a filename
but because of expectations about filename limitations
a filename can be interpreted as a series of commands .
. this wouldn't happen if unix had
a common abi (app' binary interface);
because, instead of passing the file's name as text
(a form of screen scraping)
it could be passing an obj type-tagged as a filename
and then filename limitations become irrelevant .
4.15?: news.cyb/sec/qubes/Qlipper:
Larry McCay April 15, 2011 2:52 AM
comment on [The Invisible Things Lab's blog]:
A Qlipper app could be introduced
to sanitize and add the appropriate context.
Sanitizing makes sure
what you copied is what you expected
and the context is used to
direct within the target Qubes domains.
Joanna @Larry:
. a "sanitizer" must know the limitations of the destination app... .--
. this is another example of why an abi
is needed:
. what qubes has to do to get vm's communicating
is for each os to support a clipboard
that qubes can translate to a file
that is then sent over the intranet .
. an os's clipboard is understood as
supporting certain data types
with a certain type-tagging convention .
. if qubes has to understand all this anyway
it already does sanitizing by matching types [5.18:
(though it could help by checking for
malformed html and illegal unicodes); ]
but, because os's don't provide a common abi,
they are reduced to supporting only
some common text-based standards
like ascii, unicode, or html [5.18:
whereas, a common abi would also support
a binary version of a complete programming lang',
meaning that instead of just being text,
the code was parsed into a syntax tree;
and native functions were represented by codes
that are read more quickly than text .
. and,
when copying abi code from the pasteboard,
dom0 would be able to read and understand
the implicit capabilities of that code .]
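As an added example (not the blog's or Qubes's own code) of the sanitizing-by-matching-types idea in this note: the receiving side accepts a pasted payload only when it carries a type tag it knows and the bytes satisfy that type's limitations (legal unicode, balanced html, url lines with an allowed scheme). The type tags, the scheme list and the void-element list are assumptions chosen for the example.

```python
import unicodedata
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Policy constructed for this example (not Qubes policy): allowed link schemes, void html elements.
ALLOWED_SCHEMES = {"http", "https"}
VOID_TAGS = {"br", "hr", "img", "input", "meta", "link", "wbr", "area", "col", "source"}

def check_text(data: bytes) -> str:
    """Strict UTF-8 decode, then reject control, surrogate, private-use and unassigned code points."""
    text = data.decode("utf-8")  # UnicodeDecodeError on malformed byte sequences
    for ch in text:
        if ch not in "\t\n\r" and unicodedata.category(ch) in ("Cc", "Cs", "Co", "Cn"):
            raise ValueError("illegal code point U+%04X" % ord(ch))
    return text

class _HtmlChecker(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []  # open elements; non-empty at the end means malformed html
    def handle_starttag(self, tag, attrs):
        if tag not in VOID_TAGS:  # void elements never get an end tag
            self.stack.append(tag)
    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and (not self.stack or self.stack.pop() != tag):
            raise ValueError("unbalanced end tag </%s>" % tag)

def check_html(data: bytes) -> str:
    text = check_text(data)  # html must first be legal text
    p = _HtmlChecker(); p.feed(text); p.close()
    if p.stack:
        raise ValueError("unclosed elements in html: " + ",".join(p.stack))
    return text

def check_uri_list(data: bytes) -> str:
    text = check_text(data)
    for line in text.splitlines():  # one url per line; '#' lines are comments
        if line and not line.startswith("#") and urlsplit(line).scheme not in ALLOWED_SCHEMES:
            raise ValueError("disallowed url: " + line)
    return text

CHECKERS = {"text/plain": check_text, "text/html": check_html, "text/uri-list": check_uri_list}
def sanitize(tag: str, payload: bytes):
    """Return (True, text) when payload conforms to its declared type tag, else (False, reason)."""
    if tag not in CHECKERS:
        return False, "unsupported type " + tag
    try:
        return True, CHECKERS[tag](payload)
    except (UnicodeDecodeError, ValueError) as exc:
        return False, str(exc)
```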
. without an abi, qubes must have
apps communicating via a screen scraper;
but that's ok, because,
the whole point of security by isolation
is that we can never expect to
completely protect app's from being
hung by their own naivety;
what we can do is protect good apps
from being hung by bad ones .