> it could pass bits of memory to the user land process
> by sharing a capability that gave it write access.
> Then the userland process could populate it,
> once it had finished and the kernel wanted to read it,
> they could revoke the writeable permission.
> This would prevent this sort of attack [apparently,
> confusing auditors with TOCTOU attacks on system call arguments]

Virtual memory mapping hardware is already roughly a capability system. The CPU doesn't maintain a list of ownerships and permissions for every page of physical memory; it puts capabilities to those pages into page tables. That's how KeyKOS was able to run efficiently on stock hardware.

Capability systems are indeed better for security in several ways, but this isn't one of them. The problem here is that the memory page is shareable between different user threads. You can solve this problem in a variety of ways, including the one you suggest. However, unmapping the page that a system-call argument lives in before invoking an auditor does not constitute implementing a capability system.

To a great extent, it seems like the move toward web apps is exactly a move toward a different security model in order to reduce the maintenance the user has to do, a model in which most apps are fairly limited in their authority. The same-origin policy still falls far short of full POLA, but it's a step. The project in this area I'm most excited about is Caja, which is what MarkM's working on these days.
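The TOCTOU problem the comment above refers to, as an added example that is not part of the thread: a kernel auditor checks a system-call argument that lives in a page another user thread can still write, and the kernel then re-reads the argument after the check. The constructed model below uses a callback (`race_hook_t`, an assumption of this example) in place of a real concurrent thread so the race window is deterministic, and contrasts the double-fetch pattern with copying the argument into kernel-private memory before checking it, which is the effect the quoted "revoke the writeable permission" idea is after.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a syscall argument living in a user-writable page. */
#define MAX_LEN 64
struct user_arg {
    size_t len;        /* caller-supplied length; auditor must bound it */
    char   buf[128];   /* caller-supplied payload */
};

/* Models a second user thread rewriting the shared page during the window
 * between the kernel's check and its use (hypothetical hook, not a real API). */
typedef void (*race_hook_t)(struct user_arg *arg);

/* Vulnerable pattern: the auditor validates the argument in the shared page,
 * then the syscall body fetches it again from the same page (double fetch). */
int syscall_double_fetch(struct user_arg *shared, race_hook_t race,
                         char *out, size_t outsz)
{
    if (shared->len > MAX_LEN)          /* auditor's check: first fetch */
        return -1;
    if (race)
        race(shared);                   /* other thread writes the page here */
    size_t n = shared->len;             /* second fetch: check no longer holds */
    if (n > outsz)
        n = outsz;                      /* clamp only so this demo stays memory-safe */
    memcpy(out, shared->buf, n);
    return (int)n;
}

/* Hardened pattern: snapshot the argument into kernel-private memory once,
 * then check and use only the snapshot. The shared page is never read again,
 * so later writes by another thread cannot change what was validated. */
int syscall_copy_in(struct user_arg *shared, race_hook_t race,
                    char *out, size_t outsz)
{
    struct user_arg priv;
    memcpy(&priv, shared, sizeof priv); /* single fetch */
    if (priv.len > MAX_LEN)             /* auditor checks the private copy */
        return -1;
    if (race)
        race(shared);                   /* too late: kernel no longer reads shared */
    size_t n = priv.len;
    if (n > outsz)
        n = outsz;
    memcpy(out, priv.buf, n);
    return (int)n;
}

/* The racing thread's modification: push len beyond the audited bound. */
static void grow_len(struct user_arg *arg)
{
    arg->len = sizeof arg->buf;         /* 128, above MAX_LEN */
}

static void init_arg(struct user_arg *arg)
{
    memset(arg, 0, sizeof *arg);
    arg->len = 16;                      /* legitimate, within MAX_LEN */
    memset(arg->buf, 'A', sizeof arg->buf);
}

/* Returns how many bytes the double-fetch syscall actually consumed. */
int run_double_fetch_demo(void)
{
    struct user_arg arg;
    char out[128];
    init_arg(&arg);
    return syscall_double_fetch(&arg, grow_len, out, sizeof out);
}

/* Returns how many bytes the copy-in syscall actually consumed. */
int run_copy_in_demo(void)
{
    struct user_arg arg;
    char out[128];
    init_arg(&arg);
    return syscall_copy_in(&arg, grow_len, out, sizeof out);
}

int main(void)
{
    printf("double fetch consumed %d bytes (bound was %d)\n",
           run_double_fetch_demo(), MAX_LEN);
    printf("copy-in consumed %d bytes\n", run_copy_in_demo());
    return 0;
}
```

The double-fetch version passes the auditor with `len == 16` and then copies 128 bytes, so the check was effectively bypassed; the copy-in version consumes the 16 bytes it validated. Whether the snapshot is made by copying, by unmapping the page, or by revoking a write capability, the security property is the same: the bytes the auditor saw are the bytes the kernel uses.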
Heh, I didn't know there were fellow people interested in keykos type stuff here. I'm fairly new to that and more interested in the 3rd thing you can do to reduce cost of ownership, having an adaptive computer background.
If you submit a link to Caja here, let me know and I'll upvote it. The cap-like stuff that the Marks were working on for delegating authority to web apps was also interesting. It does reduce the amount of maintenance the user has to do; they still have to pay for the web apps, though, so depending upon the income of the user and the cost of the service it might not reduce the total cost by much.