Ihab - Thanks so much for this thoughtful reply. I'm still digesting bits of it, but I think I'm mostly following what you are talking about with the microkernel architecture. I've been following along a little bit with the "securable modules" stuff, too, that you all have been talking about, which has been interesting.
On Thu, Jul 16, 2009 at 11:14 AM, <[email protected]> wrote:
>
> To add to Ben's points --
>
> On Thu, Jul 16, 2009 at 9:05 AM, Ben Laurie<[email protected]> wrote:
>> Not necessary, but it might reduce your exposure to attacks if you
>> cajole as much as possible - that's unlikely to be all of it, though.
>> ...
>> The workspace has to know about Caja to the extent that it wants to
>> expose functions it provides to cajoled script. Other than that, you
>> are correct.
>
> I think it depends on a couple of issues:
>
> 1. If you have a large existing codebase you plan to make part of the
> "container" page, and that codebase is not well-suited to cajoling for
> some reason, then you may want an un-cajoled container with cajoled
> gadgets. If you are building your container from scratch, you might
> want to consider the microkernel approach (described below...).
>
> 2. If your gadgets are pretty strictly isolated from the container
> state, and if cajoling the container would be expensive for you, then
> you will not see a huge return on your additional investment in time
> to cajole the container. However, if the container shares a bunch of
> state with the gadgets, cajoling the container would give you a bunch
> more confidence that this interaction with the (untrusted) gadgets is
> secure.
>
> Ideally, we in Caja land would love to see people build containers
> that *are* tightly coupled with their gadgets; in other words, the
> gadgets are "plugins" to the container functionality in a rich sense.
> After all, sharing convenient, direct, fine-grained object references
> under mutual suspicion is precisely what the capability security model
> underlying Caja enables so well.
>
> To that end, the *ideal* architecture is a "microkernel" where some
> startup code loads cajita.js, domita.js and a bunch of other support
> files, initializes a bunch of simple capabilities (e.g., a capability
> to "load a new gadget" from the network), then fires up a root module
> that accepts these capabilities and deals with managing the isolation
> -- *and* communication -- between the gadgets. In this situation, the
> root module acts as a "powerbox" as described here --
>
> http://wiki.erights.org/wiki/Powerbox
>
> Taming un-cajoled code to communicate safely with cajoled code is a
> brittle process. The fact that the powerbox would be written in a
> capability safe language would be a great help to it in safely
> divvying up the authorities it has with less worries about
> vulnerabilities.
>
> Ihab
>
> --
> Ihab A.B. Awad, Palo Alto, CA
>
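The powerbox arrangement Ihab sketches above, as an added JavaScript example that is not from the thread and not Caja's own code: startup code builds one full-authority object, hands it only to a root module, and the root module gives each gadget an attenuated, revocable slice (namespaced storage, a mediated message channel) so gadgets can cooperate without ever holding a reference to each other or to the root. The names `makeRootAuthority`, `makePowerbox`, `noteGadget`, `readerGadget` and the `example.invalid` URLs are assumptions; a real Caja container would additionally run the gadget code through the cajoler, since plain JavaScript alone does not stop a gadget from reaching ambient globals.

```javascript
'use strict';

// Constructed full-authority object. Startup code would build this once and
// pass it only to the root module (the powerbox); gadgets never see it.
function makeRootAuthority() {
  const store = new Map();   // simulated shared persistent storage
  const fetched = [];        // records simulated "load a gadget from the network" calls
  return Object.freeze({
    storeGet: (k) => store.get(k),
    storeSet: (k, v) => { store.set(k, v); },
    loadGadget: (url) => { fetched.push(url); return { url }; },
    fetched,
  });
}

// The powerbox: owns the root authority and divides it among gadgets.
function makePowerbox(root) {
  const gadgets = new Map();   // name -> { caps, inbox, revoked, instance }

  function guard(entry) {
    if (entry.revoked) throw new Error('capability revoked');
  }

  // Build the attenuated capability object for one gadget.
  function attenuate(name) {
    const self = gadgets.get(name);
    return Object.freeze({
      // Storage is prefixed with the gadget's name, so keys cannot collide
      // with or read another gadget's data.
      get: (k) => { guard(self); return root.storeGet(name + '/' + k); },
      set: (k, v) => { guard(self); root.storeSet(name + '/' + k, v); },
      // Communication is mediated by the powerbox: a gadget can post to a
      // named inbox but never obtains another gadget's capabilities.
      send: (to, msg) => {
        guard(self);
        const target = gadgets.get(to);
        if (!target || target.revoked) throw new Error('no such gadget: ' + to);
        target.inbox.push({ from: name, msg });
      },
      receive: () => { guard(self); return self.inbox.splice(0); },
    });
  }

  return {
    // Load a gadget via the root's loadGadget capability and instantiate it
    // with only its attenuated caps.
    start(name, url, gadgetFactory) {
      if (gadgets.has(name)) throw new Error('duplicate gadget: ' + name);
      root.loadGadget(url);
      const entry = { inbox: [], revoked: false };
      gadgets.set(name, entry);
      entry.caps = attenuate(name);
      entry.instance = gadgetFactory(entry.caps);
      return entry.instance;
    },
    // Revocation flips one flag; every capability the gadget holds stops working.
    revoke(name) {
      const entry = gadgets.get(name);
      if (entry) entry.revoked = true;
    },
  };
}

// Two constructed gadgets, written against only the capabilities they receive.
function noteGadget(caps) {
  return {
    save: (text) => caps.set('note', text),
    load: () => caps.get('note'),
    shareWith: (other) => caps.send(other, caps.get('note')),
  };
}

function readerGadget(caps) {
  return {
    peek: () => caps.get('note'),   // same key name, different namespace
    inbox: () => caps.receive(),
  };
}

// Worked run: isolation by default, sharing only through the mediated channel.
function demo() {
  const root = makeRootAuthority();
  const pb = makePowerbox(root);
  const notes = pb.start('notes', 'https://example.invalid/notes.js', noteGadget);
  const reader = pb.start('reader', 'https://example.invalid/reader.js', readerGadget);
  notes.save('hello');
  const direct = reader.peek();        // undefined: storage is namespaced
  notes.shareWith('reader');           // explicit, powerbox-mediated hand-off
  const received = reader.inbox();     // [{ from: 'notes', msg: 'hello' }]
  pb.revoke('notes');
  let revoked = false;
  try { notes.load(); } catch (e) { revoked = true; }
  return { direct, received, revoked, loads: root.fetched.length };
}
```

The point to notice is that the root authority never appears in a gadget's scope: a gadget's entire world is the frozen object it was constructed with, and the powerbox can reason about, log, or revoke every authority it handed out because it created them all.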
