NetAlive's security mechanism needs a wide range of settings because NetAlive can create several different types of applications. At one extreme, NetAlive can erect a formidable security barrier when used as a browser to run applications from untrusted sites. Yet with different security settings, a NetAlive application can reformat disk drives on remote computers under the control of a systems administrator.
There are two dimensions to NetAlive's security system. First, NetAlive can use languages with different security properties. Second, NetAlive's configuration assigns each language its own security setting. The screen below shows NetAlive's security system. The languages known to this system appear in the center, and the security setting for each language appears on the right.
NetAlive's extensible language system provides one dimension of security. NetAlive does not have hard-coded language support, but instead uses site-specific configuration information and a general algorithm. The configuration information tells NetAlive the name of the interpreter, compiler, command-line options, etc. for each language. Notice that the standard configuration shown above includes two Perls: language "Perl" runs the standard insecure Perl interpreter and language "SecurePerlServer" runs a different interpreter from which all potentially harmful system calls have been removed.
Judicious extension of NetAlive's language support lets the developer make use of security developments that appear in the industry periodically. The developer simply creates a new language using the new interpreter, compiler, or command-line options.
NetAlive's second dimension is a security setting for each language. The settings "enable" and "disable" are self-explanatory given the paragraph above. The setting "security server", however, is NetAlive's implementation of traditional security. Traditionally a "person-in-charge" checks the reputation of a program's developer, tries the software, etc. before making a judgement about whether to install a program. With NetAlive, there can be a server containing NetAlive modules approved by such traditional means. When a language is in "security server" mode, NetAlive gets that language's modules from the security server regardless of where the application itself came from.
The paragraphs below describe different types of NetAlive applications and outline a strategy for security settings:
NetAlive used as a browser for applications on untrusted sites. Enable languages whose inherent built-in security prevents alteration of the local disk (such as Secure Perl or Java Applets). Set insecure languages (such as plug-ins) to "security server" and load the server with modules known not to alter the local disk.
NetAlive applications used as conventional applications (such as a word processor). Enable interpreted languages (such as Perl and general Java). Set insecure languages (such as plug-ins) to "security server" and load the server with all the modules referenced by users' programs.
NetAlive used as a Network Integrated Development Environment. Enable all languages. This causes compiled languages (such as plug-ins) to be supplied as source code and compiled on the local hardware before running.
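The following is an added example, not NetAlive's own code or configuration format, which is not shown on this page. It models the two dimensions just described: a per-language registry (interpreter, options, whether the interpreter is inherently unable to touch the local disk) and a per-language setting of "enable", "disable" or "security server", with one constructed profile for each of the three application types above. The resolver shows the key property of "security server" mode: a module is fetched from the approved server or refused, never from the application's origin. A second function checks a profile the way a reviewer would, flagging any inherently unsafe language that is merely enabled. All language names, interpreter commands, module names and the server URL are constructed placeholders.

```python
"""Model of NetAlive's two-dimensional security settings (added example, hypothetical)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Language:
    name: str
    interpreter: str        # command that would run this language (constructed)
    options: tuple          # command-line options (constructed)
    inherently_safe: bool   # True if the interpreter cannot alter the local disk


# Dimension 1: constructed registry modelled on the languages named on the page.
LANGUAGES: Dict[str, Language] = {
    "Perl":             Language("Perl", "perl", (), False),
    "SecurePerlServer": Language("SecurePerlServer", "sperl", (), True),
    "JavaApplet":       Language("JavaApplet", "appletviewer", (), True),
    "Java":             Language("Java", "java", (), False),
    "PlugIn":           Language("PlugIn", "cc", ("-O2",), False),  # compiled from source
}

# Dimension 2: the three security states described on the page.
ENABLE, DISABLE, SECURITY_SERVER = "enable", "disable", "security server"

# Constructed profiles for the three application types.
PROFILES: Dict[str, Dict[str, str]] = {
    "browser": {"SecurePerlServer": ENABLE, "JavaApplet": ENABLE,
                "Perl": DISABLE, "Java": DISABLE, "PlugIn": SECURITY_SERVER},
    "conventional": {"Perl": ENABLE, "Java": ENABLE, "SecurePerlServer": ENABLE,
                     "JavaApplet": ENABLE, "PlugIn": SECURITY_SERVER},
    "nide": {name: ENABLE for name in LANGUAGES},
}

# Constructed list of modules a "person-in-charge" has approved, per language.
SECURITY_SERVER_MODULES: Dict[str, set] = {"PlugIn": {"imageview", "spellcheck"}}
SECURITY_SERVER_URL = "https://security-server.example/modules"  # placeholder


@dataclass(frozen=True)
class Resolution:
    action: str             # "run-from-origin", "run-from-security-server" or "refuse"
    source: Optional[str]   # where the module is fetched from, None if refused


def resolve(profile: str, language: str, module: str, origin: str) -> Resolution:
    """Decide where a module of the given language may be loaded from."""
    if language not in LANGUAGES:
        return Resolution("refuse", None)               # no configuration: cannot run it
    setting = PROFILES[profile].get(language, DISABLE)  # unlisted languages default to disabled
    if setting == DISABLE:
        return Resolution("refuse", None)
    if setting == ENABLE:
        return Resolution("run-from-origin", f"{origin}/{module}")
    # "security server": the approved server is consulted regardless of origin,
    # and an unapproved module is refused rather than fetched from the origin.
    if module in SECURITY_SERVER_MODULES.get(language, set()):
        return Resolution("run-from-security-server",
                          f"{SECURITY_SERVER_URL}/{language}/{module}")
    return Resolution("refuse", None)


def unsafe_enabled(profile: str) -> List[str]:
    """Languages that are simply enabled although their interpreter can alter the local disk.

    For the browser profile this list should be empty; for the other profiles it
    documents which languages rely on trust in the application's origin.
    """
    return sorted(name for name, setting in PROFILES[profile].items()
                  if setting == ENABLE and not LANGUAGES[name].inherently_safe)


if __name__ == "__main__":
    for prof in PROFILES:
        print(prof, "unsafe-but-enabled:", unsafe_enabled(prof))
    print(resolve("browser", "PlugIn", "imageview", "http://untrusted.example"))
    print(resolve("browser", "PlugIn", "other", "http://untrusted.example"))
```

Running it shows the browser profile reports no unsafe enabled languages, while the conventional and NIDE profiles list Perl and Java (and, for NIDE, plug-ins), which is the trade-off the three deployment descriptions make explicit.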
The SecurePerlServer language can be compared to the Perl Safe extensions (sorry, no reference) and Penguin. The Perl Safe extensions restrict the functions that Perl will execute in a program. Depending on the settings, a Perl script can have full capabilities to affect the system, or none, or anything in between. The Secure Perl Server differs in that all potentially damaging functions have been completely removed and cannot be enabled under any circumstances. The Penguin system builds on Safe Perl with a cryptographically secure authentication system. Again, the Secure Perl Server differs in that its damaging functions are permanently disabled rather than gated by authentication. The Perl Safe extensions and Penguin are interesting technologies that may be incorporated into a future version of NetAlive.
For reference, the meaning of each security state is described below.
This is part 3 of a 5 part document.