Seth Purcell | 6 Jul 01:55 2011

a capability-based OS for the web

Hello everyone,

I'd like to announce a forthcoming (free) capability-based operating system: Sitelier (pronounced like hotelier).

Sitelier is a distributed, capability-based operating system for the web that uses OpenPGP to link users with their apps and each other. The idea is to finally give people actual control over their online lives.

Basically, it manages a secure private website on which users can “install” web apps, which can then save their data on the user’s site, rather than on the web app’s servers. It also provides a globally unique (and portable) identity for each user in the form of PGP keys, and in the near future will let users easily “friend” each other for securely communicating or sharing. It doesn't run on the hardware directly; it's a user mode server written entirely in JavaScript (Node.js). It’s free and open source so you can host your site wherever you like.

In our view, the web right now is backwards: users have accounts on dozens of websites, all with their own logins and passwords, and our content and personal information is scattered all over the web, out of our control. Sitelier turns the situation around: when you install an app, you're effectively creating an account on *your* site for the app, which can then save its data (your data) there, so all your online information can live in one secure location that you control. It’s a simple idea with huge implications. For a start, launching an online banking app by clicking an icon as opposed to logging into a website eliminates the opportunity for phishing your banking password – there is no banking password. And vendors like Amazon would no longer need to keep your billing info on their servers, since the Amazon app can just get it from your site (assuming you’ve given them a read-billing-info cap). Once your order ships, they can drop the cap (or you can), and then even if they’re breached, your billing information isn’t compromised, because they don’t have it. I’m barely touching on the potential of the platform, but I think you get the idea.

Given what Sitelier is trying to do, we’re necessarily obsessed with security. We’ve tried to avoid making obvious mistakes, and we’ve tried to implement good ideas wherever possible: besides caps, you'll see petnames and petgraphics (for apps and contacts), decentralized trust (obviously), and TLS-PSK is coming (for app-kernel and kernel-kernel connections). But we’re not security experts; we’re just two good friends tackling an enormous engineering problem together. We could really use some help from people who actually know what they’re doing in this area.

So does this sound interesting to anyone? We’re doing a preview release today and will soon have a tarball of the kernel up on the website, along with installation instructions (you’ll need a world-routable machine if you want to try it). We’re also hosting a couple apps that anyone can install: a basic shell and a notepad app. The kernel source is online at https://launchpad.net/sitelier-kernel, and you can browse it there or branch it with bazaar. You can read more about the project at www.sitelier.com; there’s a lot of info about how it works under /docs.

Seth and Chris

_______________________________________________
cap-talk mailing list
cap-talk@...
http://www.eros-os.org/mailman/listinfo/cap-talk
David Wagner | 6 Jul 03:38 2011

Re: a capability-based OS for the web

Some generic, shallow comments -

Main comment: Usability is key.  The biggest thing I would be doing
is usability experiments with users.

Quick, minor comment: I suggest that the Sitelier site (the "kernel
server"?) should use SSL/TLS sitewide, and should use HTTP Strict
Transport Security.  With sufficiently modern browsers, this will help
prevent some kinds of attacks (e.g., man-in-the-middle attacks when
using the Internet at Starbucks).

Minor comment: It's not clear why you need PGP.  You have a central site;
can't it manage trust itself?  What does OpenPGP bring to the table?

A derivative sounds a lot like a special case of what capability folks
call a facet.

Have you looked at Waterken, and its protocol for exposing services over
HTTP via a RESTful capability-based interface?  Have you looked at
the Google Belay project [1]?

[1] https://sites.google.com/site/belayresearchproject/
Seth Purcell | 6 Jul 16:25 2011

Re: a capability-based OS for the web

Hi David,

Thanks for your comments, but it seems like you may have mistaken our
website (sitelier.com) for our project (Sitelier). The Sitelier kernel, like
the Linux kernel, is software that anyone can download from our site and run
on any server. The result is a decentralized network of sites, and this is
where PGP comes in. Our "central site" is for informational purposes only;
it is not the arbiter of any kind of identity.

We use PGP to provide decentralized identity for both users and apps. So if
you have a site and your colleague has a site, you can "connect" your sites
by adding each other as contacts, which basically just means swapping public
keys with each other, and now you can communicate and share securely.
Likewise with apps: when you install an app, you add its public key to your
keyring, and now you can share securely with the app.

As mentioned in the docs
(http://docs.sitelier.com/fundamentals/authentication.html), TLS is used
everywhere. Standard PKI is used where there's a browser involved, and in
the near future TLS-PSK will be used everywhere else (once Node.js pulls in
our TLS-PSK commits). Thanks for the STS tip, we'll look into that.

Seth

Thomas Leonard | 12 Jul 14:46 2011

Re: Capability modelling tools

On 26 April 2011 20:25, Ankur Taly <ankur.taly <at> gmail.com> wrote:
> Hi Thomas,
>
> I, along with Mark Miller, Jasvir Nagra and Ulfar Erlingsson, worked on a tool
> ENCAP for automatically verifying confinement properties of JavaScript (JS)
> APIs. From your description it seems that ENCAP may be useful to you.
[...]
> You can take a look at the associated paper for all the technical details:
>
> http://www-cs-students.stanford.edu/~ataly/Papers/sp11.pdf
>
> If you want to play with the tool then I can send that to you as well.
> The description in the paper is JavaScript oriented but the main technique
> should be applicable to other languages as well.

Is the tool available yet? I would like to have a look at it.

Where did you find documentation for http://bddbddb.sourceforge.net? I
couldn't work out how to use it, and the mailing list seems to contain
only posts from equally confused people, with no answers.

> On Tue, Apr 26, 2011 at 2:17 AM, Thomas Leonard <talex5 <at> gmail.com> wrote:
>>
>> Hi all,
>>
>> I'm doing a bit of modelling work at the moment, looking to see how
>> capabilities may propagate through a system, and the effects of
>> various components being compromised, etc. I found the Scollar and
>> Authodox tools for this, but they didn't quite fit what I wanted to
>> do.

>>  http://www.serscis.eu/releases/docs/sam-0.1/
>>
>> It currently only runs on Linux, but hopefully Windows will be
>> supported in the next release.

Note: it now supports Windows too. The latest version is here:

http://www.serscis.eu/sam/

-- 
Dr Thomas Leonard        http://0install.net/
GPG: 9242 9807 C985 3C07 44A6  8B9A AE07 8280 59A5 3CC1
GPG: DA98 25AE CAD0 8975 7CDA  BD8E 0713 3F96 CA74 D8BA

Ankur Taly | 14 Jul 07:53 2011

Re: Capability modelling tools

On Tue, Jul 12, 2011 at 5:46 AM, Thomas Leonard <talex5 <at> gmail.com> wrote:
> On 26 April 2011 20:25, Ankur Taly <ankur.taly <at> gmail.com> wrote:
> > Hi Thomas,
> >
> > I, along with Mark Miller, Jasvir Nagra and Ulfar Erlingsson, worked on a tool
> > ENCAP for automatically verifying confinement properties of JavaScript (JS)
> > APIs. From your description it seems that ENCAP may be useful to you.
> [...]
> > You can take a look at the associated paper for all the technical details:
> >
> > http://www-cs-students.stanford.edu/~ataly/Papers/sp11.pdf
> >
> > If you want to play with the tool then I can send that to you as well.
> > The description in the paper is JavaScript oriented but the main technique
> > should be applicable to other languages as well.
>
> Is the tool available yet? I would like to have a look at it.
>
> Where did you find documentation for http://bddbddb.sourceforge.net? I
> couldn't work out how to use it, and the mailing list seems to contain
> only posts from equally confused people, with no answers.

Hi,

The tool isn't packaged in a ready-to-use form but I can help you set it up.

Regarding bddbddb, I struggled a bit with the lack of documentation as well.
I downloaded the tool and learned how to use it from the example files.
There is also an interactive version that was quite useful. The corresponding class
file for the interactive version is in the sub-directory net/sf/bddbddb/ of the main Bddbddb folder.

You can also take a look at some of John Whaley's papers for the technical details
of bddbddb.
http://suif.stanford.edu/~jwhaley/

Hope this helps,
Ankur.

Kevin Reid | 20 Jul 19:47 2011

Apple goes least-authority: “Lion” has a powerbox.

They even called it a powerbox.

> “Apple has chosen to solve this problem by providing heightened permissions to a particular class of
> actions: those explicitly initiated by the user. Lion includes a trusted daemon process called Powerbox
> (pboxd) whose job is to present and control open/save dialog boxes on behalf of sandboxed applications.
> After the user selects a file or directory into which a file should be saved, Powerbox pokes a hole in the
> application sandbox that allows it to perform the specific action.”

— Ars Technica's Mac OS X review
  <http://arstechnica.com/apple/reviews/2011/07/mac-os-x-10-7.ars/9>

(This is in the context of applications which are explicitly marked "sandboxed", with a static
"entitlement" of permanent authority.)

It probably ain't capabilities (no bundling of designation of the resource with authority to access it,
unless they've replaced file pathnames, which I doubt), but it's a big step in a good direction.

-- 
Kevin Reid                                  <http://switchb.org/kpreid/>
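As an added illustration (not Sitelier's, Apple's or any poster's code) of the two ideas this thread circles around, a powerbox that hands a sandboxed app authority to exactly the file the user picked, with designation and authority bundled, and the droppable read-billing-info cap from the Sitelier announcement built as a revocable facet: a Node.js sketch using an in-memory Map in place of the user's files. `makeReadCap`, `makeRevocable`, `makePowerbox`, the `chooser` callback and the sample paths are all assumed names and constructed data.

```javascript
// Added example (not Sitelier's, Apple's or any poster's code): the powerbox
// pattern sketched as object capabilities in plain Node.js. A Map stands in
// for the user's files so nothing touches the real disk.
// Designation and authority travel together: the app gets read() on exactly
// this file and never sees the path, so there is no name it could rewrite.
function makeReadCap(store, path) {
  return Object.freeze({ read: () => store.get(path) });
}

// A revocable facet: a forwarder the grantor can sever later. The app keeps
// the same reference, but once revoke() has run every call fails.
function makeRevocable(target) {
  let live = target;
  const facet = Object.freeze({ read: () => {
    if (!live) throw new Error('capability revoked');
    return live.read();
  } });
  return { facet, revoke: () => { live = null; } };
}

// The powerbox is the one trusted component that sees the whole store. It asks
// the user (chooser stands in for the open/save dialog) and hands the app a cap
// to the chosen file only. Revokers stay on the user's side, out of the app's reach.
function makePowerbox(store, chooser) {
  const revokers = new Map(); // appName -> revoke functions
  const appSide = Object.freeze({
    requestFile(appName) {
      const path = chooser(appName, [...store.keys()]);
      if (path == null) return null; // user cancelled: no authority flows
      const { facet, revoke } = makeRevocable(makeReadCap(store, path));
      revokers.set(appName, [...(revokers.get(appName) || []), revoke]);
      return facet;
    },
  });
  const userSide = { revokeApp: (app) => { (revokers.get(app) || []).forEach((r) => r()); revokers.delete(app); } };
  return { appSide, userSide };
}

// Seth's billing scenario: the shop app reads the card once; after the order
// ships the user drops the cap, and the copy the app still holds goes dead.
function demo() {
  const files = new Map([ // constructed sample data
    ['/home/alice/billing.json', '{"card":"**** 4242"}'],
    ['/home/alice/notes.txt', 'dentist tuesday'],
  ]);
  const pickBilling = (app, paths) => paths.find((p) => p.endsWith('billing.json'));
  const { appSide, userSide } = makePowerbox(files, pickBilling);
  const cap = appSide.requestFile('shop-app');
  const seen = cap.read();
  const cancelled = makePowerbox(files, () => null).appSide.requestFile('shop-app');
  userSide.revokeApp('shop-app'); // the order shipped: drop the cap
  let afterRevoke;
  try { afterRevoke = cap.read(); } catch (e) { afterRevoke = e.message; }
  return { seen, cancelled, afterRevoke, exposesPath: 'path' in cap };
}
```

What the app ends up holding is an object with a single `read` method and no path, which is the bundling Kevin notes pathname-based sandboxes lack; the revoker never crosses into the app's side.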
Ivan Krstić | 20 Jul 22:41 2011

Re: Apple goes least-authority: “Lion” has a powerbox.

On Jul 20, 2011, at 10:47 AM, Kevin Reid wrote:
> They even called it a powerbox.

I thought you lot might enjoy that.

> It probably ain't capabilities (no bundling of designation of the resource with authority to access it,
> unless they've replaced file pathnames, which I doubt), but it's a big step in a good direction.

The implementation uses actual capabilities under the hood.

--
Ivan Krstić <krstic <at> solarsail.hcs.harvard.edu> | http://radian.org

Marc Stiegler | 21 Jul 00:00 2011

Re: [friam] Apple goes least-authority: “Lion” has a powerbox.

Cool. At one point, an HP lawyer asked me if "powerbox" was a "term of
art". Now I can say yes :-)

--marcs

Ben Kloosterman | 22 Jul 07:01 2011

Re: [friam] Apple goes least-authority: “Lion” has a powerbox.

I recently noted the Silverlight runtime (Microsoft's Flash product) has been doing this for a few years,
when they added support for opening local files. All the string-based file APIs in the .NET framework are
not in Silverlight, but they added some which work through popping up a file dialog and the user specifying
the file.

Ben
