Manifest Safety and Security

Presented as part of the 2007 HCSS conference.

Abstract

This talk will focus on manifest security as a new architectural principle for secure extensible systems. Manifest security applies to extensible software platforms - software systems that can be customized by installing third-party extensions. The goal of manifest security is to address two fundamental problems in this domain, both stemming from the need to protect the platform from untrusted and potentially malicious extensions. Useful software extensions often require access to system resources or sensitive information, yet permitting unrestricted access opens the possibility for abuse. It is therefore necessary, first, to specify policies about what resources an extension may use and how it can handle sensitive data; second, the platform must also include an effective mechanism for enforcing such policies. The critical components missing from existing architectures are thus (1) a general, practical means for users to specify security policies about how extensions are permitted to behave, and (2) a way of determining whether a given extension (which may be malicious) actually meets the desired policy. Manifest security addresses both of these issues.