A Secure Environment for Untrusted Helper Apps
Ian Goldberg, David Wagner, et al.

Summary: Janus contains untrusted helper applications by interposing on a subset of the application's system calls.

The benefits of this approach are:
- It works at user level; no kernel hacking is needed.
- It can impose per-application protection constraints, which allows us to implement the principle of least privilege.
- The implementation is relatively simple and straightforward. Simple is good.

The drawbacks of this approach are:
- System call monitoring seems unscalable (~3400 system calls in NT4).
- Janus seems to assume that system calls are implemented correctly, or at least that bogus application inputs will be trapped by Janus.
- Writing policy is hard, and requires intimate knowledge of application semantics.
- There is no way to force users to use Janus. In security parlance, there isn't a chokepoint in this system.
- The authors only consider sample applications with few required privileges. Sophisticated applications would require more complex policies, which are more likely to be wrong. There is no way to verify policies.
- This paper implicitly assumes that the application is the security principal. I could see cases where different users (i.e., administrator versus common user) should have different security policies for the same application. This complicates things even more.
- Could the "correct" security policy change over time as devices are added and removed? Also, could the security policy be different for different users?

Bottom line: Janus could work in theory, but in practice expressing security policy is extremely difficult.
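To make the interposition idea and the "writing policy is hard" point concrete, here is an added example of a toy Janus-style policy evaluator. It is not the paper's code or the Janus policy language: the `Syscall` record, the `Policy` class, the prefix-based rules, the helper-app policy and the sample trace are all constructed for illustration. It shows the least-privilege shape of such a policy (deny by default, enumerate only what the helper needs, so the monitor never has to understand every system call) and one of the input-handling details a policy writer has to get right (paths must be canonicalized before they are compared against the allowed directories).

```python
# Added example, not the Janus paper's code: a deny-by-default policy
# evaluator for intercepted system calls. Names, rules and the trace below
# are hypothetical constructions for illustration.
import os
import posixpath
from dataclasses import dataclass
from typing import Iterable, List, Sequence, Tuple


@dataclass(frozen=True)
class Syscall:
    """One intercepted call as a user-level monitor would see it: name plus raw args."""
    name: str
    args: Tuple


# Any of these flags means the open could modify the file.
WRITE_FLAGS = os.O_WRONLY | os.O_RDWR | os.O_CREAT | os.O_TRUNC | os.O_APPEND


def canonical(path: str, cwd: str) -> str:
    """Lexically normalize a path ('.', '..', '//') relative to cwd.

    Caveat: this is purely lexical. A real monitor must also deal with
    symlinks and with the window between this check and the kernel's own
    path lookup; a policy that compares raw strings would be wrong."""
    if not path.startswith("/"):
        path = posixpath.join(cwd, path)
    return posixpath.normpath(path)


class Policy:
    """Per-application policy. Only calls explicitly listed here are ever
    allowed, so unknown or unmodelled system calls are refused by default."""

    def __init__(self, cwd: str, read_prefixes: Sequence[str],
                 write_prefixes: Sequence[str], allow_network: bool = False):
        self.cwd = cwd
        self.read_prefixes = tuple(posixpath.normpath(p) for p in read_prefixes)
        self.write_prefixes = tuple(posixpath.normpath(p) for p in write_prefixes)
        self.allow_network = allow_network
        # Calls whose arguments carry no security decision for this helper
        # (the kernel already bounds them by the descriptors it handed out).
        self.always_allow = {"read", "write", "close", "brk", "mmap", "exit"}

    def _under(self, path: str, prefixes: Tuple[str, ...]) -> bool:
        return any(path == p or path.startswith(p + "/") for p in prefixes)

    def decide(self, call: Syscall) -> bool:
        """Return True to let the call through, False to refuse it."""
        if call.name in self.always_allow:
            return True
        if call.name == "open":
            path, flags = call.args
            target = canonical(path, self.cwd)
            if flags & WRITE_FLAGS:
                return self._under(target, self.write_prefixes)
            return self._under(target, self.read_prefixes)
        if call.name in ("connect", "bind"):
            return self.allow_network
        return False  # default deny: execve, fork, anything not modelled


def run_trace(policy: Policy, trace: Iterable[Syscall]) -> List[Tuple[str, bool]]:
    """Evaluate every call in a trace; returns (name, allowed) pairs."""
    return [(c.name, policy.decide(c)) for c in trace]


# Hypothetical policy for a document-rendering helper: it may read fonts and
# its scratch directory, write only to the scratch directory, and never
# touch the network.
HELPER_POLICY = Policy(
    cwd="/home/alice/tmp",
    read_prefixes=["/usr/lib/fonts", "/home/alice/tmp"],
    write_prefixes=["/home/alice/tmp"],
)

# Constructed trace, not captured from a real process.
SAMPLE_TRACE = [
    Syscall("open", ("/usr/lib/fonts/Helvetica.pfb", os.O_RDONLY)),
    Syscall("read", (3, 4096)),
    Syscall("open", ("output.ppm", os.O_WRONLY | os.O_CREAT)),
    Syscall("open", ("../Mail/inbox", os.O_RDONLY)),   # resolves outside the sandbox dir
    Syscall("connect", (4, ("192.0.2.1", 80))),
    Syscall("execve", ("/bin/sh", ["sh"])),
    Syscall("exit", (0,)),
]

if __name__ == "__main__":
    for name, allowed in run_trace(HELPER_POLICY, SAMPLE_TRACE):
        print(f"{name:8} {'allow' if allowed else 'DENY'}")
```

Two things the trace illustrates: the relative path `../Mail/inbox` is refused only because `canonical` resolves it against the helper's working directory first, and `execve` is refused without the policy saying anything about it, which is what keeps a deny-by-default policy short even on a system with thousands of system calls. Everything the review lists as hard remains hard here: deciding which directories a real helper legitimately needs is exactly the application-semantics knowledge the author says policy writing requires.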