From the Glossary:
The protection domain is a subset of the software, and its data, that runs on some platform.
Properly crafted code with a protection domain all to itself can ensure its own integrity and behavior, subject to the platform maintaining its own integrity.
Only a few platform designs can provide suitable protection domains and there is much controversy over precise meanings; there is, however a broad consensus.
One of the controversies is how protection domains should arise and be able to interact.
This definition is vague on the notions of protection domain and platform.
We exploit that vagueness here.
This paper: The Security Architecture of the Chromium Browser describes the Chrome browser as providing two protection domains, the web and the user’s machine.
Vulnerabilities in the web savvy browser code will not, by them selves, lead to abusing the user’s authority, except possibly with other web sites.
The Keykos domain is a protection domain in this sense and constitutes what I see as the ideal protection domain.
Some languages support patterns wherein program constructs can achieve the purposes of protection domains by relying on scoping rules and such.
Object Views: Fine-Grained Sharing in Browsers
Questions on The Security Architecture of the Chromium Browser:
I hope that the “multiple instances” in “The browser kernel is responsible for managing multiple instances of the rendering engine” are unable to communicate with each other except by principled means.
That is consistent with stated security goals, but not other considerations.
Chromium uses a separate instance of the rendering engine for each tab that displays content from the web, providing fault tolerance in the case of a rendering engine crash.
The plug-in situation is vexatious.
Whenever the rendering engine attempts to access a “securable object,” the Windows Security Manager checks whether the rendering engine’s security token has sufficient privileges to access the object.
This sounds like access lists and permissions!
I need to find definition of “security token”, “Windows Job Object” and AdjustTokenPrivileges in the Windows context.
For example, if a user mounts a USB thumb drive that uses FAT32, a compromised rendering engine can read and write the contents of the drive.
This means that any mounted FAT32 system is an ambient authority.