<div dir="ltr"><div class="gmail_quote">On Sun, Jun 26, 2011 at 10:24 AM, Oleg Goldshmidt <span dir="ltr"><<a href="mailto:pub@goldshmidt.org">pub@goldshmidt.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="im"><br></div>
It's a tough problem. It is a lot more difficult than AV since you<br>
want to prevent essentially arbitrary data from leaking, not just data<br>
that may damage another machine.</blockquote><div><br></div><div>I don't think preventing data leak is a problem here, or generally speaking. The problem is, you can't verify from the first place what you do and what you don't want to send.</div>
<div><br></div><div>For instance, if we assume that there's a certain trusted computer, where he composes arbitrary files marked as "safe", it is trivial to send those files without extra information. Let the trusted computer sign this file, and you're safe. No one can inject any other information as long as you've verified the signature. The only problem is, verifying the signature (or actually conducting any other computation securely) in a hostile environment, for which there are solution.</div>
<div><br></div><div>The problem here is, no one knows what's safe to send and what's secret. (Either that, or ALL computers are hostile). So the adversary is giving you a file with some information visible and some hidden, and you need to change it so that only the visible information remains. Now this is tough. The adversary can take advantage of any non-deterministic data structure in the file he gives. Heck, he can change the order of the inodes in a certain directory (at least in some file systems).</div>
</div></div>