Sandboxing with Odysseus & the Googleators

There is something powerful and compelling in a good challenge. In principle, many complex challenges have simple solutions. There are three types of solutions to challenges, the first type of solution is the cunning, cerebral type – it is usually based on the premise that wisdom and experience will eventually trump power and authority. There is a Russian folktale about a simple, honest man who worked as a ranger for a cruel King. When the ranger married a beautiful, magical princess, the King became jealous and sent the ranger on a series of challenges, each of which was more dangerous than the previous one. The ranger fulfiled each of the challenges with the help of his beautiful, wise wife. Finally, the King ordered his ranger -“go I know not where and bring back what I know not.”  The ranges did as he was told with the help of his wife – he went to a country he’d never seen before and returned with an invisible servant who can fulfil one’s wishes in a flash. In the process, the ranger also got rid of the cruel King and became a kind, benevolent ruler. 

The second type of solution is strategic, it assumes that there is a systemic way of resolving challenges by figuring out principles that allow us to solve challenges successfully. Louis Pasteur’s development of the first vaccines, for example, was a strategic response to his observation of systems in microbiology, bacteriology, and virology. 

Sometime ago, I ToingToing!ed about Robert Axelrod’s study of the defection / cooperation axis, and his pioneering work around an iterative game called the Prisoner’s Dilemma. The challenge posed by Axelrod was complex: he invited people to write and submit computer programs that would interact with similar computer programs in simulating choices of cooperation vs. non-cooperation (‘desertion’) – with the last program remaining wins the challenge. It is now a known fact that Canadian mathematician and psychologist Anatole Rapoport won the competition several years in a row using his TIT-FOR-TAT program. The TIT-FOR-TAT strategy was ingeniously simple: it always cooperated on the first move, and then made the same choice as the other player did on the previous move. This cooperation-biased strategy has been a consistent winner against other strategies, including itself. Rapoport‘s TIT-FOR-TAT offers a strategic solution to a systemic challenge. 

The third type of solution assumes that every structure, no matter how formidable and solid, has a flow. Troy – one of the world strongest, most impenetrable fortresses was reduced to ashes after years of unsuccessful siege, when the besieging forces learned and understood the mindset of the besieged. The Trojan’s were brave, imaginative, advanced and skilful. Their city’s ramparts have never been breached. They watched the enemies’ frustration growing over ten years of siege – and grew confident in their ability to withstand military pressure.  According to the Odyssey, the Greek hero and military genius Odysseus (a.k.a. Ulysses) realised that it is possible that the Trojans would believe that the Greek have accepted defeat and left the scene where they endured ten years of humiliation. His solution to the Trojan challenge was simple – find a way for the Trojans themselves to allow the Greeks entry into their city. The rest was left to a single Wooden Horse. Commenting on the way the war ended, classical Roman poet Virgil said: “Who asks whether the enemy were defeated by strategy or valor?” 

Pwn2Own contests look for cracks in various technological platforms and applications. Their work can be described as benevolent hacking, because it aims to find flows that may be used by malevolent hackers. According to Wikipedia, the term Pwn2Own is “derived from the verb “own“, […] as meaning to appropriate or to conquer to gain ownership. The term implies domination or humiliation of a rival, used primarily in the Internet gaming culture to taunt an opponent who has just been soundly defeated (e.g. “You just got pwned!”).” To many, Pwn2Own hackers are the modern equivalents to the epic heroes who go out to foil the monsters and save the day.

A recent Pwn2Own browser security contest was held in Vancouver, Canada, as part of the 2017 CanSecWest, the world’s most advanced conference focusing on applied digital security. News coming out of the P2O killing fields were earth shattering: – security researchers (our Pwn2Own benevolent hackers) had no problem cracking Firefox, Safari, and Internet Explorer wide open, but (and here comes the drum roll) remained on the outside of Google Chrome’s walls, unable to crack it open.  According to ArsTechinca, “Security researchers attribute the strength of Google’s browser to its sandbox design.”

The Googleators who designed Chrome approached the security challenge by building on Odysseus’ logic – they, too, realised that malevolent intruders can access computers through weaknesses in the ‘permission’ mechanism – the section/s of computer-systems with the power to allow or deny access to the computers.  While other systems concentrate on identifying malevolent software as such and denying it access, the Google Chrome Sandbox simply disconnects browser processes from the rest of the machine by controlling – and denying – those processes permission to act outside the sandbox. Attackers cannot access other resources because they cannot ‘see’ them.  (Here is a detailed, somewhat technical description of Google Sandbox.)

The ongoing battle between our heroes and the villains they try to hunt down is the stuff that launched a thousand movies. But what can we learn – past technology and the worship of cinematic characters – by sandboxing with Odysseus’ and the Googleators?

The global idea behind the sandbox is the creation of a virtual area of activity that is safe because it virtual. It allows and denies access to a host of objects – from the irritating to the dangerous. A crucial area of need is one’s daily communication payloads, the ideal information sandbox acts as your personal assistant, bouncer, bodyguard and spin doctor – all in one.  Here are a few areas of promising developments on the way to the ultimate information sandbox:

  • Email missives are arranged in conversations, and conversations are made out of threads. An interesting application to observe in this area is Xobni (Inbox spelled backwards), an Outlook extension that indexes your email on the fly and allows you to search your email and analyse link conversation (who is your number one reader, who writes most email to you?) Xobni can also link your contacts (including email communication you have with them) to their external profiles – FaceBook, Linkedin, Twitter etc.
  • Your reading interest, from music choice to weather reports, sports news to stock exchange, movies shown in your area to news – can be linked to through RSS feeds and read through feed readers like Google Reader – an application that is seamlessly linked to other Google facilities, such as Google Email and Google Alert.
  • Be alerted You can subscribe to an automatic, superfast ‘clipping service’ – or Alert that notifies you periodically when topics you are interested in (politics, your favourite football club, your area/s of research and scholarship, your blog, your job or company) appear anywhere online. Google Reader handles alerts beautifully, but I have been using for many years another service that is named Google Alert even though it is an independent enterprise.

It is becoming clear that many software designers have already been developing with the information sandbox metaphor in mind.

Contribute to ToingToing!