[cap-talk] What are caps good for?
Valerio Bellizzomi
devbox at selnet.org
Fri May 7 10:07:22 EDT 2004
On 06/05/2004, at 18.07, Jed Donnelley wrote:
>At 02:58 PM 5/5/2004, Jonathan S. Shapiro wrote:
>>One way to summarize the conversation to date is that misuse of
>>authority by hostile programs cannot be restricted -- not even by
>>restricting capability transfer (because of proxy behavior). This
>>summary is, of course, "mechanism neutral." It is equally true for every
>>protection mechanism we know about (not just capabilities). If true,
>>however, it suggests that one of my key arguments for capabilities --
>>confinement -- has been largely specious. It also suggests that
>>restricting the transfer of overt authority so that it must occur over
>>authorized channels provides a very limited guard (if any) against
>>hostile behavior.
>
>Hurray! Yes. I may still be in a minority in this thinking, but I
>do believe that if the above reasoning is accepted then many
>simplifications in rights communication are possible that will
>make POLA access much more achievable. However, regarding:
Capabilities *are* a simplification of ACLs, at least from the viewpoint of
system administration. We discussed that in past threads on the difficulty
of managing ACLs in large installations.
(snip)
>>1. NON-DISCLOSURE
>>
>>Let us begin by noting that authority and information disclosure is only
>>one of the threats we face. In my opinion, in the real world, it isn't a
>>very interesting problem for civilian systems -- or even for most
>>military systems.
>
>I tend to agree.
>
>>In actual practice, we don't get attacked by commercial software. It
>>isn't Windows or Word that is out to get you [I'll deal with penetration
>>and scripts below in section 2].
>
>Hmmm. I'm not sure I agree with the above. Word's macros are
>notorious. I am afraid to open any Word document that I receive
>with Word. I generally use Wordpad. I have a colleague that will
>only open Word documents in a VMWare virtual machine that
>does not have persistent state.
Doesn't that assume that the VMware virtual machine is *confined* from the
rest of the system?
When your colleague turns off the virtual machine all the state is
destroyed. Isn't that equivalent to rescinding domain+spacebank in EROS?
Though there would be some difference if you set up an internal network
between the virtual machine and host system. In that case there would be an
open channel which is not confined.
>
>>For a variety of legal reasons,
>>Microsoft (and other software vendors) isn't going to plant Trojan
>>horses in software on purpose. If one is found, they will correct it
>>reasonably quickly, which tends to limit exposure.
>
>Perhaps not intentionally, but they are mostly driven to add features
>like the Macro features above. When these feature needs conflict
>with security, generally the feature needs win.
>
>All this I see as part of an argument that suggests that every
>program must be treated with the Principle Of Least Access.
>If you find you must trust a program with a lot of access (e.g.
>a user shell or GUI or parts of the underlying system) then it
>behooves you to put a lot of attention into analyzing that code.
>Such attention has a high cost and I believe will never be possible
>with something like Microsoft Word.
again, POLA = Principle Of Least Authority
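An added toy model, not part of this post, of the thread, or of EROS, of the confinement question raised above: a domain backed by a throwaway space bank, a read-only view of host storage, and the effect of adding a writable channel to the host. The classes `SpaceBank`, `StorageObject`, `Capability` and `Domain` and the function `run_vm_scenario` are constructed here and are simplifications, not EROS's real interfaces.

```python
"""Toy model of capability confinement and rescission, written to
illustrate the VM/EROS comparison above.  Constructed example: the
classes below are invented simplifications, not EROS's interfaces."""

READ, WRITE = "read", "write"


class RevokedError(PermissionError):
    """The storage behind a capability has been rescinded."""


class StorageObject:
    """A piece of storage; remembers which space bank allocated it."""

    def __init__(self, name, bank, data=b""):
        self.name, self.bank, self.data, self.alive = name, bank, data, True


class SpaceBank:
    """Allocator. Rescinding it destroys everything it allocated, which
    invalidates every capability pointing at that storage."""

    def __init__(self, name):
        self.name = name
        self.objects = []

    def allocate(self, name, data=b""):
        obj = StorageObject(name, self, data)
        self.objects.append(obj)
        return obj

    def rescind(self):
        for obj in self.objects:
            obj.alive, obj.data = False, b""


class Capability:
    """Unforgeable reference to a StorageObject with a fixed set of rights."""

    def __init__(self, target, rights):
        self.target, self.rights = target, frozenset(rights)

    def _check(self, right):
        if not self.target.alive:
            raise RevokedError(f"{self.target.name}: storage rescinded")
        if right not in self.rights:
            raise PermissionError(f"{self.target.name}: no {right} right")

    def read(self):
        self._check(READ)
        return self.target.data

    def write(self, data):
        self._check(WRITE)
        self.target.data = data


class Domain:
    """A protection domain: it acts only through the capabilities it holds."""

    def __init__(self, name, bank):
        self.name, self.bank, self.caps = name, bank, {}

    def grant(self, label, cap):
        self.caps[label] = cap

    def leaks(self):
        """Capabilities that can carry information out of the domain: write
        access to storage not backed by the domain's own space bank."""
        return [label for label, cap in self.caps.items()
                if WRITE in cap.rights and cap.target.bank is not self.bank]

    def is_confined(self):
        return not self.leaks()


def run_vm_scenario(with_channel):
    """Run an untrusted program in a domain backed by a throwaway bank.
    with_channel=True adds a writable channel to host storage, which is
    what an internal network between guest and host amounts to."""
    host_bank = SpaceBank("host")
    host_disk = host_bank.allocate("host_disk", b"important files")
    vm_bank = SpaceBank("vm-ephemeral")
    vm = Domain("word-in-vm", vm_bank)
    vm.grant("doc", Capability(vm_bank.allocate("doc"), {READ, WRITE}))
    vm.grant("scratch", Capability(vm_bank.allocate("scratch"), {READ, WRITE}))
    vm.grant("host_ro", Capability(host_disk, {READ}))  # read-only: still confined
    channel = host_bank.allocate("host_channel") if with_channel else None
    if channel is not None:
        vm.grant("channel", Capability(channel, {READ, WRITE}))
    confined = vm.is_confined()

    # The untrusted program copies host data into its own scratch space and,
    # if it holds a channel, pushes that copy out to the host.
    vm.caps["scratch"].write(b"copied: " + vm.caps["host_ro"].read())
    if "channel" in vm.caps:
        vm.caps["channel"].write(vm.caps["scratch"].read())

    # Shutting the VM down is rescinding its bank: the domain's state is gone.
    vm_bank.rescind()
    try:
        vm.caps["scratch"].read()
        state_survived = True
    except RevokedError:
        state_survived = False

    return {
        "confined": confined,
        "leaks": vm.leaks(),
        "left_on_host": channel.data if channel is not None else b"",
        "state_survived": state_survived,
        "host_disk": host_disk.data,
    }
```

Without the channel the domain passes the confinement check and nothing it did outlives the rescind; with the channel the check fails before the program even runs, and whatever was pushed through the channel remains on the host after shutdown. The read-only capability to host storage is deliberately allowed by `leaks()`, matching the idea that read-only access to external state does not by itself open a channel out.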