[cap-talk] What are caps good for? - The line is drawn on
jed at nersc.gov
Fri May 7 16:49:26 EDT 2004
At 01:02 PM 5/7/2004, David Hopwood wrote:
>Jed Donnelley wrote:
>>There's a fundamental nut to the Trojan horse problem that is unsolvable.
>>If you have to trust an agent with something, the agent can abuse that
>>trust. I believe the major security/integrity problem in computing
>>(throughout the "ages") is the inability to limit such agents to POLA.
>>I believe an appropriate application of the capability concept/model
>>would solve this problem in so far as it can be solved, making a huge (!)
>>improvement in the security/integrity of computing.
>Imagining that there is a single boundary, between the user's shell and
>applications, where POLA needs to be applied is a misconception. It is
>commonplace for applications to need to enforce their own security
I agree. I'm not sure what I wrote that led you to think I was suggesting
otherwise. In my opinion/experience the cranking down on POLA and
the subdividing of agents into finer and finer domains is mostly a matter
of deciding how much work and overhead are justified to achieve a
desired level of security/integrity. However, if it isn't possible to enforce
POLA on a per process (domain, module, whatever you want to call
the environment of a "subject" that executes) basis, then the question
>Mechanisms like confinement are intended to support this.
About that I continue to disagree. As I have said oft and again in this
discussion, I believe efforts at confinement are ineffective (proxying)
and counterproductive (don't allow agents to further subdivide,
produce awkward implementations that in any case can't fully
>There is an interesting argument to be had about *how well* confinement
>supports building security boundaries at the user level, but it is clear
>that it is necessary to be able to build such boundaries.
Again I disagree. What does confinement add over POLA? Remember,
"confinement" is not necessary to limit the sharing of permanent future
rights as can be handled with a capability "fork"ing mechanism.
>>I believe the discussion of "confinement" is nearly meaningless
>>except as a distraction that's counterproductive. I believe providing
>>mechanisms and interfaces to support Principle Of Least Access
>>is where we should be focused. In principle such POLA restrictions can
>>be done with access lists. However, I believe access lists are very
>>awkward for this purpose. They seem to appeal to people largely because
>>of their ability to display who has access to a resource. However, in this
>>context people are thinking about which people have access to a resource.
>>There is also the thought that access rights in an access list can be
>>revoked at the list associated with the object. This putative value is
>>useless if the subjects are processes. I'm going to look at the access
>>list for my file and decide to revoke the right of process 5237 to the file?
>Agreed except for the first sentence. I don't believe that the first
>sentence follows from any of the rest of this argument. On the contrary,
>confinement is one of the "mechanisms and interfaces to support Principle
>Of Least [Authority]".
There again I believe that where we differ is clear. In my view what is needed
at the minimum is the ability to share only those rights that need to be shared
across any domain boundary - POLA. Once a right has been shared, I believe
the further sharing that right wherever it can be communicated is what I refer
to as an "inalienable" right - in that trying to restrict such further sharing
is ineffective and counterproductive.
>>I believe there are other more suitable mechanisms, using the capability
>>model, that can be used for rights revocation.
>The main usefulness of confinement is not revocation; it's delineating
>security boundaries across which authority should not be granted in the
Once the right was communicated in the first place - given all POLA
considerations - the process (domain, subject) receiving the right had
the right to abuse it. The value of POLA is to restrict the agent to just
the rights it needs, not to try to somehow (ineffectively and
counterproductively) restrict how it can use the rights it is given (e.g. by sharing
that right with another agent to act on its behalf).
It seems to me that the lines are drawn fairly clearly on this issue.
I'd be interested to hear what others think.
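The two capability mechanisms this exchange keeps returning to, handing an agent only the rights it actually needs and revoking a right at the capability level rather than by editing an access list on the object, can be shown in a small object-capability sketch. This is an added example, not code from the cap-talk thread or from any system the participants describe; the class names, the `File` object, and the caretaker (revocable forwarder) shape are my own assumptions, chosen to illustrate attenuation and revocation side by side. It also shows the point Jed makes about onward sharing: the holder of a facet can pass it to a helper, and nothing in the facet stops that, but revoking at the caretaker cuts off every holder downstream at once.

```python
# Added example (not from the cap-talk thread): attenuation and revocation
# in the object-capability style. All names here are hypothetical.


class File:
    """A plain object whose methods are the rights it confers."""

    def __init__(self, contents: str) -> None:
        self._contents = contents

    def read(self) -> str:
        return self._contents

    def write(self, data: str) -> None:
        self._contents = data


class ReadOnly:
    """Attenuated facet: holds the file but exposes only read().

    An agent given this object cannot reach write(), because the facet
    simply has no such method; there is no access list to consult.
    """

    def __init__(self, target: File) -> None:
        self._target = target

    def read(self) -> str:
        return self._target.read()


class Revoked(Exception):
    """Raised when a caretaker's forwarder is used after revocation."""


def make_caretaker(target):
    """Return (forwarder, revoke).

    The forwarder proxies attribute access to `target` until revoke() is
    called; afterwards every use raises Revoked. Revocation is done by the
    party that created the caretaker, not by the object being protected.
    """
    state = {"target": target}

    class Forwarder:
        def __getattr__(self, name):
            current = state["target"]
            if current is None:
                raise Revoked(name)
            return getattr(current, name)

    def revoke() -> None:
        state["target"] = None

    return Forwarder(), revoke


def helper_agent(facet) -> str:
    """A second agent that the first one delegates to (onward sharing)."""
    return facet.read()


def untrusted_agent(facet) -> str:
    """Agent that uses its facet and also hands it to a helper."""
    own_view = facet.read()
    delegated_view = helper_agent(facet)  # nothing stops this delegation
    return own_view if own_view == delegated_view else "mismatch"


def demo():
    """Grant a revocable read-only view, observe use, then revoke."""
    secret = File("constructed sample contents")  # constructed sample data

    # POLA: the agent needs to read, so it gets a read-only, revocable facet.
    facet, revoke = make_caretaker(ReadOnly(secret))

    seen = untrusted_agent(facet)
    # Attenuation: the facet exposes no write() at all.
    has_write = hasattr(facet, "write")

    revoke()
    try:
        helper_agent(facet)  # the delegated copy dies with the original
        after = "still works"
    except Revoked:
        after = "revoked"

    # The underlying file is untouched by anything the agents did.
    return seen, has_write, after, secret.read()


if __name__ == "__main__":
    print(demo())
```

The caretaker here is the classic revocable-forwarder pattern: the grantor keeps `revoke` and gives out only the forwarder, so the decision to revoke is tied to the grant rather than to an identity lookup on the object. Attenuation (`ReadOnly`) and revocation (`make_caretaker`) compose freely, which is why the example wraps the read-only facet inside the caretaker rather than the file itself.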