[cap-talk] What are caps good for? - minor confinement issue

Jed Donnelley jed at nersc.gov
Fri May 7 22:39:05 EDT 2004


At 07:14 PM 5/7/2004, Valerio Bellizzomi wrote:


>On 07/05/2004, at 16.59, Jed Donnelley wrote:
>...
> >At the risk of beating a dead horse - generally what I find the effective
> >trust to be for POLA is to grant my agent the access to the limited
> >resources that I believe are needed for its work AND the right to further
> >share those resources for the purposes of subdividing the work it
> >needs to do (e.g. for further POLA restrictions of other agents).
> >I don't believe it is wise for me to try to decide what sort of help
> >my agent might need to perform its task.  It is for me to decide what
> >minimal set of rights my agent requires to do what I ask (POLA).
>
>But you said it, *generally*, but this is not always the case.

Sorry.  Sloppy English.  Just remove the "generally".

>You tend to talk about agents, which is a network-centric view of the
>computer (the network is the computer that is), but every coin has two
>sides.
>You can view the network as the computer, but you can't abstract from the
>fact that the network is an aggregation of single nodes (or clusters). The
>nodes should be protected in first place, and in particular the OS of each
>node must be protected before the agents or applications, which brings us
>back to the start of the whole discussion.

I agree with the above statement until the last clause "which brings us
back to the start of the whole discussion".  Perhaps I've lost where the
discussion started (I know where I came in ;-), but I don't see how anything
in the above lessens the value of POLA - whether with regard to communicating
processes, processors, or even people (though the mechanisms for meeting
POLA of course differ depending on the subjects and the objects).

> >>When your colleague turns off the virtual machine all the state is
> >>destroyed. Isn't that equivalent to rescinding domain+spacebank in EROS ?
> >>Though there would be some difference if you set up an internal network
> >>between the virtual machine and host system. In that case there would be an
> >>open channel which is not confined.
> >
> >You are focusing on the confinement aspects of the issue which I
> >believe are insignificant.  The relevant issue I believe is restricting
> >the access of the agent to the resources it needs, regardless of any
> >communication it may feel it needs to accomplish its task (whether
> >it's well behaved or malicious).
>
>No no, if it is malicious it should not be allowed to communicate, but we
>have no means to know that a priori, so establishing a well-defined
>protection boundary is fundamental.

As noted elsewhere, if it is benign it may well need to communicate
also.  Stopping such communication will stop the intended function
of the agent.  If you made the request of the agent then presumably
you wanted it to carry out your actions.

I'm reminded much of the pop-ups from a local firewall like Zone
Alarm.  Whenever I hear "so-and-so" wants to communicate to
the Internet, do you want to allow it?  I face a dilemma.  Yes, or
no?  If it is something I know about then typically my answer will
be yes.  When the question is "so-and-so" wants to act as a server
for the Internet (listen) then typically my answer is no.

As I hope I was clear on before, I can see value to such essentially
all or nothing communication restrictions.  Even wall banging can't effectively
get past a network interface.

However, I wish we could give up on asking our capability (or other access
rights restriction mechanisms to base POLA on).  When it gets to the level
of a processor on the network, such rights restriction mechanisms can't do
the job.  I argue that what's good at the processor level must be good at the
process (virtual processor) level.

>If it is achieved via confinement or
>other means *might be* insignificant, but I am not sure.
>We *might* want some means to decide *at which granularity* it should be
>confined. By granularity I mean we might want to allow multithreaded
>processes to have a unique protection boundary enclosing all threads, or we
>might want each thread to have its own protection boundary. However in EROS
>(as I understand it) every domain is always single threaded.
>I would like to hear what Shap thinks.

Gulp.  I would be delighted if such nuances were our largest problems.
I hope we can work on such problems when we have dealt with the
highest level issue of not having all processes run as "user"s.


> >> >...Principle Of Least Access.
> >> >...
> >>again, POLA = Principle Of Least Authority
> >
> >I'm fine with that terminology, however I don't believe the distinction
> >is significant.  Would you like to initiate a side discussion on that
> >topic?
>
>That was the purpose of the thread I started with subject "Capability
>Dictionary".

Can you give me a pointer?

--Jed http://www.nersc.gov/~jed/ 


