[cap-talk] What are caps good for? - minor confinement issue

Valerio Bellizzomi devbox at selnet.org
Sat May 8 18:51:06 EDT 2004



On 07/05/2004, at 19.39, Jed Donnelley wrote:

>At 07:14 PM 5/7/2004, Valerio Bellizzomi wrote:
>
>
>>On 07/05/2004, at 16.59, Jed Donnelley wrote:
>>...
>> >At the risk of beating a dead horse - generally what I find the effective
>> >trust to be for POLA is to grant my agent the access to the limited
>> >resources that I believe are needed for its work AND the right to further
>> >share those resources for the purposes of subdividing the work it
>> >needs to do (e.g. for further POLA restrictions of other agents).
>> >I don't believe it is wise for me to try to decide what sort of help
>> >my agent might need to perform its task.  It is for me to decide what
>> >minimal set of rights my agent requires to do what I ask (POLA).
>>
>>But you said it, *generally* , but this is not always the case.
>
>Sorry.  Sloppy English.  Just remove the "generally"

ok

>
>>You tend to talk about agents, which is a network-centric view of the
>>computer (the network is the computer, that is), but every coin has two
>>sides.
>>You can view the network as the computer, but you can't abstract from the
>>fact that the network is an aggregation of single nodes (or clusters). The
>>nodes should be protected in first place, and in particular the OS of each
>>node must be protected before the agents or applications, which brings us
>>back to the start of the whole discussion.

I mean we are back to the original thread.

>
>I agree with the above statement until the last clause "which brings us
>back to the start of the whole discussion".  Perhaps I've lost where the
>discussion started (I know where I came in ;-), but I don't see how anything
>in the above lessens the value of POLA - whether with regard to communicating
>process, processors, or even people (though the mechanisms for meeting
>POLA of course differ depending on the subjects and the objects).

As Shap said, confinement is a mechanism, and I add "which can be used to
meet the principle of POLA."
In the above it doesn't lessen the value of POLA; the mechanism for
capability rescind is exactly what you are searching for: we can allow access
and later revoke it.


>
>> >>When your colleague turns off the virtual machine all the state is
>> >>destroyed. Isn't that equivalent to rescinding domain+spacebank in EROS?
>> >>Though there would be some difference if you set up an internal network
>> >>between the virtual machine and host system. In that case there would be an
>> >>open channel which is not confined.
>> >
>> >You are focusing on the confinement aspects of the issue which I
>> >believe are insignificant.  The relevant issue I believe is restricting
>> >the access of the agent to the resources it needs, regardless of any
>> >communication it may feel it needs to accomplish its task (whether
>> >it's well behaved or malicious).
>>
>>No no, if it is malicious it should not be allowed to communicate, but we
>>have no means to know that a priori, so establishing a well-defined
>>protection boundary is fundamental.
>
>As noted elsewhere, if it is benign it may well need to communicate
>also.  Stopping such communication will stop the intended function
>of the agent.  If you made the request of the agent then presumably
>you wanted it to carry out your actions.
>
>I'm reminded much of the pop-ups from a local firewall like Zone
>Alarm.  Whenever I hear "so-and-so" wants to communicate to
>the Internet, do you want to allow it?  I face a dilemma.  Yes, or
>no?  If it is something I know about then typically my answer will
>be yes.  When the question is "so-and-so" wants to act as a server
>for the Internet (listen) then typically my answer is no.
>
>As I hope I was clear on before, I can see value to such essentially
>all or nothing communication restrictions.  Even wall banging can't effectively
>get past a network interface.
>
>However, I wish we could give up on asking our capability (or other access
>rights restriction mechanisms to base POLA on).  When it gets to the level
>of a processor on the network, such rights restriction mechanisms can't do
>the job.  I argue that what's good at the processor level must be good at the
>process (virtual processor) level.
>
>>If it is achieved via confinement or
>>other means *might be* insignificant, but I am not sure.
>>We *might* want some means to decide *at which granularity* it should be
>>confined. By granularity I mean we might want to allow multithreaded
>>processes to have a unique protection boundary enclosing all threads, or we
>>might want each thread to have its own protection boundary. However in EROS
>>(as I understand it) every domain is always single threaded.
>>I would like to hear what Shap thinks.
>
>Gulp.  I would be delighted if such nuances were our largest problems.
>I hope we can work on such problems when we have dealt with the
>highest level issue of not having all processes run as "user"s.
>
>
>> >> >...Principle Of Least Access.
>> >> >...
>> >>again, POLA = Principle Of Least Authority
>> >
>> >I'm fine with that terminology, however I don't believe the distinction
>> >is significant.  Would you like to initiate a side discussion on that
>> >topic?
>>
>>That was the purpose of the thread I started with subject "Capability
>>Dictionary".
>
>Can you give me a pointer?

http://www.eros-os.org/pipermail/cap-talk/2004-May/001684.html
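
The "allow access and later revoke it" mechanism discussed above, as an added example that is not part of the original post or of EROS: a revocable, attenuated capability built as a forwarder behind a "caretaker". The names FileStore, make_revocable, RevokedError and demo are this example's own. Python has no real object-capability discipline (reflection can reach anything), so the block shows the pattern, not a confinement boundary.

```python
# Added example (not from the cap-talk post): a revocable, attenuated capability
# built as a forwarder/"caretaker".  FileStore, make_revocable, RevokedError and
# demo are this example's own names, not an EROS or cap-talk API.  Python cannot
# enforce a protection boundary; this demonstrates the pattern only.


class RevokedError(PermissionError):
    """Raised when a capability that has been rescinded is invoked."""


class FileStore:
    """Constructed stand-in for the resource being granted (think of a spacebank)."""

    def __init__(self):
        self.files = {}

    def read(self, path):
        return self.files[path]

    def write(self, path, data):
        self.files[path] = data

    def delete(self, path):
        del self.files[path]


def make_revocable(target, allowed_methods):
    """Return (proxy, revoke).

    proxy.m(...) forwards to target.m(...) only while the capability is live and
    m is in allowed_methods (attenuation: the holder never sees other methods).
    revoke() breaks the only link from proxy to target, so every copy of proxy,
    however far it was delegated, stops working at once; target's state stays.
    """
    link = [target]                      # the single path from proxy to target
    allowed = frozenset(allowed_methods)

    class Proxy:
        __slots__ = ()                   # no instance dict to stash the target in

        def __getattr__(self, name):
            if name not in allowed:
                raise AttributeError(f"capability does not grant {name!r}")

            def call(*args, **kwargs):
                if link[0] is None:
                    raise RevokedError(f"capability to {name!r} was rescinded")
                return getattr(link[0], name)(*args, **kwargs)

            return call

    def revoke():
        link[0] = None

    return Proxy(), revoke


def demo():
    """Grant, delegate, attenuate and rescind; return what each party observed."""
    store = FileStore()
    store.write("report.txt", "draft")          # constructed sample content

    # Principal grants the agent read+write on the store, but not delete (POLA).
    agent_cap, revoke = make_revocable(store, {"read", "write"})
    first_read = agent_cap.read("report.txt")

    # The agent subdivides its work by handing the *same* capability to a helper.
    helper_cap = agent_cap
    helper_cap.write("report.txt", "final")

    # Attenuation: the method that was never granted is simply not there.
    try:
        agent_cap.delete("report.txt")
        delete_blocked = False
    except AttributeError:
        delete_blocked = True

    # Rescind: the principal revokes once; agent and helper both lose access.
    revoke()
    try:
        helper_cap.read("report.txt")
        helper_revoked = False
    except RevokedError:
        helper_revoked = True
    try:
        agent_cap.write("report.txt", "sneaky")
        agent_revoked = False
    except RevokedError:
        agent_revoked = True

    # Unlike tearing down a VM, the resource itself survives revocation.
    return {
        "first_read": first_read,
        "delete_blocked": delete_blocked,
        "helper_revoked": helper_revoked,
        "agent_revoked": agent_revoked,
        "store_after": dict(store.files),
    }


if __name__ == "__main__":
    print(demo())
```

Revocation here is at the granularity of the forwarder: because the agent delegated the same proxy, one revoke cuts off agent and helper together. If the agent wanted to rescind the helper independently, it would wrap its own proxy in a second make_revocable before handing it on, which is the "further share those resources" right from the quoted text expressed as a chain of caretakers.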




