[cap-talk] the prize
david.nospam.hopwood at blueyonder.co.uk
Mon Nov 1 13:08:49 EST 2004
Ben Laurie wrote:
> David Hopwood wrote:
>> Ben Laurie wrote:
>>> Jonathan S. Shapiro wrote:
>>>> However, I *do* think that the single node case is a precondition to
>>>> most useful networked cases.
>>> Surely not. I can implement networked capabilities on a machine with
>>> no internal security _at all_.
>> You *can*, but what would be the point? If all software on a machine is
>> in a single domain then you're not going to get any protection against
>> bugs in that software or against attempted confused deputy attacks
>> coming from the network.
> I agree that you are not protected against bugs, but I do not agree
> about confused deputy attacks. Your defence against those is to
> correctly enforce capability discipline within your software - this can
> be done in completely monolithic systems in utterly insecure languages,
> modulo bugs.
This is quite unrealistic. The simplest way to enforce capability
discipline in an application of nontrivial complexity is to write the
application in a capability-secure language subset.
Technically, you are right that it is *possible* (in a strictly literal
sense) to build a nontrivial system that enforces capability discipline
in such a way that there is no clear layering between a part of the system
that essentially acts as a capability-secure language implementation or
kernel, and an application layer. I would never trust such a system, and
I have no confidence that there is anyone competent to design one that
way. (If there were, they probably would not trust it, either.)
> Hardware/operating system/language security does not assist
> you in this matter.
David Hopwood <david.nospam.hopwood at blueyonder.co.uk>
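Added illustration, not part of the archived thread and not code from any of its participants: the confused deputy that the exchange above is about, written first as a service with ambient authority over a constructed in-memory "filesystem", and then with capability discipline (the caller can only designate a file by handing over an unforgeable handle to it, so designation and authority coincide). The names (ambient_deputy, mint_write_cap, login, the billing-log path) are assumptions made for the example.

```python
"""Confused deputy under ambient authority vs. the same service under
capability discipline. Everything here is a constructed in-memory model."""
from typing import Callable, Dict

FileSystem = Dict[str, str]          # path -> contents (constructed, in memory)
WriteCap = Callable[[str], None]     # a single-path write authority; the path is hidden

BILLING_LOG = "/billing/log"         # assumed path; only the deputy should touch it


def fresh_fs() -> FileSystem:
    return {BILLING_LOG: "", "/home/mallory/out.txt": ""}


# --- Ambient-authority design: the deputy may write anywhere and acts on
#     whatever path string the caller names. -----------------------------
def ambient_deputy(fs: FileSystem, user: str, output_path: str, data: str) -> None:
    """Compile-like service: writes the result where the caller says, then
    bills the user in a log that only the deputy is meant to write."""
    fs[output_path] = data                   # caller's designation, deputy's authority
    fs[BILLING_LOG] += f"{user}:compiled\n"


def confused_deputy_demo() -> str:
    """Mallory names the billing log as the 'output file'. The deputy cannot
    tell this designation apart from a legitimate one, so it clobbers its
    own log with the deputy's authority, not Mallory's."""
    fs = fresh_fs()
    ambient_deputy(fs, "mallory", BILLING_LOG, "OVERWRITTEN\n")
    return fs[BILLING_LOG]                   # billing history is gone


# --- Capability design: no path strings cross the deputy's interface. ----
def mint_write_cap(fs: FileSystem, path: str, append: bool = False) -> WriteCap:
    """Held by the authority layer only. The closure hides `path`: a holder
    can write through the capability but cannot retarget it or read the
    path back out of it."""
    def write(data: str) -> None:
        fs[path] = (fs[path] + data) if append else data
    return write


def make_capability_deputy(billing_append: WriteCap):
    """The deputy receives its own billing authority once, at construction.
    From callers it accepts only the output capability they already hold."""
    def deputy(user: str, out: WriteCap, data: str) -> None:
        out(data)                            # can only land where the caller may write
        billing_append(f"{user}:compiled\n")
    return deputy


def login(fs: FileSystem, user: str) -> Dict[str, WriteCap]:
    """The layer that acts as the capability 'kernel': it hands a user
    capabilities to that user's own files and nothing else."""
    return {"out": mint_write_cap(fs, f"/home/{user}/out.txt")}


def capability_demo() -> str:
    """Mallory holds no capability that designates the billing log, so there
    is no way to even ask the deputy to write there."""
    fs = fresh_fs()
    deputy = make_capability_deputy(mint_write_cap(fs, BILLING_LOG, append=True))
    mallory = login(fs, "mallory")
    deputy("mallory", mallory["out"], "harmless output\n")
    assert fs["/home/mallory/out.txt"] == "harmless output\n"
    return fs[BILLING_LOG]                   # intact: just Mallory's billing line


def capability_demo_string_rejected() -> bool:
    """A caller that tries to smuggle a path string through the capability
    interface gets a type error: a string is not a write authority."""
    fs = fresh_fs()
    deputy = make_capability_deputy(mint_write_cap(fs, BILLING_LOG, append=True))
    try:
        deputy("mallory", BILLING_LOG, "OVERWRITTEN\n")  # type: ignore[arg-type]
    except TypeError:
        return fs[BILLING_LOG] == ""         # nothing was written
    return False


if __name__ == "__main__":
    print("ambient deputy, billing log after attack:", repr(confused_deputy_demo()))
    print("capability deputy, billing log:", repr(capability_demo()))
    print("path string rejected:", capability_demo_string_rejected())
```

Python is not a capability-secure language, and that is exactly Hopwood's point: as written, nothing stops a client module from calling mint_write_cap on the billing path itself, because the function is ambiently reachable. The discipline above holds only by convention. A capability-secure language subset (or a clearly layered kernel) is what removes that ambient route, so that the capability-taking deputy's safety does not rest on every caller behaving.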