[cap-talk] the prize

David Hopwood david.nospam.hopwood at blueyonder.co.uk
Mon Nov 1 13:08:49 EST 2004


Ben Laurie wrote:
> David Hopwood wrote:
>> Ben Laurie wrote:
>>> Jonathan S. Shapiro wrote:
>>>
>>>> However, I *do* think that the single node case is a precondition to
>>>> most useful networked cases.
>>>
>>> Surely not. I can implement networked capabilities on a machine with 
>>> no internal security _at all_.
>>
>> You *can*, but what would be the point? If all software on a machine is
>> in a single domain then you're not going to get any protection against
>> bugs in that software or against attempted confused deputy attacks
>> coming from the network.
> 
> I agree that you are not protected against bugs, but I do not agree 
> about confused deputy attacks.  Your defence against those is to
> correctly enforce capability discipline within your software - this can 
> be done in completely monolithic systems in utterly insecure languages, 
> modulo bugs.

This is quite unrealistic. The simplest way to enforce capability
discipline in an application of nontrivial complexity is to write the
application in a capability-secure language subset.

Technically, you are right that it is *possible* (in a strictly literal
sense) to build a nontrivial system that enforces capability discipline
in such a way that there is no clear layering between a part of the system
that essentially acts as a capability-secure language implementation or
kernel, and an application layer. I would never trust such a system, and
I have no confidence that there is anyone competent to design one that
way. (If there were, they probably would not trust it, either.)

> Hardware/operating system/language security does not assist 
> you in this matter.

Nonsense.

-- 
David Hopwood <david.nospam.hopwood at blueyonder.co.uk>
