[cap-talk] the prize
ben at algroup.co.uk
Tue Nov 2 04:59:37 EST 2004
David Hopwood wrote:
> Ben Laurie wrote:
>> David Hopwood wrote:
>>> Ben Laurie wrote:
>>>> Jonathan S. Shapiro wrote:
>>>>> However, I *do* think that the single node case is a precondition to
>>>>> most useful networked cases.
>>>> Surely not. I can implement networked capabilities on a machine with
>>>> no internal security _at all_.
>>> You *can*, but what would be the point? If all software on a machine is
>>> in a single domain then you're not going to get any protection against
>>> bugs in that software or against attempted confused deputy attacks
>>> coming from the network.
>> I agree that you are not protected against bugs, but I do not agree
>> about confused deputy attacks. Your defence against those is to
>> correctly enforce capability discipline within your software - this
>> can be done in completely monolithic systems in utterly insecure
>> languages, modulo bugs.
> This is quite unrealistic. The simplest way to enforce capability
> displipline in an application of nontrivial complexity is to write the
> application in a capability-secure language subset.
I agree that it is the simplest. That does not make the alternative
> Technically, you are right that it is *possible* (in a strictly literal
> sense) to build a nontrivial system that enforces capability discipline
> in such a way that there is no clear layering between a part of the system
> that essentially acts as a capability-secure language implementation or
> kernel, and an application layer. I would never trust such a system, and
> I have no confidence that there is anyone competent to design one that
> way. (If there were, they probably would not trust it, either.)
I actually think this would be quite easy to do in C++.
>> Hardware/operating system/language security does not assist you in
>> this matter.
The point I was overstating was that if you want to write insecure code
(from a capability point of view) you can easily do it in a
capability-secure language - just pass around all your capabilities to
everything. Similarly, if you want to write secure code in a
non-capability-secure language, you can do it - just be careful with
your pointers (assuming C/C++). Since you are not running untrusted
code, the issues with fishing pointers (== capabilities) out of memory
do not exist, and the problem becomes one of applying the appropriate
discipline when coding, just like in a secure language.
ApacheCon! 13-17 November! http://www.apachecon.com/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
More information about the cap-talk