[cap-talk] the prize

Ben Laurie ben at algroup.co.uk
Tue Nov 2 04:59:37 EST 2004


David Hopwood wrote:
> Ben Laurie wrote:
> 
>> David Hopwood wrote:
>>
>>> Ben Laurie wrote:
>>>
>>>> Jonathan S. Shapiro wrote:
>>>>
>>>>> However, I *do* think that the single node case is a precondition to
>>>>> most useful networked cases.
>>>>
>>>>
>>>> Surely not. I can implement networked capabilities on a machine with 
>>>> no internal security _at all_.
>>>
>>>
>>> You *can*, but what would be the point? If all software on a machine is
>>> in a single domain then you're not going to get any protection against
>>> bugs in that software or against attempted confused deputy attacks
>>> coming from the network.
>>
>>
>> I agree that you are not protected against bugs, but I do not agree 
>> about confused deputy attacks.  Your defence against those is to
>> correctly enforce capability discipline within your software - this 
>> can be done in completely monolithic systems in utterly insecure 
>> languages, modulo bugs.
> 
> 
> This is quite unrealistic. The simplest way to enforce capability
> discipline in an application of nontrivial complexity is to write the
> application in a capability-secure language subset.

I agree that it is the simplest. That does not make the alternative 
unrealistic.

> Technically, you are right that it is *possible* (in a strictly literal
> sense) to build a nontrivial system that enforces capability discipline
> in such a way that there is no clear layering between a part of the system
> that essentially acts as a capability-secure language implementation or
> kernel, and an application layer. I would never trust such a system, and
> I have no confidence that there is anyone competent to design one that
> way. (If there were, they probably would not trust it, either.)

I actually think this would be quite easy to do in C++.

>> Hardware/operating system/language security does not assist you in 
>> this matter.
> 
> Nonsense.

The point I was overstating was that if you want to write insecure code 
(from a capability point of view) you can easily do it in a 
capability-secure language - just pass around all your capabilities to 
everything. Similarly, if you want to write secure code in a 
non-capability-secure language, you can do it - just be careful with 
your pointers (assuming C/C++). Since you are not running untrusted 
code, the issues with fishing pointers (== capabilities) out of memory 
do not exist, and the problem becomes one of applying the appropriate 
discipline when coding, just like in a secure language.

Cheers,

Ben.

-- 
ApacheCon! 13-17 November! http://www.apachecon.com/

http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
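The discipline Ben describes above (treat pointers as capabilities, hand each function only the authority it needs, no ambient access to the resource) as an added C++ sketch; this is not code from the thread, and the Store, StoreCap, ReadCap and report names are invented for illustration:

```cpp
// Added illustration (not from the thread): object-capability discipline in
// plain C++. Authority flows only through explicitly passed objects; there is
// no global Store, so a function gets exactly what its caller hands it.
#include <map>
#include <memory>
#include <string>

// The protected resource. It is never reachable except through a capability.
class Store {
public:
    std::string read(const std::string& key) const {
        auto it = data_.find(key);
        return it == data_.end() ? "" : it->second;
    }
    void write(const std::string& key, const std::string& value) { data_[key] = value; }
private:
    std::map<std::string, std::string> data_;
};

// Attenuated capability: read-only. It holds a pointer-to-const, so there is
// no write authority that a holder could be confused into exercising.
class ReadCap {
public:
    explicit ReadCap(std::shared_ptr<const Store> s) : store_(std::move(s)) {}
    std::string read(const std::string& key) const { return store_->read(key); }
private:
    std::shared_ptr<const Store> store_;
};

// Full capability. The only way to obtain a ReadCap is to derive it from one
// of these, which keeps the graph of who-can-do-what explicit in the code.
class StoreCap {
public:
    explicit StoreCap(std::shared_ptr<Store> s) : store_(std::move(s)) {}
    void write(const std::string& key, const std::string& value) { store_->write(key, value); }
    ReadCap attenuate() const { return ReadCap(store_); }
private:
    std::shared_ptr<Store> store_;
};

// A deputy that only needs to read. Because it receives a ReadCap rather than
// ambient access to the Store, a caller cannot use it to write on their behalf.
std::string report(const ReadCap& cap, const std::string& key) {
    return "value=" + cap.read(key);
}

// Wire it up: the owner writes, then hands the deputy an attenuated capability.
std::string demo() {
    StoreCap owner(std::make_shared<Store>());
    owner.write("greeting", "hello");
    return report(owner.attenuate(), "greeting");
}
```

As the post itself notes, this holds only "modulo bugs": nothing in C++ stops a `const_cast` or a stray pointer, so the discipline is a coding convention rather than a language guarantee.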

