[cap-talk] membrane challenge - Attack discussion
Jed Donnelley
jed at nersc.gov
Tue Nov 16 23:02:01 EST 2004
At 07:35 PM 11/16/2004, David Wagner wrote:
>Jed writes:
> >I'll be interested to hear what people think of this attack.
>
>It's not a problem in the E language per se. It's a flaw in the services
>that you've implemented on top of E: those services do not enforce the
>security property they were intended to....
Here's my reaction to this dismissal of the attack:
Remember, my attack is against the Fantasy Membrane Server
(FMS) regardless of other services like the Swiss Number
server.
The idea of the FMS (as I understand it) is to be able to
pass capabilities through it temporarily with the assurance
that at a later time the membrane can be pulled and all
the capabilities that flowed out through the membrane
would effectively be revoked. No matter what. That is,
it should not matter what capabilities are passed out
through the membrane, they should all be revoked when
the membrane is pulled.
Have I got that wrong?
The Swiss Number server (SN) is just an example of
a service that might exist on E. Of course one could
argue that it might be a bad idea, might not "compose"
with other services, etc. However, that shouldn't matter
from the perspective of the FMS. If I pass capabilities
through the FMS and then later pull the plug on the
membrane the capabilities should all be revoked.
In my attack Foo flows out and Foo is not revoked.
If others feel like David Wagner does that this is
merely a flaw in the composition of services of
this sort and is not uncommon, perhaps somebody
could give other examples of membrane violation
that would be comparable with some other services.
If I set up a membrane like this and Bob came back
to me and showed me Foo, I'd wonder how he got it.
Perhaps I'm thinking of this naively?
--Jed http://www.webstart.com/jed/