[cap-talk] membrane challenge - an Attack!
Karp, Alan H
alan.karp at hp.com
Wed Nov 17 12:56:24 EST 2004
First of all, let me make it clear that Jed's attack, even if it is
valid, doesn't qualify for the $100. It attacks a particular piece of
code written in E, but no one has claimed that you can't write insecure
code in E. The prize is for showing a failure of language based control
Second, I don't think Jed's attack is valid. The critical flaw in the
argument is that Bob "independently has a capability to the SN server".
This capability (SNC) is a hole in the membrane. It effectively puts
the SN server inside the membrane for FMCfoo and outside for SNC.
Straddling the membrane in this way defeats the whole purpose of
building a membrane in the first place.
You've got to be careful even if references to the SN server pass
through the membrane. For example, passing SNC to David via a different
membrane can allow Bob to violate revocation. I believe you've got to
have a different SN server for each membrane in order to be able to
permanently revoke an authority.
Virus Safe Computing Initiative
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Karp, Alan H.vcf
Size: 433 bytes
Desc: Karp, Alan H.vcf
Url : http://www.eros-os.org/pipermail/cap-talk/attachments/20041117/891587e9/KarpAlanH.vcf
More information about the cap-talk