[cap-talk] membrane challenge - an Attack!

Hal Finney hal at finney.org
Wed Nov 17 13:26:25 EST 2004


It helps to draw a diagram to see what is happening.  Let ... dotted
lines represent a membrane.  You will need a monospaced font to see
what is being represented.

We could put Bob inside a membrane:


         .............
         .           .
         .    Bob    .                     Resources
         .           .
         .............


But I don't think that is what we are talking about here.  I think we
want to take some resources and wrap a membrane around them:


                                     ...............
                                     .             .
             Bob                     .  Resources  .
                                     .             .
                                     ...............


Now we could add a Serial Number (SN) server outside the membrane:


                                     ...............
                      SN             .             .
                                     .  Resources  .
             Bob                     .             .
                                     ...............

I don't think that breaks anything.  Or we could put an SN server
inside the membrane:

                                     ...............
                                     .             .
                                     .     SN      .
             Bob                     .             .
                                     .             .
                                     .  Resources  .
                                     .             .
                                     ...............

That doesn't break anything either.

In Jed's description, he talked about FMCSN, which was a capability
Bob held to SN which WAS mediated by the membrane.  That is no problem.
But as others have pointed out, he also assumed that Bob "independently"
had a direct capability to SN.  How did he get that?  If SN is inside
the membrane, it should not be possible for the capability to escape in
any form other than FMCSN.

If we assume that capabilities can escape the membrane, then of course the
membrane's security properties will not hold.  You don't even need SN,
you could just postulate that a capability to the Resources has escaped
the membrane and let Bob get hold of it, in order to apparently show
a violation.

Hal
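
The membrane argument above, shown as an added example that is not part of Hal's post or the cap-talk thread: a minimal revocable membrane built from JavaScript Proxies, with Resources and the SN server inside and Bob holding only a wrapped reference (his FMCSN). The names makeMembrane, makeSerialNumberServer and runScenario are assumed for this illustration, and the membrane is simplified to one direction (inside to outside, no unwrapping of arguments Bob passes in).

```javascript
// Added illustration (hypothetical names, not from the thread): every object
// Bob reaches through the membrane is itself wrapped, so the raw SN never
// escapes; revoking the membrane cuts Bob off while insiders keep using SN.
// Simplification: inside -> outside only; arguments from Bob are not unwrapped.
function makeMembrane(root) {
  let revoked = false;
  const wrappers = new WeakMap(); // one wrapper per inner object (stable identity)

  function wrap(value) {
    // primitives carry no authority, so they cross unchanged
    if (value === null || (typeof value !== 'object' && typeof value !== 'function')) return value;
    if (wrappers.has(value)) return wrappers.get(value);
    const proxy = new Proxy(value, {
      get(target, prop) {
        if (revoked) throw new Error('membrane revoked');
        return wrap(Reflect.get(target, prop)); // anything reached is wrapped too
      },
      apply(target, thisArg, args) {
        if (revoked) throw new Error('membrane revoked');
        return wrap(Reflect.apply(target, thisArg, args)); // results are wrapped too
      },
    });
    wrappers.set(value, proxy);
    return proxy;
  }
  return { wrapped: wrap(root), revoke: () => { revoked = true; } };
}

// SN server as a closure so it does not depend on `this`
function makeSerialNumberServer() {
  let counter = 0;
  return { next() { counter += 1; return counter; } };
}

function runScenario() {
  const sn = makeSerialNumberServer();
  const resources = { sn };                               // inside the membrane
  const { wrapped: bobsView, revoke } = makeMembrane(resources);
  const first = bobsView.sn.next();                      // Bob uses FMCSN: 1
  const holdsRawSn = bobsView.sn === sn;                 // false: raw SN never crosses
  const stableWrapper = bobsView.sn === bobsView.sn;     // true: same wrapper each time
  revoke();                                              // membrane cuts Bob off
  let afterRevoke;
  try { bobsView.sn.next(); afterRevoke = 'allowed'; } catch (e) { afterRevoke = e.message; }
  const insideStillWorks = sn.next();                    // 2: insiders are unaffected
  return { first, holdsRawSn, stableWrapper, afterRevoke, insideStillWorks };
}
```

The only way for Bob to hold an unwrapped SN is for someone to hand it across outside the membrane, which is exactly the assumption the post says would defeat the membrane.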

