[cap-talk] membrane challenge - an Attack! - discussion

Bill Frantz frantz at pwpconsult.com
Wed Nov 17 14:27:49 EST 2004 

There are a number of reasons we should proceed with caution when making
statements about membranes:

* As far as I know, there are no real, time-tested examples of the
membrane pattern.  In addition, there is no theoretical base for them.
As such, we don't really know what they can and can't do.

* As far as I know, this group is the first to try to reason about
authority, as compared with permission.  Again, I don't think we have
either strong intuitions or theory to guide us.


The KeyKOS MLS design used a form of membrane to separate the
compartments.  This membrane was the interface between a single-level
compartment, and the larger system directory.  It examined the
capabilities passing over the interface and only permitted them to pass
if: (1) The MLS labels on the objects permitted the transfer, and (2)
the objects were manifestly sensory[1].I don't think any of the
discussion of membrane function effects a membrane with these
specifications.

The membranes we are discussing are much more complex membranes, and we
aren't being clear about their specifications.  For example, MarkM
contends that allowing a time-limiting membrane to manipulate
capabilities which aren't time-limited is broken.  If this is a design
principle, then we also must examine any time-limited object which
allows a change in authority.  A Unix style directory that permitted
"mv" to change authority would be an example.

On the other hand, Jed thinks that the effects of manipulations through
time-limited membranes should persist after those membranes are
destroyed.  We need to think clearly about just what these membranes are
supposed to do.


Some questions to ask are:

* Is keeping the E language "makeSturdyRef" function inaccessible
through membranes sufficient to keep the CapTP system from leaking
time-unlimited authority around a time-limiting membrane?

* What kind of objects and structures of objects does it make sense to
use with time-limiting membranes?

* What other kinds of policy do we think the membrane pattern should
enforce?


[1] Manifestly sensory is a weaker version of the E concept of "deep
frozen".  A deep frozen object can't be changed.  A sensory object can't
be changed through the sensory path.  For example, a read-only page key
is sensory.  However if there exists a read-write page key in the
system, that key can be used to change the contents of the page.

-------------------------------------------------------------------------
Bill Frantz        | gets() remains as a monument   | Periwinkle 
(408)356-8506      | to C's continuing support of   | 16345 Englewood Ave
www.pwpconsult.com | buffer overruns.               | Los Gatos, CA 95032

More information about the cap-talk mailing list