[cap-talk] membrane challenge - an Attack!

[Jed Donnelley]

At 09:56 AM 11/17/2004, Karp, Alan H wrote:
>First of all, let me make it clear that Jed's attack, even if it is
>valid, doesn't qualify for the $100.

You had made that clear previously and I restated it in the original
"Attack!" message where I said, "I'm of course not doing
so to "win" anything, but to illustrate a point..."

>It attacks a particular piece of code written in E,

I think the attack is doing a bit more than attacking a particular
piece of code written in E.  As you may have noted there is no
reference to the E code in the attack  I believe the attack is
probing somewhat deeper, perhaps as much into the notion of
a membrane, but I hope also at the basic notion of capabilities.

>but no one has claimed that you can't write insecure
>code in E.  The prize is for showing a failure of language based control
>of rights.

Right.  This attack has nothing to do with the issue of language
based enforcement of rights.  It just occurred to me when I saw
MarcS's "membrane" implementations for his class.

>Second, I don't think Jed's attack is valid.  The critical flaw in the
>argument is that Bob "independently has a capability to the SN server".
>This capability (SNC) is a hole in the membrane.  It effectively puts
>the SN server inside the membrane for FMCfoo and outside for SNC.
>Straddling the membrane in this way defeats the whole purpose of
>building a membrane in the first place.

I don't agree.  The above is somewhat like the argument that David
Wagner raised.  Please see my responses to his message.  If
membranes are only effective when a destination for a revokable
membrane capability is confined by the source of membraned
capability then I would say that membranes have very limited
uses indeed.

>You've got to be careful even if references to the SN server pass
>through the membrane.  For example, passing SNC to David via a different
>membrane can allow Bob to violate revocation.  I believe you've got to
>have a different SN server for each membrane in order to be able to
>permanently revoke an authority.

I'm glad at least that we're having this discussion.  If somehow the
nature of the revocable rights that are passed to Bob or other rights
that Bob has can invalidate the revocability of capabilities passed through
a membrane then at least it seems to place what seem to me
severe limits on what on can expect of a membrane and perhaps
even revocable capabilities in general.  It also seems to suggest
something about the way people are thinking about communicating
revocable rights.  That is the thinking seems to be not in terms of
communication to mutually suspicious processes but instead to
processes that are otherwise constrained - e.g. they can't have
other rights (such as SN) and perhaps even must be effectively
confined.  That is very far from what I understood the membrane
concept to mean, so I'd like to reach consensus on that topic.

--Jed http://www.webstart.com/jed/