[cap-talk] membrane challenge - an Attack!
Jed at Webstart
donnelley1 at webstart.com
Wed Nov 17 20:23:43 EST 2004
At 10:19 AM 11/17/2004, Keith Rarick wrote:
>On Wed, 2004-11-17 at 08:31 -0500, Mark Miller wrote:
> > My apologies to all. I responded to Zooko after only skimming the previous
> > messages. The issue is simpler: MarcS' fantasy membrane is broken, exactly
> > because it enables Jed's attack, for exactly the reason I just obtusely
> > explained. Trying again....
> > ...
>I thought the original purpose of this challenge was to explore possible
>flaws in the model of a language capability system, such as E, in which
>the mutually suspicious "processes" actually share a single address
>space in the underlying system, as opposed to a capability OS that runs
>on bare metal.
Your right that was the purpose of the contest. I'm sorry for the confusion
regarding this "Attack!". I saw a target of opportunity (MarkS's membrane
implementations that happen to be written in E - hoping to get
some leverage on the capabilities as partitioned descriptors vs.
capabilities as data/network issues) and took it.
>I don't see in what way this attack is specific to E or any language
It isn't. Your right. I think I said something to that effect in the
writing of it, but it was pretty obscure. This is now the second
message trying to clarify that point.
>I think precisely the same arguments of this thread
>could be applied to an attack on any capability system able to host a
>membrane service and SN service as described here.
Yes. This attack (example) focuses on the disputing the notion that if you
have a partitioned capability as descriptor system you can focus
any filtering efforts like membranes on those partitioned capabilities
and be safe. The basic idea is to demonstrate that a capabilities
as data system can be built within a partitioned capabilities as
descriptor based system and that such data capabilities can
bypass any efforts at filtering capability communication.
>Am I making the wrong distinction between styles of capability systems?
>What am I missing?
I think you've got it right. I think perhaps the juxtaposition of the
of the language enforcement issue, the contest, and then this Attack!
example (all with me involved) naturally suggested that the Attack!
was a submission for the contest. As I pointed out in the initial Attack!
message, it is not. It's touching on an orthogonal issue, but one that
has been discussed on this list many times and came up again when
I started looking at MarcS's membrane software (incidentally written
More information about the cap-talk