[cap-talk] membrane challenge - an Attack!

Jed Donnelley jed at nersc.gov
Wed Nov 17 22:17:45 EST 2004

At 05:40 PM 11/17/2004, David Wagner wrote:
>Jed writes:
> >It also seems to suggest
> >something about the way people are thinking about communicating
> >revocable rights.  That is, the thinking seems to be not in terms of
> >communication to mutually suspicious processes but instead to
> >processes that are otherwise constrained - e.g. they can't have
> >other rights (such as SN) and perhaps even must be effectively
> >confined.  That is very far from what I understood the membrane
> >concept to mean, so I'd like to reach consensus on that topic.
>Sure.  This was always my thinking.  (No guarantees that my
>thinking has been in any way sane, of course.)
>To be more precise, if you want to place Jim in a membrane, I believe
>you have to do at least three things:
>  1) You have to confine Jim.
>  2) You have to make sure Jim doesn't have access to any capabilities
>  that aren't mediated by the membrane (or somehow cooperating with the
>  membrane to enforce the membrane's security goals).
>  3) You have to make sure that Jim doesn't have access to any communication
>  channels that can convey capabilities and that aren't mediated by the
>  membrane (or cooperating with the membrane).
>Usually, condition 3 is a special case of condition 2, though if Jim
>is implemented on top of a password capability system it may not be.

I just went into great detail as to why I see a distinction between
what you describe above (more like what Systrace is doing,
encapsulating or confining a process that one is running an
executable in) vs. the more general case of requiring that any
communication of rights through parameters that have been
sent to a mutually suspicious process must be revocable.
That message is here:


If you can go through that admitted tome with understanding
then I'm sure you will understand the distinction between
what I am referring to as a membrane (please, please somebody
correct me if I have the terminology wrong for what I now hope
I have made painfully clear) and the sort of encapsulation
or confinement that you are referring to.

>I don't see why this is so terrible.

There's nothing terrible about it.  It's even useful.  More useful
than membranes in general I would say.  It just isn't what I
understand a membrane to be and isn't what I was attacking
to illustrate my point.

Let me illustrate where I see the value of something like a
membrane.  Suppose your bank says that to transfer funds
you need to send it a capability to a directory that contains
thus and such (I'm stretching the example I accept).  The
bank claims that it will only use the directory temporarily
to fetch what it needs, perhaps reading out identifying
information, and then it will throw away the capabilities that
you sent to it - after of course effecting the funds transfer.

You happen to have a directory organized just the way the
bank needs it, *but* you don't want to trust the bank to
actually throw away the directory capability (and any
capabilities that might be in it) after the operation is

This is the sort of situation where I believe a "membrane"
can be useful.  You want to be able to send the directory
to the bank and get your funds transfer done, *but* you
don't want to allow the bank any long term access to
that directory or to anything in it.

Of course (!) in this case you can't wrap a balloon
around the bank.  That bank communicates with
thousands of other customers.  It has access to
data that, thankfully, you and I don't have access to.

Still, you want to be able to cut off its rights to the
objects you had to send it capabilities to.

How do you do it?  Answer: a membrane.

>And, even if it were terrible,
>I don't see why that fact would be relevant; it just seems like an
>inevitable consequence of the nature of membranes, one that we have to
>accept no matter how terrible or wonderful it may feel.
>Then again, I have to admit I'm a little skeptical about the practical
>relevance of membranes -- they are very pretty in theory, but I'm not sure
>how often one can actually use them in a real system, or how often one
>would want to.
>Caveat (again): I'm very fuzzy on the concept of membranes,
>so hey, maybe my thinking has always been way off.

I think so in this case - though I'm willing to hear otherwise.
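As an added illustration that is not part of this thread or its authors' code: a Proxy-based sketch in JavaScript of the membrane in Jed's bank scenario. The bank cannot be confined, so instead the directory capability it receives is a wrapper, and everything reachable through that wrapper is wrapped too, so a single revoke() after the transfer cuts the bank off from the directory and from any capability it copied out of it. makeMembrane, bankTransfer and the directory shape are hypothetical, chosen only for this example.

```javascript
// Added example, not code from the cap-talk thread: a one-way revocable
// membrane around a "directory" capability, as in Jed's bank scenario.
// Anything reached through the wrapped directory is itself wrapped, so one
// revoke() cuts off the bank's access to the directory and everything in it.
// The directory and bank shapes below are constructed, not any real API.
function makeMembrane(root) {
  let revoked = false;
  function wrap(target) {
    // Primitives carry no authority, so they cross the membrane unchanged.
    if (target === null || (typeof target !== "object" && typeof target !== "function")) {
      return target;
    }
    return new Proxy(target, {
      get(t, prop) {
        if (revoked) throw new Error("membrane revoked");
        const value = Reflect.get(t, prop, t);
        // Bind methods to the real target, then wrap them so calls through the
        // membrane are also revocable and their results are wrapped in turn.
        return wrap(typeof value === "function" ? value.bind(t) : value);
      },
      apply(t, _thisArg, args) {
        if (revoked) throw new Error("membrane revoked");
        return wrap(Reflect.apply(t, undefined, args));
      },
      set() { throw new Error("membrane is read-only"); },
    });
  }
  return { wrapped: wrap(root), revoke() { revoked = true; } };
}

// Constructed sample directory: the bank legitimately needs the id file, but
// the directory also holds a capability you never meant the bank to keep.
const secret = { read: () => "top secret" };
const directory = { id: { read: () => "customer-42" }, private: { secret } };

// A misbehaving bank: does the transfer, but also squirrels away a capability.
function bankTransfer(dir) {
  return { id: dir.id.read(), kept: dir.private.secret };
}

function demo() {
  const { wrapped, revoke } = makeMembrane(directory);
  const result = bankTransfer(wrapped);
  const during = result.kept.read();            // usable while the transfer runs
  revoke();                                     // transfer done: cut everything off
  let after;
  try { after = result.kept.read(); } catch (e) { after = e.message; }
  return { id: result.id, leakedReal: result.kept === secret, during, after };
}
```

The bank only ever holds proxies (leakedReal is false), so the authority it squirrelled away dies with the revoke; a full two-way membrane would also wrap values flowing back from the bank, which this one-way sketch omits.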
