[cap-talk] membrane challenge - an Attack!
markm at cs.jhu.edu
Wed Nov 17 22:54:22 EST 2004
Responding just to the last part, because Jed says a bunch of stuff here that
I agree with, but that I think he may be assuming I disagree with.
Jed Donnelley wrote:
> Take a look at what comes across the wire. It can't be
> "partitioned" except in the sense of a protocol. In some
> real sense whatever comes down the wire amounts
> to capabilities as data.
> Oh sure, you can argue that operating systems should
> pick that data up right at the door and immediately turn
> it into partitioned capabilities (as did the DCCS:
> http://www.webstart.com/jed/papers/DCCS/ )
> but consider me or any hacker on their home
> computer system. They can look at the data
> coming in and play the protocol game any way
> they like. They have effectively gotten down to
> the Swiss Number (or the like) representation of
> the capabilities. They don't have to play the partitioned
> capability game. Whatever that protocol is, that's the
> *real* capability mechanism that people are depending
You can't (or shouldn't) confine people. You can't confine machines on open
networks. At the granularity of mutually suspicious machines on open networks
talking to each other by any cryptographic protocol, cap or otherwise, you
cannot distinguish rights from knowledge-of-secrets. You cannot make anything
unforgeable, only unguessable. In the terminology of
<http://www.erights.org/elib/capability/dist-confine.html>, you can't separate
"having" from "knowing".
Therefore, you can't use membranes to separate mutually suspicious machines
because, as I said early on, membranes don't work in a cap-as-data system.
Mutually suspicious machines on open networks are such a non-membrane-able system.
But we disagree on whether this argues for or against partitioned cap systems
within the nodes of such a network. I am not suspicious only of people or
foreign machines. I am also suspicious of code I locally execute, and a local
partitioned system can give me stronger properties than a cap-as-data system
can. Your own distinction between "mutual suspicion" and "protected execution"
seemed to acknowledge this. Partition is both possible and needed exactly in
those contexts where protected execution is possible.
E is built to create local islands of partitioned cap systems in a sea of
cap-as-data protocols. DCCS was on the right track ;).
Text by me above is hereby placed in the public domain
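The contrast drawn above, as an added toy model in Python (not E code and not part of the original post): a membrane wrapped around an object reference can revoke the authority it forwards, while a membrane wrapped around a Swiss-number protocol cannot, because the number crosses the wire as data that the client host can read back and replay. The class names and the "payroll" contents are constructed for the example.

```python
import secrets

def attempt(fn):
    try:
        return fn()
    except PermissionError:
        return "revoked"
# Partitioned: authority is an object reference the runtime keeps unforgeable.
class FileCap:
    def __init__(self, contents):
        self._contents = contents
    def read(self):
        return self._contents
class Membrane:  # revocable forwarder; its holder never obtains the wrapped reference
    def __init__(self, target):
        self._target, self._revoked = target, False
    def revoke(self):
        self._revoked = True
    def read(self):
        if self._revoked:
            raise PermissionError("revoked")
        return self._target.read()
def partitioned_demo():
    m = Membrane(FileCap("payroll"))
    before = m.read()
    m.revoke()
    return before, attempt(m.read)            # ("payroll", "revoked")
# Cap-as-data: authority is an unguessable Swiss number carried inside messages.
class Server:
    def __init__(self):
        self._table = {}
    def grant(self, contents):
        swiss = secrets.token_hex(16)         # unguessable, but not unforgeable
        self._table[swiss] = contents
        return swiss
    def handle(self, msg):                    # msg is ("read", swiss)
        return self._table[msg[1]]
def cap_as_data_demo():
    server, wire = Server(), []               # wire: traffic leaving the client host
    swiss, state = server.grant("payroll"), {"revoked": False}
    def via_membrane():                       # membrane running on the client's own host
        if state["revoked"]:
            raise PermissionError("revoked")
        wire.append(("read", swiss))
        return server.handle(wire[-1])
    before = via_membrane()
    captured = wire[-1][1]                    # the host owner can read its own traffic
    state["revoked"] = True
    direct = server.handle(("read", captured))   # membrane bypassed entirely
    return before, attempt(via_membrane), direct  # ("payroll", "revoked", "payroll")
```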