[cap-talk] membrane challenge - an Attack!

Mark Miller markm at cs.jhu.edu
Wed Nov 17 22:54:22 EST 2004

Responding just to the last part, because Jed says a bunch of stuff here that 
I agree with, but that I think he may be assuming I disagree with.

Jed Donnelley wrote:
> Take a look at what comes across the wire.  It can't be
> "partitioned" except in the sense of a protocol.  In some
> real sense whatever comes down the wire amounts
> to capabilities as data.
> Oh sure, you can argue that operating systems should
> pick that data up right at the door and immediately turn
> it into partitioned capabilities (as did the DCCS:
> http://www.webstart.com/jed/papers/DCCS/ )
> but consider me or any hacker on their home
> computer system.  They can look at the data
> coming in and play the protocol game any way
> they like.  They have effectively gotten down to
> the Swiss Number (or the like) representation of
> the capabilities.  They don't have to play the partitioned
> capability game.  Whatever that protocol is, that's the
> *real* capability mechanism that people are depending
> on.
You can't (or shouldn't) confine people. You can't confine machines on open 
networks. At the granularity of mutually suspicious machines on open networks 
talking to each other by any cryptographic protocol, cap or otherwise, you 
cannot distinguish rights from knowledge-of-secrets. You cannot make anything 
unforgeable, only unguessable. In the terminology of 
<http://www.erights.org/elib/capability/dist-confine.html>, you can't separate 
"having" from "knowing".

Therefore, you can't use membranes to separate mutually suspicious machines 
because, as I said early on, membranes don't work in a cap-as-data system. 
Mutually suspicious machines on open networks are such a non-membrane-able system.

But we disagree on whether this argues for or against partitioned cap systems 
within the nodes of such a network. I am not suspicious only of people or 
foreign machines. I am also suspicious of code I locally execute, and a local 
partitioned system can give me stronger properties than a cap-as-data system 
can. Your own distinction between "mutual suspicion" and "protected execution" 
seemed to acknowledge this. Partition is both possible and needed exactly in 
those contexts where protected execution is possible.

E is built to create local islands of partitioned cap systems in a sea of 
cap-as-data protocols. DCCS was on the right track ;).

Text by me above is hereby placed in the public domain
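The having-versus-knowing distinction above can be made concrete in code. The sketch below is an added illustration, not code from this message, from E, or from DCCS; the names `Counter`, `make_membrane` and `SwissRegistry` are my own. It wraps an object reference in a revocable membrane (a partitioned capability: the raw reference never crosses the boundary, so revoking the proxy really cuts the holder off), then wraps a Swiss-number registry in the same membrane and shows that revocation is pointless there, because the number itself is the authority and anyone who has seen it can present it to the real registry. The registry stands in for a remote node that honours any correct number that arrives on the wire.

```python
"""Membranes over partitioned (object) capabilities vs. capabilities as data.

Constructed illustration (not from the original post): a membrane around an
object reference can be revoked because the reference never leaks; a
membrane around a Swiss-number registry cannot stop anyone who has copied
the number, because in a cap-as-data system "having" is "knowing".
"""
import secrets


class Counter:
    """Some object whose authority we hand out."""

    def __init__(self):
        self.n = 0

    def incr(self):
        self.n += 1
        return self.n


class RevokedError(Exception):
    pass


def make_membrane(target):
    """Return (proxy, revoke).

    The proxy forwards to `target` until revoke() is called.  Objects that
    cross the boundary in either direction are wrapped by the same membrane,
    so a holder of the proxy never obtains the underlying reference.
    """
    alive = [True]

    class Proxy:
        def __init__(self, obj):
            object.__setattr__(self, "_obj", obj)

        def __getattr__(self, name):
            if not alive[0]:
                raise RevokedError(name)
            value = getattr(object.__getattribute__(self, "_obj"), name)
            if callable(value):
                def forwarder(*args, **kwargs):
                    if not alive[0]:
                        raise RevokedError(name)
                    return wrap(value(*args, **kwargs))
                return forwarder
            return wrap(value)

    def wrap(value):
        # Plain data carries no authority; anything else is wrapped.
        if isinstance(value, (int, float, str, bytes, bool, type(None))):
            return value
        return Proxy(value)

    def revoke():
        alive[0] = False

    return Proxy(target), revoke


def demo_partitioned():
    """Partitioned capability: after revoke() the holder has nothing usable."""
    counter = Counter()
    proxy, revoke = make_membrane(counter)
    before = proxy.incr()            # works through the membrane
    revoke()
    try:
        proxy.incr()
        cut_off = False
    except RevokedError:
        cut_off = True
    return before, cut_off, counter.n   # (1, True, 1)


class SwissRegistry:
    """Capability as data: an unguessable number designates the object."""

    def __init__(self):
        self._table = {}

    def register(self, obj):
        swiss = secrets.token_hex(16)   # unguessable, but not unforgeable
        self._table[swiss] = obj
        return swiss

    def lookup(self, swiss):
        return self._table[swiss]


def demo_cap_as_data():
    """The gate can be revoked, but the copied number still resolves."""
    registry = SwissRegistry()
    swiss = registry.register(Counter())
    gated, revoke = make_membrane(registry)
    gated.lookup(swiss).incr()       # use the object once via the gate
    copied = str(swiss)              # what "comes across the wire"
    revoke()
    try:
        gated.lookup(copied)
        gate_blocks = False
    except RevokedError:
        gate_blocks = True
    # Knowledge of the number is the authority; the gate was never in the way.
    still_works = registry.lookup(copied).incr()
    return gate_blocks, still_works  # (True, 2)
```

In `demo_partitioned` there is no secret for the holder to remember: the only thing they ever held was the proxy, and once it is revoked the underlying `Counter` is unreachable. In `demo_cap_as_data` the membrane faithfully wraps the registry, yet the Swiss number passes through it as ordinary data, and whoever has those bits can bypass the gate entirely. That is the sense in which membranes do not work in a cap-as-data system, and why a local partitioned system can offer a property the wire protocol cannot.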