[cap-talk] membrane challenge - an Attack!
David Chizmadia (JHU)
chiz at cs.jhu.edu
Thu Nov 18 03:51:35 EST 2004
This discussion of membranes has felt "odd" for several
messages: I think I can finally articulate why, now.
I think that the problem is that I disagree with the
perspective on who is using the membrane. I've been
modeling the membrane as a mechanism by which a server
is able to distribute revocable capabilities (of pretty
much either type) to potential users of its service.
That is, the server sets up the membrane between itself
and a user community so that if that community abuses
the capability, the server need only destroy the membrane
to sever contact with that user community. Under this
model, it is in the server's interest to ensure that
authorities to the service are fully confined via the
Somewhere along the line, the sense of the membrane
pattern has been inverted into being a way to confine a
user of services. Given the assumption of a decentralized
protection system, this seems like a completely wrong use
of the membrane pattern (as I understand it). Involuntary
use of the membrane will lead to attempts to bypass the
membrane, which Jed has shown to be feasible.
I look forward to being educated about the flaws in
my reasoning ;-)
----- Original Message -----
From: "David Wagner" <daw at cs.berkeley.edu>
To: <cap-talk at mail.eros-os.org>
Sent: Wednesday, November 17, 2004 8:40 PM
Subject: [cap-talk] membrane challenge - an Attack!
> Jed writes:
> >It also seems to suggest
> >something about the way people are thinking about communicating
> >revocable rights. That is the thinking seems to be not in terms
> >communication to mutually suspicious processes but instead to
> >processes that are otherwise constrained - e.g. they can't have
> >other rights (such as SN) and perhaps even must be effectively
> >confined. That is very far from what I understood the membrane
> >concept to mean, so I'd like to reach consensus on that topic.
> Sure. This was always my thinking. (No guarantees that my
> thinking has been in any way sane, of course.)
> To be more precise, if you want to place Jim in a membrane, I
> you have to do at least three things:
> 1) You have to confine Jim.
> 2) You have to make sure Jim doesn't have access to any
> that aren't mediated by the membrane (or somehow cooperating with
> membrane to enforce the membrane's security goals).
> 3) You have to make sure that Jim doesn't have access to any
> channels that can convey capabilities and that aren't mediated by
> membrane (or cooperating with the membrane).
> Usually, condition 3 is a special case of condition 2, though if
> is implemented on top of a password capability system it may not
> I don't see why this is so terrible. And, even if it were
> I don't see why that fact would be relevant; it just seems like an
> inevitable consequence of the nature of membranes, one that we
> accept no matter how terrible or wonderful it may feel.
> Then again, I have to admit I'm a little skeptical about the
> relevance of membranes -- they are very pretty in theory, but I'm
> how often one can actually use them in a real system, or how often
> would want to.
> Caveat (again): I'm very fuzzy on the concept of membranes,
> so hey, maybe my thinking has always been way off.
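The membrane as described above, where a server distributes revocable capabilities and severs contact with a whole user community by destroying the membrane, as an added example written for this page rather than code from the cap-talk thread: a minimal ES Proxy membrane that wraps everything crossing in either direction (arguments, return values, method receivers), so one `revoke()` kills every reference the user holds. The `service`, `ledger` and "Jim" names are constructed for the demo.

```javascript
// Added example, not code from the cap-talk thread: a minimal revocable
// membrane on ES Proxy. The server wraps the capability it hands out, and
// anything that later crosses the membrane (return values, arguments, the
// receiver of a method call) is wrapped too, so revoke() severs all of it.
function makeMembrane(root) {
  let revoked = false;
  const wrappers = new WeakMap(); // target -> proxy, so identity is preserved
  const targets = new WeakMap();  // proxy -> target, to unwrap on the way back
  const gate = () => { if (revoked) throw new Error('membrane revoked'); };

  function wrap(obj) {
    // Primitives carry no authority, so they pass through unchanged.
    if (obj === null || (typeof obj !== 'object' && typeof obj !== 'function')) return obj;
    if (targets.has(obj)) return targets.get(obj);   // one of ours crossing back
    if (wrappers.has(obj)) return wrappers.get(obj);
    const proxy = new Proxy(obj, {
      get(t, key) { gate(); return wrap(Reflect.get(t, key)); },
      set(t, key, value) { gate(); return Reflect.set(t, key, wrap(value)); },
      apply(t, self, args) {
        gate();
        return wrap(Reflect.apply(t, wrap(self), args.map(wrap)));
      },
    });
    wrappers.set(obj, proxy);
    targets.set(proxy, obj);
    return proxy;
  }
  return { proxy: wrap(root), revoke: () => { revoked = true; } };
}

// Constructed scenario (hypothetical names): the server hands "Jim" one
// revocable capability, Jim obtains a second one through it, then revocation.
function demo() {
  let balance = 100;
  const service = {
    ledger: { balance() { return balance; } },
    transfer(amount) { balance -= amount; return this.ledger.balance(); },
  };
  const { proxy: jimService, revoke } = makeMembrane(service);
  const jimLedger = jimService.ledger;            // crossed the membrane later
  const afterTransfer = jimService.transfer(30);  // 70
  const seenBalance = jimLedger.balance();        // 70
  revoke(); // server destroys the membrane: every wrapped reference dies at once
  let severed = false;
  try { jimLedger.balance(); } catch (e) { severed = true; }
  // A reference that never went through the membrane is untouched, which is
  // why the server must ensure all of Jim's access is mediated by it.
  return { afterTransfer, seenBalance, severed, directStillWorks: service.ledger.balance() === 70 };
}
```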