[cap-talk] membrane challenge - an Attack!
David Chizmadia (JHU)
chiz at cs.jhu.edu
Thu Nov 18 03:51:35 EST 2004
Hi all,

This discussion of membranes has felt "odd" for several
messages: I think I can finally articulate why, now.

I think that the problem is that I disagree with the
perspective on who is using the membrane. I've been
modeling the membrane as a mechanism by which a server
is able to distribute revocable capabilities (of pretty
much either type) to potential users of its service.
That is, the server sets up the membrane between itself
and a user community so that if that community abuses
the capability, the server need only destroy the membrane
to sever contact with that user community. Under this
model, it is in the server's interest to ensure that
authorities to the service are fully confined via the
membrane.

Somewhere along the line, the sense of the membrane
pattern has been inverted into being a way to confine a
user of services. Given the assumption of a decentralized
protection system, this seems like a completely wrong use
of the membrane pattern (as I understand it). Involuntary
use of the membrane will lead to attempts to bypass the
membrane, which Jed has shown to be feasible.

I look forward to being educated about the flaws in
my reasoning ;-)

-DMC
----- Original Message -----
From: "David Wagner" <daw at cs.berkeley.edu>
To: <cap-talk at mail.eros-os.org>
Sent: Wednesday, November 17, 2004 8:40 PM
Subject: [cap-talk] membrane challenge - an Attack!
> Jed writes:
> >It also seems to suggest
> >something about the way people are thinking about communicating
> >revocable rights. That is the thinking seems to be not in terms of
> >communication to mutually suspicious processes but instead to
> >processes that are otherwise constrained - e.g. they can't have
> >other rights (such as SN) and perhaps even must be effectively
> >confined. That is very far from what I understood the membrane
> >concept to mean, so I'd like to reach consensus on that topic.
>
> Sure. This was always my thinking. (No guarantees that my
> thinking has been in any way sane, of course.)
>
> To be more precise, if you want to place Jim in a membrane, I believe
> you have to do at least three things:
> 1) You have to confine Jim.
> 2) You have to make sure Jim doesn't have access to any capabilities
> that aren't mediated by the membrane (or somehow cooperating with the
> membrane to enforce the membrane's security goals).
> 3) You have to make sure that Jim doesn't have access to any communication
> channels that can convey capabilities and that aren't mediated by the
> membrane (or cooperating with the membrane).
> Usually, condition 3 is a special case of condition 2, though if Jim
> is implemented on top of a password capability system it may not be.
>
> I don't see why this is so terrible. And, even if it were terrible,
> I don't see why that fact would be relevant; it just seems like an
> inevitable consequence of the nature of membranes, one that we have to
> accept no matter how terrible or wonderful it may feel.
>
> Then again, I have to admit I'm a little skeptical about the practical
> relevance of membranes -- they are very pretty in theory, but I'm not sure
> how often one can actually use them in a real system, or how often one
> would want to.
>
> Caveat (again): I'm very fuzzy on the concept of membranes,
> so hey, maybe my thinking has always been way off.
> _______________________________________________
> cap-talk mailing list
> cap-talk at mail.eros-os.org
> http://www.eros-os.org/mailman/listinfo/cap-talk
>
>
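The server-side membrane David describes above (a service handing out revocable capabilities and severing a whole user community at once), together with Wagner's condition 2, as an added example in JavaScript built on ES Proxy; this is not code from the thread, and makeMembrane, makeFileService and demo are names assumed here.

```javascript
// Added example (not from the thread): a one-directional revocable membrane
// built on ES Proxy. The server wraps the capability it hands out; every
// object or function that later crosses outward through it is wrapped too,
// so revoking the membrane severs all of them at once. Names are assumed.
function makeMembrane(target) {
  let revoked = false;
  const proxies = new WeakMap(); // one proxy per object, keeps identity stable

  function wrap(value) {
    // Primitives carry no authority; let them through untouched
    if (value === null || (typeof value !== 'object' && typeof value !== 'function')) return value;
    if (proxies.has(value)) return proxies.get(value);
    const proxy = new Proxy(value, {
      get(t, prop, receiver) {
        if (revoked) throw new Error('membrane revoked');
        return wrap(Reflect.get(t, prop, receiver)); // transitive wrapping
      },
      apply(t, thisArg, args) {
        if (revoked) throw new Error('membrane revoked');
        return wrap(Reflect.apply(t, thisArg, args)); // results are wrapped too
      },
    });
    proxies.set(value, proxy);
    return proxy;
  }
  return { gate: wrap(target), revoke() { revoked = true; } };
}

// Constructed sample service: opening a file returns a second capability
// (a handle), so the membrane must be transitive to revoke it as well.
function makeFileService() {
  const files = new Map([['readme', 'hello']]);
  return { open(name) { return { name, read: () => files.get(name) }; } };
}

function demo() {
  const svc = makeFileService();
  const m = makeMembrane(svc);
  const handle = m.gate.open('readme');         // handle crossed the membrane, so it is wrapped
  const before = handle.read();                 // 'hello'
  m.revoke();                                   // server severs contact with the community
  let severed = false;
  try { handle.read(); } catch (e) { severed = true; }
  // A reference that never crossed the membrane is unaffected: this is why
  // Wagner's condition 2 matters, every capability Jim holds must be mediated.
  const unmediated = svc.open('readme').read(); // still 'hello'
  return { before, severed, unmediated };
}
```

The proxy-based wrapping assumes ordinary configurable properties; a real membrane also wraps the inward direction and handles Proxy invariants, which this example omits.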