[cap-talk] membrane challenge - an Attack! SNFoo == Foo
Karp, Alan H
alan.karp at hp.com
Thu Nov 18 17:20:55 EST 2004
Jed Donnelley wrote:
> Note - Alice doesn't give Foo to SN, Bob gives Foo to
> SN through the membrane. However, that isn't what
> I see as significant. As has been pointed out elsewhere,
> if Alice and Bob shared a directory that Alice passed through
> the membrane to Bob then Bob could insert Foo into
> that directory (again through the fantasy membrane) and
> end up seeing the real Foo when looking through his own
> capability to the directory.
Aah. The light bulb, though dim, is coming on. The problem is that Bob
has both FMCSN and SNC. Bob uses FMCSN to insert FMCfoo, which appears
in the table as Foo. He then uses SN to extract Foo. Is that right?
I would say that in this case, Alice has made a mistake in letting
requests to the SN server pass through the membrane. I see that as a
flaw in Alice's use of the membrane, not the membrane itself. I agree
with your argument that such mistakes are easy to make, but they are
If there was no such capability as FMCSN, all Bob could put in and
retrieve would be FMCfoo. Bob could insert and retrieve FMCfoo as many
times as he likes without increasing the number of entries.
Alternatively, if Alice tightly controlled SNC so that she held the only
copy or didn't even provide such a service, there would be no problem.
Virus Safe Computing Initiative
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
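To make the scenario in this reply concrete, here is an added example in Python (not code from the thread or from anyone on it) of a minimal identity-preserving membrane, using the post's names: FMCSN is SN seen through the membrane, SNC is a direct capability to SN, FMCfoo is Foo seen through the membrane. The Membrane, Directory and Foo classes are my assumptions about what those stand for; the function at the end replays the attack and then the fix of not letting Bob hold SNC.

```python
class Proxy:
    """Membrane-side stand-in: forwards calls, unwrapping args, wrapping results."""
    def __init__(self, membrane, target):
        self._m, self._t = membrane, target
    def __getattr__(self, name):
        attr = getattr(self._t, name)
        if not callable(attr):
            return self._m.wrap(attr)
        return lambda *a: self._m.wrap(attr(*(self._m.unwrap(x) for x in a)))


class Membrane:
    """Identity-preserving wrap/unwrap tables (an assumed minimal design)."""
    def __init__(self):
        self._out = {}   # id(real)  -> proxy
        self._in = {}    # id(proxy) -> real

    def wrap(self, obj):
        if obj is None or isinstance(obj, (str, int, bool, Proxy)):
            return obj                      # data and existing proxies pass as-is
        if id(obj) not in self._out:
            p = Proxy(self, obj)
            self._out[id(obj)], self._in[id(p)] = p, obj
        return self._out[id(obj)]

    def unwrap(self, obj):
        return self._in.get(id(obj), obj)   # a proxy crossing inward becomes real


class Directory:
    """SN: the shared name service; it stores whatever capability it is given."""
    def __init__(self):
        self._table = {}
    def insert(self, name, cap):
        self._table[name] = cap
    def lookup(self, name):
        return self._table[name]


class Foo:
    pass


def bob_gets_real_foo(bob_holds_snc):
    """Replay the thread's scenario; True means Bob ended up with the real Foo."""
    foo, sn, membrane = Foo(), Directory(), Membrane()
    fmc_sn = membrane.wrap(sn)      # FMCSN: Alice let requests to SN cross the membrane
    fmc_foo = membrane.wrap(foo)    # FMCfoo: the only Foo Bob should ever see
    fmc_sn.insert("Foo", fmc_foo)   # the membrane unwraps it, so SN's table holds real Foo
    if bob_holds_snc:               # SNC: a direct, unmembraned capability to SN
        return sn.lookup("Foo") is foo          # True: SNFoo == Foo
    return fmc_sn.lookup("Foo") is foo          # False: he only gets FMCfoo back
```

Without SNC, Bob can insert and look up through FMCSN as often as he likes and always receives the same FMCfoo proxy, which is the "no increase in entries" behaviour the reply describes.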