[cap-talk] membrane challenge - an Attack! SNFoo == Foo

Karp, Alan H alan.karp at hp.com
Thu Nov 18 18:23:01 EST 2004


Jed Donnelley wrote:
> 
> I wonder if I can clarify my position by considering another
> simple case and comparing it to the attack.  Suppose the
> resource that Alice passed to Bob through the membrane
> was a file.  In the file is the following text:
> 
> ssh:dns=myhost.mydns.com:user=jed:password=dontbelieveit
> 
> Now Bob reads that data through the membrane.  Works fine,
> right?  Then Bob connects to myhost and logins in as me,
> exercising the right that he extracted through the membrane.
> 
 
I think I know what you're trying to say, but I don't find this example
convincing.  Presumably, Jed does not want Bob to be able to login as
Jed.  Hence, Jed has made a mistake by giving Bob that capability.  He
might just as well have sent Bob his private key.  We must try to
minimize the likelihood of human error in a real system, but I believe
it is beyond the scope of this discussion.  Second, Jed may not have
given Bob sufficient information to harm him.  For example,
myhost.mydns.com might be behind Jed's firewall, so Bob can't connect to
myhost.  In other words, the string may not convey the authority to make
the connection.
 
The purpose of the membrane is to enforce Alice's intent to be able to
revoke authorities passed through it.  The membrane does no good if
Alice chooses to bypass the membrane, either by sending capabilities
directly or by sending data that can be used to exercise rights.  In the
original attack, Alice is allowing the membrane to be breached by using
an SN server that has references to the SN server pass both through the
membrane and around it.
 
________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
https://ecardfile.com/id/Alan_Karp
http://www.hpl.hp.com/personal/Alan_Karp


-------------- next part --------------
A non-text attachment was scrubbed...
Name: Karp, Alan H.vcf
Type: text/x-vcard
Size: 433 bytes
Desc: Karp, Alan H.vcf
Url : http://www.eros-os.org/pipermail/cap-talk/attachments/20041118/fb7e15d9/KarpAlanH.vcf


More information about the cap-talk mailing list