[cap-talk] membrane challenge - an Attack! SNFoo == Foo

Jed at Webstart donnelley1 at webstart.com
Fri Nov 19 17:48:28 EST 2004


At 09:59 AM 11/19/2004, Karp, Alan H wrote:
>Jed Donnelley wrote:
> >
> > As with the ssh 'capability' above (which is an example of a right
> > with global accessibility) my thinking on the SN server was that
> > it was a globally available service.  E.g. imagine it somewhat like
> > the Andrew file system or the like where the communication to
> > the service can happen anywhere.  What's important (as with the
> > ssh example) is that which guarantees the right - in that case the
> > Swiss Number.
>
>I believe that Alice's mistake is creating a membraned capability to the
>SN server.  There's no reason she must do that.  She can store FMCfoo in
>the SN server by using SNC to send Foo through the membrane.  In a
>picture, Alice keeps the SN server on Bob's side of the membrane.

Remember, Alice might not even know that she's creating a membraned
capability to the SN server.  The job of the membrane mechanism is to
membrane any capabilities (for future revocation) that it finds attempting
to pass across the membrane boundary.  So, for example, in the case
Alice gave Bob a membraned capability to the D directory that contained
Foo and SN, it was the automated membrane mechanism that properly
membraned Foo when Bob fetched it and I argue just as properly membraned
SN when Bob fetched it.

I maintain the base problem is the inability of the membrane to recognize
SNFoo for the capability that it is.

--Jed http://www.webstart.com/jed/ 