[cap-talk] the prize
clandau at macslab.com
Fri Oct 22 12:19:32 EDT 2004
At 11:38 AM +0100 10/22/04, Ian Grigg wrote:
>In practical systems, the only benefit of a "no possibility"
>result is that you have some easier risk calculations,
>as the risk in that part is zero. But, you always
>end up having to measure the risk of the entire
>system, so you only gain some reduced complexity
>(and an easy multiply by zero).
>That reduced complexity is no bad thing, but the
>notion that this should be a design goal is more
>than likely to lead the designer down dangerous
I agree that a secure mathematical model is only one tool, and that
all parts of the system need to be viewed in balance with the whole
picture. The whole picture includes security risk, functionality,
ease of use, performance, etc.
This thread started with Jed wanting to focus on one area ("secure
resource sharing within computers and across the network"). I suggest
we explore that area and then see whether we have gotten onto a
dangerous trail. So far I haven't seen any signs of danger.
>>The person who programmed the object that we are calling Alice may
>>have erred in expressing their intent, but I am putting that
>>outside the scope of discussion for now.
>And that's why this is impractical. It's not a
>robust security design if you can only make it
>secure by assuming away the real risks.
The risk that the programmer will write buggy code exists in every
system. The differentiator between designs is whether the system
makes it easier or harder for the programmer to express his/her
intent and avoid serious bugs. In my opinion, the capability model
has benefits here too.
More information about the cap-talk