[cap-talk] the prize
Charles Landau
clandau at macslab.com
Fri Oct 22 12:19:32 EDT 2004
At 11:38 AM +0100 10/22/04, Ian Grigg wrote:
>In practical systems, the only benefit of a "no possibility"
>result is that you have some easier risk calculations,
>as the risk in that part is zero. But, you always
>end up having to measure the risk of the entire
>system, so you only gain some reduced complexity
>(and an easy multiply by zero).
>
>That reduced complexity is no bad thing, but the
>notion that this should be a design goal is more
>than likely to lead the designer down dangerous
>trails

I agree that a secure mathematical model is only one tool, and that
all parts of the system need to be viewed in balance with the whole
picture. The whole picture includes security risk, functionality,
ease of use, performance, etc.
This thread started with Jed wanting to focus on one area ("secure
resource sharing within computers and across the network"). I suggest
we explore that area and then see whether we have gotten onto a
dangerous trail. So far I haven't seen any signs of danger.

>>The person who programmed the object that we are calling Alice may
>>have erred in expressing their intent, but I am putting that
>>outside the scope of discussion for now.
>
>And that's why this is impractical. It's not a
>robust security design if you can only make it
>secure by assuming away the real risks.

The risk that the programmer will write buggy code exists in every
system. The differentiator between designs is whether the system
makes it easier or harder for the programmer to express his/her
intent and avoid serious bugs. In my opinion, the capability model
has benefits here too.