[cap-talk] automatic policy embodiment and enforcement - hope?

Jed Donnelley jed at nersc.gov
Tue Sep 21 15:47:06 EDT 2004


At 07:21 PM 9/20/2004, David Wagner wrote:
>Marc Stiegler writes:
> >> Pragmatically, I think the right question is probably "What
> >> is the smallest delta to POSIX that leads to a survivable
> >> architecture?"
> >
> >Since the smallest delta to POSIX is large enough to break every
> >meaningful application in history, [...]
>
>Hmm.  Well, I don't know.  It depends how high a standard of perfection
>you ask for.  Capabilities research is aiming to find The Right Way to
>build secure systems, and that might indeed involve breaking every app.
>But, there are also research projects that aim for Best-Effort Pretty
>Good Security, as good as you can get without breaking legacy apps.
>Projects like SELinux or Systrace are obvious examples of the latter
>approach; they're far from perfect, and wouldn't live up to the standards
>of this crowd, but they're also darn well better than stock Unix, and
>they can be applied to many existing apps.  In any case, it seems to me
>that both styles of research are worth pursuing.

I agree with this.  We use software like the GRSecurity patches:

http://www.grsecurity.net/

to patch Linux because they make some (perhaps relatively minor)
security/integrity improvements at relatively little cost - e.g. in
terms of interfaces.  We find that even with such simple patches
we need to do considerable testing to vet the patch and its levels
and options to ensure it doesn't break relevant applications as it
is wont to do.

However, what's really sad to me is that the principle of least access
rights management (which is in some sense the best one can do
in terms of communication across domains) is so easy to build
into a system if it's built in from the beginning.  I personally think it
quite clear that the capability paradigm is the best way that has
been found so far to do such tight rights management, but I admit
that I would be content with any sort of mechanism that would get
the job done.

>To put it another way, I reject the suggestion that only things
>with good short-term prospects for adoption are worth studying.
>If someone could find an application development methodology (such as,
>say, capabilities) that can be shown to lead to much better security
>for the applications designed this way, then I think this would be a
>really exciting development even if there is no short- to medium- term
>transition path for it.

This again is a sad commentary on where we stand.  The capability model
has been around since the late 1960s and has been shown over the years
to quite clearly lead to "better security for the applications designed this way".
I don't think there is even really much debate amongst those who have
studied the matter.  I also don't think there is much out there in the way
of competing alternatives.  Some might argue that Access Control List
(ACL) based approaches are a viable competing alternative.  However, I'm not
aware of any serious ACL based approaches that manage rights on a
process level (vs. a human or 'user' level).  Consequently I don't consider
them viable alternatives at this point.  If ACLs are dropped down to the
process level then their horrendous management/accounting barriers
become so clear as to keep them from being viable.

>Some researchers work on schemes that shoot for
>short- or medium- term impact by working within the dominant paradigm,
>and others work on long-range blue-sky research projects that aim to get
>larger benefits by replacing the paradigm with something radically new.
>I like to think there is plenty of room for both.

Surely there's room for both, but is there hope for both?  If I was to rate
hope for improvement for both short term and long term security/integrity
on a scale of 1-10 over the years it might look something like this:

                 1970    75      80      85      90      95      00      04

short term:          5    6       7       8       7       6       5       4
long term:           9    8       7       6       4       2       3       2

Of course others surely have other opinions on the numbers.  I'm pushing a bit
on this because I believe what has been going on for the last 15-25 years is
not going to result in any improvement in the long term area.  I believe we need
some sort of a paradigm shift.  As I mentioned I have some hope that defining a
rights communication mechanism across the network is one possible area where
there might be some hope (the Internet bubble of the late 90s added some hope
in this area for a time).  If such an interface could be put into place and
prove helpful I think there might be a chance for that interface to ultimately
be pushed down to the OS API.

I'd certainly like to hear from others who are more optimistic in this area than I am.
And of course I'd like to hear your reasoning and the direction you see hope coming
from (Alan Karp's virus safe non-capability POLA approach noted).
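The contrast the message draws between ACL-based rights pushed down to the process level (with the management and accounting burden that brings) and capability-based rights that simply travel with references, as an added Python illustration. This is not code from the original message or from any system it names; AclKernel, Capability and CapProcess are hypothetical toy models invented for this example, and Python cannot make the capability constructor truly unforgeable, so the capability half models the design rather than enforcing it.

```python
# Added illustration (not part of the original cap-talk message): a toy model
# contrasting ACL-style rights pushed down to the process level with
# capability-style rights that travel with references. AclKernel, Capability
# and CapProcess are hypothetical names invented for this example.


class AclKernel:
    """ACL model: a global table resource -> {pid: set(rights)}.
    Every process that touches a resource needs its own entry, and entries
    must be created on spawn and removed on exit."""

    def __init__(self, resources, root_rights):
        self.acl = {r: {0: set(root_rights)} for r in resources}  # pid 0 = root
        self.next_pid = 1

    def check(self, pid, resource, right):
        return right in self.acl.get(resource, {}).get(pid, set())

    def spawn(self, parent, wanted):
        """Child gets an explicit entry for each (resource, right) requested;
        the parent may only hand out rights it already holds."""
        pid = self.next_pid
        self.next_pid += 1
        for resource, right in wanted:
            if not self.check(parent, resource, right):
                raise PermissionError(f"pid {parent} lacks {right} on {resource}")
            self.acl[resource].setdefault(pid, set()).add(right)
        return pid

    def exit(self, pid):
        """Accounting step the ACL model cannot skip: without it, rights outlive the process."""
        for entries in self.acl.values():
            entries.pop(pid, None)

    def entry_count(self):
        return sum(len(e) for e in self.acl.values())


class Capability:
    """Capability model: a reference bundling a resource with the rights it
    conveys. Holding the object is the authority; there is no table to keep in
    step with process creation and exit. (Model only: Python cannot prevent
    code from constructing one of these directly.)"""

    def __init__(self, resource, rights):
        self.resource = resource
        self.rights = frozenset(rights)

    def attenuate(self, rights):
        """Derive a weaker capability; intersection means rights can never widen."""
        return Capability(self.resource, self.rights & frozenset(rights))


class CapProcess:
    def __init__(self, caps):
        self.caps = list(caps)  # the process's entire authority, nothing ambient

    def spawn(self, caps):
        """Child receives exactly the capabilities passed and nothing else."""
        return CapProcess(caps)

    def can(self, resource, right):
        return any(c.resource == resource and right in c.rights for c in self.caps)


def acl_scenario():
    k = AclKernel(["log", "db"], {"read", "write"})
    child = k.spawn(0, [("log", "write")])
    try:
        k.spawn(child, [("db", "read")])   # child never held db read
        escalated = True
    except PermissionError:
        escalated = False
    entries_live = k.entry_count()          # 2 root entries + 1 child entry
    # Suppose the child terminates but nobody calls exit(): the entry is stale.
    stale = k.check(child, "log", "write")
    k.exit(child)
    return {
        "escalated": escalated,
        "entries_live": entries_live,
        "stale_without_exit": stale,
        "entries_after_exit": k.entry_count(),
    }


def cap_scenario():
    log_rw = Capability("log", {"read", "write"})
    db_rw = Capability("db", {"read", "write"})
    root = CapProcess([log_rw, db_rw])
    child = root.spawn([log_rw.attenuate({"write"})])   # log write only
    # Child derives from its own capability; attenuation cannot widen it back.
    grandchild = child.spawn([child.caps[0].attenuate({"read", "write"})])
    return {
        "child_log_write": child.can("log", "write"),
        "child_log_read": child.can("log", "read"),
        "child_db_read": child.can("db", "read"),
        "grandchild_rights": sorted(grandchild.caps[0].rights),
    }


if __name__ == "__main__":
    print(acl_scenario())
    print(cap_scenario())
```

Both halves can express least authority; the difference the message is pointing at is where the bookkeeping lives. In the ACL half the kernel must add and remove an entry for every process and resource pair, and a missed exit() leaves a stale grant behind. In the capability half the child's authority is just the list it was handed, attenuation can only narrow it, and nothing needs cleaning up when the process goes away.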