[cap-talk] RE: [e-lang] Threat model of capability-based systems

Julien Couvreur jcouv at microsoft.com
Wed Feb 23 19:36:33 EST 2005


- "I have argued several times
that such a case study would have a lot of value. (...) we have to
remember that putting together such a case study is truly an *enormous*
amount of work."

I've been advocating the capability-security model here at work. But
some of the responses I got back made me want to try and get some more
concrete evidence. 
For example, one of our white hat hackers was intrigued by the paper I
wrote on the topic, but brought up some challenging questions about
low-level attacks (what if you manage to execute some instructions on
the CPU, within a process). 
There are also some questions about how manageable maintaining the
capability graph is in practice (or how easy is it for users to screw up
on a running system), but that requires a concrete implementation and
user study. I've read the papers from Ka-Ping Yee and others about
secure UI design, and I'm optimistic that these challenges can be
solved, but my good feelings are not necessarily convincing data points
for other people here ;-)


- "If you're not deeply familiar with x509/SSL certificates as they
are deployed today, the risks of PKI, SDSI/SPKI, and the like, it might
be easier to start by understanding these ideas in the software world"

I was only on e-lang, so I just joined cap-talk (and cross-posted this
email) and I'll check the archive too. Thanks for the pointer :-)
I'm pretty familiar with these, but am curious about possibly designing
the web to take advantage of capability discipline (with whichever
cryptographic algorithm or protocol is needed), instead of the approach
which is closer to principals+ACLs.
I can imagine a more secure web, using capability concepts, but it would
require browser support. I was wondering if other people have been
thinking about similar things.

Cheers,
Julien


-----Original Message-----
From: e-lang-bounces at mail.eros-os.org
[mailto:e-lang-bounces at mail.eros-os.org] On Behalf Of David Wagner
Sent: Wednesday, February 23, 2005 3:20 PM
To: e-lang at mail.eros-os.org
Subject: [e-lang] Threat model of capability-based systems

Julien Couvreur writes:
>Also, I'm still trying to get my head around the larger picture of
>capabilities. Some loosely connected questions:
>
>-          Is there an example design for a large system such as the
>desktop or an email application? A comparison threat model might be a
>good thing, comparing a current and a capability-enabled design.

No, I'm not aware of anything of comparable complexity to a
production-quality web browser or mail client that has been built on
E in the capability style.  I think having such an example could be
very useful at helping us evaluate the strengths and weaknesses of these
development methodologies, but we don't have such a case study right
now.
Right now, I think the closest we have may be systems like CapDesk and
Polaris, so you could look at those as a starting point.  Maybe others
will be able to suggest other examples as well.

If you read through old mailing list archives, you'll find that I seem
to be the designated skeptic on this list, and I have argued several times
that such a case study would have a lot of value.  I'm often reluctant
to fully believe anything until I have seen reams of implementation
experience.  However, we have to remember that putting together such a
case study is truly an *enormous* amount of work.

>-          Could the concept of capabilities be used on the web (ex: an
>amazon cart access capability, a credit card capability,..)?

Yes.  If you're not deeply familiar with x509/SSL certificates as they
are deployed today, the risks of PKI, SDSI/SPKI, and the like, it might
be easier to start by understanding these ideas in the software world,
but there are some analogues in the world of public-key cryptography and
the web.  Look through old archives for this list and for the cap-talk
list for loads of discussion on this topic.  There is way too much to
repeat here.
_______________________________________________
e-lang mailing list
e-lang at mail.eros-os.org
http://www.eros-os.org/mailman/listinfo/e-lang
