[cap-talk] Comments on a paper - resource "claims"

Jed at Webstart donnelley1 at webstart.com
Wed Jul 6 13:46:05 EDT 2005


At 10:47 PM 7/5/2005, you wrote:
>Jed at Webstart wrote:
> >...LLNL...
>
>With all due respect,

I guess you must not think that much respect is in fact due ;-)

>it's doubtful that security developed for a
>hierarchical organization, full of trust third parties (bosses,
>systems administrators, etc.) is applicable to the Internet.

I find it amusing that you would form some sort of model
and opinion of the environment at LLNL that could be so
characterized ("full of trust third parties", etc.).

I don't believe the problems we were solving in the Livermore
networking environment were distinguishable from those faced
on the Internet.  We were on the Internet at the time (though
the networks were physically disconnected) and of course
I have considerable Internet experience since and ARPAnet
experience before.  I don't believe the environments differed
in any substantive way except for scale - which is likely
significant.

> > ... "claim" to share writable access to a file with more than one user.
> > Who has the "claim" to the storage?  I think one can argue that any
> > or none do.  It gets even more complex as the resource becomes less
> > physical and more logical - e.g. a directory (consider an insert only
> > capability to a directory shared among multiple users) or a database.
>
>There are a large class of these kinds of problems that can't be
>done securely across trust boundaries, at least not without
>fancy cryptography.

The statement above really puzzles me.  Do you have some sort of
framework or model in which you can demonstrate the truth of the above
statement?  By itself as above it doesn't make any sense to me.

> > ...I suggest the simpler approach of accounting for the costs
> > of the base resource and allowing access to it in any potentially
> > complex manner that seems desirable (e.g. DB table restrictions,
> > directory access controls, etc., etc.).  Any time the costs of the base
> > resource stop being paid for - the resource disappears, regardless of
> > the logical sharing at a higher level (consider processor resources in
> > this regard).
>
>Scarce objects are the most straightforward way to conserve the
>base resource across trust boundaries.

Amazing.  I would certainly find it interesting having a face to face
discussion about the above statements to see if we could at least get
to the point where we had enough common understanding of
a model and terminology that we could intelligently discuss it.

>But no known approach across trust
>boundaries solves problems like the two writers corrupting each other's data.

Perhaps with this statement we can at least use some common background
to probe what you mean by it.  Consider the Unix (or Windows for that matter)
file system.  One can certainly create situations in that file system where
you have files and/or directories that have multiple writers.  Of course in
those cases those multiple writers "can" corrupt each other's data.  That is
exactly the intent.  Each has the authority to, say, overwrite the entire
file and/or directory.

When you say "no known approach across trust boundaries solves problems like
the two writers corrupting each other's data", what 'problems' are you
referring to?  Of course if the intent was to keep the two writers' data
distinct they would only be given access to distinct writable resources -
e.g. files.  That solves the 'problem' as I understand it.  Are you referring
to a distinct problem?  One can of course create much more complex
situations - say an Oracle database with multiple readers and writers and
varied roles.  To me this is just a matter of deciding what is desired in
terms of authorities, but the underlying issue of resource utilization and
any 'claims' on it seems to me a distinct issue.

At 08:44 AM 7/6/2005, Karp, Alan H wrote:
>Welcome back, Jed.

Thanks Alan.

>You wrote:
>
> >                 I believe the notion of a "claim" in resources such as
> > storage or processing is too fluid to be dealt with
> > effectively either as Alan hopes or as Nick suggests.
>
>I wasn't *hoping* anything.  I was reporting on SHARP, a decentralized
>resource allocation scheme proposed for PlanetLab.

This?:

http://www.cs.rutgers.edu/~tdnguyen/courses/papers/sosp-2003-fu-sharp.pdf

Is there a more focused reference that I should read?

>They found that many
>clients assigned resources never use them.  If there's no over
>allocation, resource utilization is around 60%.  Allowing claims to be
>generated for more resource than is available raises this figure
>considerably.  The trick is to get as much utilization as possible while
>rejecting as few claims as possible.  They report that allocating
>150%-200% is best.  My question to this list was about finding a more
>capability-like approach than the digital certificates they used.

I think I better back out of this discussion until I better understand
the model you are referring to.  Sorry for any potentially introduced
confusion.

--Jed http://www.webstart.com/jed/ 
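The over-allocation trade-off Alan describes for SHARP (claims issued for more resource than exists, raising utilization at the cost of some claims being refused when redeemed) is easy to see in a small model. The following is an added example, not code from the SHARP paper or from anyone on this thread: the capacity of 100 units, the fixed claim size of 10, and the deterministic "three of every five holders actually redeem" usage pattern are constructed assumptions chosen to reproduce the roughly 60% baseline utilization quoted above. The security-relevant point it makes concrete is that an over-allocated claim is only a ticket for admission, not a guarantee of the resource: the holder must be prepared for the redemption to be refused.

```python
"""Toy model of over-allocated resource claims (added illustration).

Assumptions (not from the page): 100 units of one base resource, every
client claims 10 units, and holders redeem their claims in issue order,
with clients 0,1,2 of every block of five actually redeeming (60%).
"""
from dataclasses import dataclass
from typing import List, NamedTuple


@dataclass
class Claim:
    client: str
    amount: int      # units of the base resource the claim promises
    redeemed: bool   # whether the holder ever tries to use it


class Outcome(NamedTuple):
    issued: int          # total units promised across all claims
    used: int            # units actually handed out at redemption
    admitted: int        # claims honoured
    rejected: int        # claims refused because the resource ran out
    utilization: float   # used / capacity
    rejection_rate: float  # rejected / (admitted + rejected)


def make_claims(capacity: int, factor: float, claim_size: int = 10) -> List[Claim]:
    """Issue claims totalling roughly factor * capacity units.

    factor == 1.0 is no over-allocation; 1.5 and 2.0 are the range the
    thread reports as working best.  The redemption pattern is a constructed
    assumption: 60% of holders redeem, deterministically, so the numbers
    below are exact rather than sampled.
    """
    n_claims = int(capacity * factor) // claim_size
    return [Claim(f"client{i}", claim_size, redeemed=(i % 5 < 3))
            for i in range(n_claims)]


def redeem(capacity: int, claims: List[Claim]) -> Outcome:
    """Honour redemptions first-come-first-served until the resource is gone.

    A claim is NOT a capability to the units: if earlier redemptions have
    consumed the base resource, a perfectly valid claim is refused.
    """
    free = capacity
    used = admitted = rejected = 0
    for claim in claims:
        if not claim.redeemed:
            continue               # holder never showed up; units stay free
        if claim.amount <= free:
            free -= claim.amount
            used += claim.amount
            admitted += 1
        else:
            rejected += 1          # over-allocation bit this holder
    attempts = admitted + rejected
    return Outcome(
        issued=sum(c.amount for c in claims),
        used=used,
        admitted=admitted,
        rejected=rejected,
        utilization=used / capacity,
        rejection_rate=(rejected / attempts) if attempts else 0.0,
    )


def run(capacity: int, factor: float) -> Outcome:
    """Convenience wrapper: issue claims at the given factor, then redeem."""
    return redeem(capacity, make_claims(capacity, factor))


if __name__ == "__main__":
    for factor in (1.0, 1.5, 2.0):
        o = run(100, factor)
        print(f"factor {factor:.1f}: issued {o.issued:3d} units, "
              f"utilization {o.utilization:.0%}, "
              f"rejected {o.rejected} of {o.admitted + o.rejected} redemptions")
```

Under these assumptions no over-allocation leaves the resource 60% used with nothing refused, allocating 150% lifts utilization to 90% still with no refusals, and allocating 200% saturates the resource but refuses two of twelve redemptions. The cross-over point depends entirely on how many holders actually redeem, which is what the measurement on the real system has to supply; the model only shows why a holder of an over-allocated claim cannot treat it as an authority that will always be honoured.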
