[cap-talk] SCOLL : A Language for Safe Capability Based Collaboration
Mark Miller
markm at cs.jhu.edu
Wed Jul 20 11:52:43 EDT 2005
Fred Spiessens wrote:
> and at least have provided a reference to LP.
Good. But what is the LP calculus?
Saltzer and Schroeder wrote:
> Our discussion [...] rested on an unstated assumption: the principal that
> creates a file or other object in a computer system has unquestioned
> authority to authorize access to it by other principals. [...] We may
> characterize this control pattern as discretionary.
Fred Spiessens wrote:
> However, I think Saltzer & Schroeder's definition is not necessarily
> defining capabilities to be mandatory.
In my note I was careful to avoid saying that by S&S's definitions caps are
"mandatory". I merely said that, by their definitions, caps are "not
discretionary". I have no idea what people think they mean when they say
"mandatory".
> in my opinion, translating their definition would lead to :
>
> ... the subject has unquestioned (potential) authority to authorize
> access to [it] by other subjects.
>
> not:
>
> ... the subject has unquestioned (potential) authority to *impose*
> access to [it] by other subjects.
I was indeed interpreting S&S according to your first translation above, so
let's go with that. Caps are more restrictive than your first translation, and
so are not discretionary. Let's rewrite with labeled subjects:
Given that Alice creates Carol, then Alice has unquestioned potential
authority to authorize access to Carol by Bob. We may characterize this
control pattern as discretionary.
This property holds in ACL systems. Hence (using S&S's definitions) we should
regard ACLs as discretionary. This property holds in some object-cap-like
systems, such as cryptographic capability protocols or SPKI. Hence, we should
regard them as discretionary.
But in DVH and other object-cap systems, if Alice does not have access to Bob,
then Alice cannot [even potentially] authorize access to Carol by Bob. Hence
object-cap systems are not discretionary. It is exactly this difference that
explains how object-cap systems support confinement, and why cryptographic cap
protocols cannot confine machines.
This is property F in the table on p. 13 of Myths Demolished
<http://srl.cs.jhu.edu/pubs/SRL2003-02.pdf>, and leads to the Delegation Myth
listed in the same table.
Bottom line: I think the terms "discretionary" and "mandatory" are an
irredeemable swamp of confusion, and we should all just avoid using these
terms in all our papers.
--
Text by me above is hereby placed in the public domain
Cheers,
--MarkM
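A small executable model of the distinction drawn in the post above, added here as an illustration and not part of the original message or of SCOLL: an ACL object lets its owner name any principal, while an object-capability subject can only delegate to a recipient it already holds a reference to. The Alice/Bob/Carol names follow the post; the class names, the `alice_holds_bob` flag standing in for "some prior introduction", and the sample scenarios are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class AclObject:
    """ACL model: the owner names principals; no relationship to them is needed."""
    owner: str
    acl: set = field(default_factory=set)

    def grant(self, granter: str, grantee: str) -> None:
        if granter != self.owner:
            raise PermissionError(f"{granter} does not own this object")
        self.acl.add(grantee)  # any principal name at all may be written here

    def can_access(self, who: str) -> bool:
        return who == self.owner or who in self.acl


class Subject:
    """ocap model: a subject's authority is exactly the references it holds."""
    def __init__(self, name: str):
        self.name = name
        self.refs = {}  # name -> Subject reference

    def create(self, name: str) -> "Subject":
        child = Subject(name)
        self.refs[name] = child  # creator holds the only initial reference
        return child

    def give(self, what: str, to: str) -> None:
        # Delegation is a message to the recipient, so the granter must hold
        # a reference to the recipient as well as to the object being shared.
        for needed in (what, to):
            if needed not in self.refs:
                raise PermissionError(f"{self.name} holds no reference to {needed}")
        self.refs[to].refs[what] = self.refs[what]

    def can_access(self, name: str) -> bool:
        return name in self.refs


def acl_alice_grants_bob() -> bool:
    carol = AclObject(owner="Alice")
    carol.grant("Alice", "Bob")  # Alice has never met Bob; succeeds anyway
    return carol.can_access("Bob")


def ocap_alice_grants_bob(alice_holds_bob: bool) -> bool:
    alice, bob = Subject("Alice"), Subject("Bob")
    alice.create("Carol")
    if alice_holds_bob:
        alice.refs["Bob"] = bob  # constructed: assume a prior introduction
    try:
        alice.give("Carol", "Bob")
    except PermissionError:
        return False  # not even potentially authorizable: confinement holds
    return bob.can_access("Carol")
```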