[cap-talk] Capabilities in Livermore and OS frustration
Jed at Webstart
donnelley1 at webstart.com
Wed May 11 13:30:13 EDT 2005
At 07:57 PM 5/6/2005, Charles Landau wrote:
>>I'll have to admit that it was somewhat discouraging for me to write up
>>that history. Perhaps it showed through. What frustrates me most is that
>>I see and feel to my core the value for computing/humans in general of
>>POLA and the natural way capabilities (or whatever one might call
>>manipulable/communicable authority tokens) can realize that value. Yet
>>despite that, I don't see how I could have done anything differently back
>>then nor do I see what I can do now to get that value into the main stream.
>
>I too have realized that it isn't easy. I'm working on CapROS (formerly
>EROS) because the only model I have seen for getting a new operating
>system adopted is to write it all from scratch and make it free. In 1984
>Richard Stallman began doing that, and 21 years later, Gnu/Linux is
>getting serious attention.
Good luck with the above Charlie. I hope you're around to see some payoff
(in other words, live long and prosper!)!

One thing I will note, however, is that Gnu/Linux was able to start getting
serious attention only because it supported the base Unix API. No doubt you
are aware of Stallman's writing on this topic. How do you imagine getting a
significant set of widely valued applications running on CapROS? Do you
intend to supply some sort of compatibility library? If so, how do you
believe the underlying capability flexibility (specifically POLA) will show
through any such library? That is the fundamental difficulty that I see. I'd
be interested to hear any idea that you or others may have for surmounting
that (to me) apparent obstacle.
Regarding:
At 05:15 AM 5/7/2005, Michael Berg wrote:
>E.g. even though I know this is not a pure capability system and they're
>lacking quite some things which are considered on these kinds of mailing
>lists as very (or most) important (as POLA), the people from Symbian
>(www.symbian.com) have moved towards a capability mechanism to secure
>their mobile operating system. (in Symbian OS v9 - see for instance
>http://www.symbian.com/developer/techlib/papers/plat_sec_tech_overview/platform_security_a_technical_overview_v1.0.pdf).
I found some interesting reading in the above. I will note that to me POLA
is essentially the whole game with regard to "capabilities". That is, I
don't much care what you call the tokens of authorization or even to some
extent how they are manipulated (though of course they require enough
flexibility to make them practical), but they need to support POLA to be
relevant in any sense - IMHO.

Here is where the discussion of Symbian starts to concern me and to me seems
to be deviating from any workable "capability" scheme:
"Code that needs to access capability-protected functionality must go through
the process of authorisation, in order to gain the privilege of using a
capability. Once this has been successfully completed, the code is considered
authorised for that capability. Authorising a capability effectively confirms
that the code is trustworthy enough to use the functionality protected by
that capability."
If you read on you see that what they mean by "authorization" is essentially
human user authorization. That is, asking the human user for the authority to
exercise a "capability":
"...but where authorisation may be performed by the user..."
In my opinion this approach is so unworkable as to be hardly recognizable in
any sense as a "capability" mechanism. The essence of any "capability"
mechanism is (IMHO) that it allows IPC communication of authority tokens.
This is not true of the "capability" mechanism in Symbian.

Of course you could argue that even the use of the term "capability" and the
general notion of managing authorities is a step in the right direction. I
don't agree with that position. If the direction you step in is into a swamp
(as I see such human/user authorized "capabilities") then you can very well
be making the situation worse and at the same time confusing things
(including the terminology) for others.

I believe the base problem that we have is that the IT culture is not aware
of and is not taught POLA and communicable authorities as base values that
include common terminology, interfaces, implementation approaches etc. Until
we get there I believe mechanisms like that in Symbian calling themselves
"capabilities" (Linux "capabilities" is another example) will continue to
crop up and muddy the waters.

As I've mentioned before I do see some hope that beginning to share
authorities across the Internet with something like YURLs may make the value
of such POLA sharing clear and that it may ultimately percolate down to the
OS level. However, I haven't seen any suggestion that anything POLA is
developing at the OS level in any effective (capable of spreading) way.
--Jed http://www.webstart.com/jed/
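The distinction Jed draws above (a real capability is an authority token that one process can hand to another over IPC, versus a Symbian-style flag that is authorised up front and bound to the code) is easier to see in code. The following is an added illustration written for this archive page; it is not part of the message, of CapROS, or of Symbian. It models a toy object-capability kernel with unforgeable handles, attenuation and IPC transfer, beside a flag-based process model that has no transfer operation. All class and method names are hypothetical, and the flag name is only illustrative.

```python
import secrets


class FileObject:
    """A resource the kernel protects; processes never touch it directly."""
    def __init__(self, name, data):
        self.name, self.data = name, data

    def read(self):
        return self.data

    def write(self, data):
        self.data = data


class ReadOnlyFacet:
    """Attenuated view of a FileObject: only read() is forwarded."""
    def __init__(self, target):
        self._target = target

    def read(self):
        return self._target.read()


class CapKernel:
    """Toy object-capability kernel (hypothetical). A handle is an opaque random
    string kept in a per-process c-list; authority moves only when a holder
    sends it over IPC, and the kernel checks only that the sender holds it."""
    def __init__(self):
        self._objects = {}    # handle -> protected object
        self._clists = {}     # pid -> set of handles the process holds
        self._mailboxes = {}  # pid -> handles in transit

    def spawn(self, pid, initial_objects=()):
        self._clists[pid] = {self._mint(o) for o in initial_objects}
        self._mailboxes[pid] = []
        return sorted(self._clists[pid])

    def _mint(self, obj):
        handle = secrets.token_hex(16)  # unguessable, hence unforgeable
        self._objects[handle] = obj
        return handle

    def invoke(self, pid, handle, method, *args):
        if handle not in self._clists[pid]:
            raise PermissionError(f"{pid} holds no such capability")
        target = self._objects[handle]
        if not hasattr(target, method):  # facet does not expose the method
            raise PermissionError(f"capability does not grant {method}()")
        return getattr(target, method)(*args)

    def attenuate(self, pid, handle):
        """Holder derives a weaker handle itself; no user dialogue involved."""
        if handle not in self._clists[pid]:
            raise PermissionError(f"{pid} holds no such capability")
        weak = self._mint(ReadOnlyFacet(self._objects[handle]))
        self._clists[pid].add(weak)
        return weak

    def send(self, src, dst, handle):
        """IPC transfer of an authority token from src to dst."""
        if handle not in self._clists[src]:
            raise PermissionError(f"{src} cannot send what it does not hold")
        self._mailboxes[dst].append(handle)

    def receive(self, pid):
        handles, self._mailboxes[pid] = self._mailboxes[pid], []
        self._clists[pid].update(handles)
        return handles


class FlagProcess:
    """Flag-based model as the post describes Symbian's: a fixed set of named
    flags fixed at authorisation time and checked on each protected call."""
    def __init__(self, name, flags):
        self.name, self.flags = name, frozenset(flags)

    def call_protected(self, required_flag, fn, *args):
        if required_flag not in self.flags:
            raise PermissionError(f"{self.name} lacks {required_flag}")
        return fn(*args)

    def delegate(self, other, flag):
        """No transfer path exists: a flag is a property of the authorised
        code, so granting it to another process means a new authorisation."""
        raise NotImplementedError("re-authorisation required")


def demo():
    """Run both models on constructed sample objects and report what happened."""
    results, k = {}, CapKernel()
    secret = FileObject("notes.txt", "original")      # constructed sample
    (shell_handle,) = k.spawn("shell", [secret])
    k.spawn("viewer")
    ro = k.attenuate("shell", shell_handle)           # shell weakens its own authority
    k.send("shell", "viewer", ro)                     # ... and delegates it over IPC
    k.receive("viewer")
    results["viewer_reads"] = k.invoke("viewer", ro, "read")
    for key, handle in (("viewer_writes", ro), ("viewer_uses_unsent", shell_handle)):
        try:
            k.invoke("viewer", handle, "write", "tampered")
            results[key] = True
        except PermissionError:
            results[key] = False
    results["data_after"] = secret.data

    contacts = FileObject("contacts", "addresses")    # constructed sample
    app = FlagProcess("app", {"ReadUserData"})        # flag name illustrative
    helper = FlagProcess("helper", set())
    results["app_reads"] = app.call_protected("ReadUserData", contacts.read)
    try:
        helper.call_protected("ReadUserData", contacts.read)
        results["helper_reads"] = True
    except PermissionError:
        results["helper_reads"] = False
    try:
        app.delegate(helper, "ReadUserData")
        results["flag_delegated"] = True
    except NotImplementedError:
        results["flag_delegated"] = False
    return results
```

Calling `demo()` shows the two sides of the argument: in the capability model the shell can attenuate its file handle to read-only and pass it to the viewer, which can then read but not write, and which cannot use the handle it was never sent; in the flag model the app can read but has no way to let the helper read on its behalf without another authorisation step, which is exactly the point about communicable authority tokens.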