[cap-talk] Subject based service denial - not with capabilities
david.nospam.hopwood at blueyonder.co.uk
Sat May 28 20:37:20 EDT 2005
Jed at Webstart wrote:
> My last message defending capabilities from Mark Miller's:
> got me to thinking a bit about a situation that's fairly common in
> today's computer security environment. Namely the attempts to limit
> access authorities based on past actions by the subject. For example,
> if an intrusion detection system notices any of a variety of attacks
> (e.g. dictionary attack, denial of service attack, explicit flaw
> exploitation attacks, etc., etc.) a common response is to block
> communication *from* the source of the attack (e.g. IP address).
> This sort of effort at protection has always seemed a bit futile to me.
> Any serious attack effort can simply pick up another IP address and
> attack again. Also, any source address blockage may well turn into an
> unwanted hindrance if/when the attacker is no longer using the original
> source IP address. Still, it does seem clear that any such effort to
> limit authorities based on the source of a message (e.g. based on past
> behavior) falls outside the scope of communication of authorities as
> capability "tokens". Namely it's a situation where authority limits are
> based on the behavior of a subject/source.
> Does this example constitute a case of computer authority management
> that can't be effectively done with capabilities?
If source blocking is in fact futile (as I agree that it is), then
does this matter?
If an intrusion detection system could reliably detect misuse of a
given capability, it could revoke it. Provided that different capabilities
are given out to different principals in order to allow separate
revocation, this would work as well as could be expected (that is,
not very well, with problems due to false positives possibly outweighing
David Hopwood <david.nospam.hopwood at blueyonder.co.uk>
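
The per-principal revocation described in the reply above, sketched as an added example that is not part of the original post: each principal receives its own revocable forwarder to the same resource, and misuse counted against one forwarder revokes only that one. The names Mailbox, make_revocable and grant, the oversized-message misuse rule and the three-strike limit are assumptions made for illustration.

```python
# Added illustration; every name and threshold here is hypothetical.
class Revoked(Exception):
    """Raised when a revoked capability is invoked."""

class Mailbox:
    """Protected resource; it never inspects who is calling."""
    def __init__(self):
        self.messages = []
    def deliver(self, text):
        if len(text) > 64:
            raise ValueError("message too long")
        self.messages.append(text)
        return len(self.messages)

def make_revocable(target, on_misuse):
    """Return (forwarder, revoke); only the forwarder is handed to the grantee."""
    cell = {"target": target}
    def revoke():
        cell["target"] = None
    def forwarder(text):
        if cell["target"] is None:
            raise Revoked("capability revoked")
        try:
            return cell["target"].deliver(text)
        except ValueError:
            on_misuse()  # misuse is charged to this capability, not to a source address
            raise
    return forwarder, revoke

def grant(target, limit=3):
    """Issue a fresh capability for one principal; revoke it after `limit` misuses."""
    strikes = [0]
    def on_misuse():
        strikes[0] += 1
        if strikes[0] >= limit:
            revoke()
    forwarder, revoke = make_revocable(target, on_misuse)
    return forwarder

def demo():
    box = Mailbox()
    alice, mallory = grant(box), grant(box)   # distinct capability per principal
    outcomes = []
    for text in ["x" * 100] * 3 + ["hi"]:     # constructed misuse, then a valid call
        try:
            outcomes.append(mallory(text))
        except (ValueError, Revoked) as exc:
            outcomes.append(type(exc).__name__)
    return outcomes, alice("hello"), box.messages
```

The detector here is only as good as its misuse rule: a legitimate holder who trips the rule three times loses access just the same, which is the false-positive cost the reply mentions.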