[cap-talk] ACLs: why not have them IN ADDITION to capabilities

Chip Morningstar chip at fudco.com
Tue Aug 1 01:24:04 EDT 2006


MarcS writes:
>Having multiple security mechanisms is necessarily more complicated. It
>makes life for the user more complicated, it makes life for the analyst
>trying to figure out the real security claims more difficult. The only
>participant who benefits from complexity is the attacker, who can
>gleefully look in all the nooks and crannies hoping to find a place
>where the multiple security systems didn't quite interlock correctly. A
>terrific place to look for non-interlock is in those places where the
>security overlaps so badly that the actual users trying to get some work
>done will shut off one, or even better, both, systems.

People often intuit that having multiple security mechanisms is like having
more bricks in a wall: the thicker the wall, the more resistant to attack it
is.  I think this analogy, though appealing, is misleading.

I prefer instead to make the analogy to resistors in an electrical circuit:
security barriers are like resistors that impede the ability of an attacker to
get into things.  Since the vulnerabilities of different mechanisms tend to be
relatively independent of each other, having multiple security mechanisms is
like wiring resistors in parallel -- because it potentially presents multiple
attack pathways, it reduces the overall resistance of the circuit.  Object
capability patterns are like wiring the resistors in series: the barriers are
additive, since getting past one barrier only presents you with the next
barrier.

Chip
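The resistor arithmetic behind the analogy, worked out here as an added illustration rather than part of Chip's message. Assume two independent barriers with "resistances" $R_1, R_2 > 0$, so larger means harder to get through.

Parallel (two mechanisms, either of which an attacker may go through):

$$
R_{\parallel} = \left(\frac{1}{R_1} + \frac{1}{R_2}\right)^{-1} = \frac{R_1 R_2}{R_1 + R_2}
$$

Since $R_1 + R_2 > R_2$, we have $\frac{R_1 R_2}{R_1 + R_2} < \frac{R_1 R_2}{R_2} = R_1$, and by the same step $R_{\parallel} < R_2$, hence

$$
R_{\parallel} < \min(R_1, R_2)
$$

Series (barriers that must each be passed in turn, the object-capability case):

$$
R_{\text{series}} = R_1 + R_2 > \max(R_1, R_2)
$$

With constructed values $R_1 = 10$ and $R_2 = 40$: $R_{\parallel} = 400/50 = 8$, below the weaker barrier alone, while $R_{\text{series}} = 50$. Adding a weak mechanism in parallel, say $R_2 = 1$, drags the whole system down to $10/11 \approx 0.91$; adding the same mechanism in series still raises it to $11$.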

