[cap-talk] - Bellizzomi - Capabilities and Shapiro's focus, Coyotos, etc.

Jonathan S. Shapiro shap at eros-os.com
Fri Dec 1 10:42:54 CST 2006


On Thu, 2006-11-30 at 18:39 -0800, Jed at Webstart wrote:
> OK, with that as background I'm swung over to at least accepting that
> the object/capability paradigm (at least POLA in some form) can contribute
> significantly to dealing with covert channels...

I think there may be a more important aspect to capabilities, but I'm
expressing a half-baked idea.

First, a radical statement: all covert channels are authorized. This is
not a supposition. This is true because we can see in a capability
system that every single instruction execution can be modeled as the
wielding of an authorized capability. It follows of necessity that
unintended side effects from these operations are unintended, but not
unauthorized.

So to understand covert channels, I think we need to model them as
resulting from operations on insufficiently reified resources. The big
ones all seem to result from exploiting the behavior of multiplexing
points within the system. That is: resource cross-talk.

The advantage to capabilities, in this context, is that at least these
resources are indirectly designated. For example, we can trace every
invocation in the EROS kernel and say every subsystem and every
multiplexing point that it touches.

I have the weak sense that this is an advantage for capability systems
insofar as it helps us chase down and discover the weak points.

One can do similar tracing in other systems, but the presence of ambient
authority makes it less feasible to associate the culprits with the de
facto authorities.

> Once you have overt confinement then it
> seems you have the tools you need to address deafening processes
> by limiting their permissions to those that only allow deterministic
> execution...

The problem with this in practice is that deterministic execution is
impossibly slow. Execution in E is only deterministic in the local
(intra-vat) view. It remains non-deterministic in the inter-vat view,
and non-trivial computations expressed in E may reasonably be expected
to exploit multiple vats for the sake of concurrency.

Given which, I think we want to be a little careful about holding out
determinism as an exit strategy. I *do* think that localizing and
narrowing the loci of non-determinism is a valuable step, but we should
recognize that what we have actually accomplished is this localization,
rather than the elimination of non-determinism.

shap
