[cap-talk] Throwing down the gauntlet

David Chizmadia (JHU) chiz at cs.jhu.edu
Sun Jan 8 21:49:46 EST 2006

Charles Landau wrote:
> At 2:12 PM +1300 1/9/06, John C. McCabe-Dansted wrote:
>>On Monday 09 January 2006 13:27, Charles Landau wrote:
>>>  >In the majority of situations, acknowledgements are needed for
>>>  > reliability, and to ensure correct ordering of operations. Omitting
>>>  > acknowledgements in order to satisfy the *-property is likely to
>>>  > introduce serious reliability and correctness problems.
>>  > The ability to acknowledge is not sufficient to proxy.
>>Why not? Say A can send messages to B, and B can acknowledge them if it deems
>>them "valid".
>>Surely A can collaborate with B to send an arbitrary message m backwards? E.g.
>> 1) A sends a continual stream of messages M_1,M_2,... to B.
>> 2) if the ith bit of M is 1, B sends the ith acknowledgement for M_i.
>> 3) if the ith bit of M is 0, B drops M_i.
> If you can do that, you can violate the *-property. You and David 
> have just proven that no reliable, correct system can enforce the 
> *-property. Do you think you can convince Boebert that capability 
> systems are no worse than other systems, because neither can enforce 
> the *-property?

    Assuming that you're referring to me (rather than David Wagner), I 
did *not* prove that! At least not in the case of systems that have 
survived evaluation. In my previous message, I stated that the *- and
ss-properties are **only** with respect to the subjects being controlled
by those policies! In all evaluated (and consequently, marginally 
practical) systems, there are a set of *trusted* subjects that are 
allowed to work outside of the MAC policy. For the low-to-high write
and high-to-low read, a capability system would use a trusted proxy
(e.g., carefully constructed and scrutinized code) on each side of 
the communication to actually effect the transfer. From the standpoint 
of the untrusted subjects, the action is one-way with no flow control 
or error correction. "Under the covers" you would have a standard IPC 
that provides as little indication of the action as possible!

> Really, acknowledgements are not a practical means of sending data.

    Covert channels never are - unless they are the only means available
to the sender...
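To make the two halves of this exchange concrete, here is an added simulation (not code from the thread or from any cap-talk project) of the acknowledgement channel in steps 1-3 above beside the one-way trusted-proxy arrangement described in the reply; all function names and the sample secret are assumptions of this example.

```python
from typing import List, Optional

def to_bits(data: bytes) -> List[int]:
    """MSB-first bit list of the bytes (constructed helper)."""
    return [(b >> (7 - i)) & 1 for b in data for i in range(8)]

def from_bits(bits: List[int]) -> bytes:
    """Inverse of to_bits; a trailing partial byte is ignored."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        out.append(int("".join(str(b) for b in bits[i:i + 8]), 2))
    return bytes(out)

def high_side_acks(secret: bytes, n_messages: int) -> List[Optional[int]]:
    """B (high) receives M_1..M_n from A and acknowledges M_i only when the ith
    bit of its secret is 1, dropping it otherwise (steps 2 and 3 above).
    Returns what A observes: the message index for an acknowledged message,
    None for a dropped one."""
    secret_bits = to_bits(secret)
    n = min(n_messages, len(secret_bits))
    return [i if secret_bits[i] else None for i in range(n)]

def low_side_decode(observed: List[Optional[int]]) -> bytes:
    """A (low) recovers the secret purely from the ack/no-ack pattern, which is
    a high-to-low flow and therefore a *-property violation."""
    return from_bits([0 if ack is None else 1 for ack in observed])

def high_side_via_trusted_proxy(secret: bytes, n_messages: int) -> List[str]:
    """The mitigation from the reply: a trusted proxy relays each message one
    way.  Whatever B does with M_i, A receives the same constant status, so the
    observation carries no information about the secret (secret is unused on
    purpose)."""
    return ["sent"] * n_messages

if __name__ == "__main__":
    # Constructed sample secret held by the high side.
    secret = b"Hi"
    seen = high_side_acks(secret, 16)
    print("ack channel leaks:", low_side_decode(seen))          # b'Hi'
    print("via proxy, A sees:", high_side_via_trusted_proxy(secret, 16)[:3])
```

Running it shows the low side reconstructing the secret from 16 acknowledgements, while the proxied variant returns an identical observation for every possible secret.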
