[cap-talk] Throwing down the gauntlet
David Chizmadia (JHU)
chiz at cs.jhu.edu
Sun Jan 8 21:49:46 EST 2006
Charles Landau wrote:
> At 2:12 PM +1300 1/9/06, John C. McCabe-Dansted wrote:
>>On Monday 09 January 2006 13:27, Charles Landau wrote:
>>> >In the majority of situations, acknowledgements are needed for
>>> > reliability, and to ensure correct ordering of operations. Omitting
>>> > acknowledgements in order to satisfy the *-property is likely to
>>> > introduce serious reliability and correctness problems.
>> > The ability to acknowledge is not sufficient to proxy.
>>Why not? Say A can send messages to B, and B can acknowledge them if it deems
>>Surely A can collaborate with B to send an arbitrary message m backwards? E.g.
>> 1) A sends a continual stream of messages M_1,M_2,... to B.
>> 2) if the ith bit of M is 1, B sends the ith acknowledgement for M_i.
>> 3) if the ith bit of M is 0, B drops M_i.
> If you can do that, you can violate the *-property. You and David
> have just proven that no reliable, correct system can enforce the
> *-property. Do you think you can convince Boebert that capability
> systems are no worse than other systems, because neither can enforce
> the *-property?
Assuming that you're referring to me (rather than David Wagner), I
did *not* prove that! At least not in the case of systems that have
survived evaluation. In my previous message, I stated that the *- and
ss-properties are **only** with respect to the subjects being controlled
by those policies! In all evaluated (and consequently, marginally
practical) systems, there are a set of *trusted* subjects that are
allowed to work outside of the MAC policy. For the low-to-high write
and high-to-low read, a capability system would use a trusted proxy
(e.g., carefully constructed and scrutinized code) on each side of
the communication to actually effect the transfer. From the standpoint
of the untrusted subjects, the action is one-way with no flow control
or error correction. "Under the covers" you would have a standard IPC
that provides as little indication of the action as possible!
> Really, acknowledgements are not a practical means of sending data.
Covert channels never are - unless they are the only means available
to the sender...
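The two designs under discussion, the naive acknowledged IPC that John describes and the trusted one-way proxy that David sketches, can be compared in a small model. The following is an added illustration written for this archive page; it is not code from the cap-talk thread or from any capability system, and every class and name in it (HighReceiver, NaiveChannel, ProxiedChannel) is hypothetical. It shows why the proxy's "as little indication as possible" behaviour matters: the same receiver strategy that leaks one bit per message over direct acknowledgements leaks nothing once a trusted proxy answers the low side uniformly.

```python
"""Toy model of low-to-high message delivery under a MAC policy.

Added example, not from the cap-talk thread. A is the low (untrusted) sender,
B the high (untrusted) receiver. In the naive design B's per-message
ack/drop decision is visible to A, which is the covert channel described in
the thread. In the proxied design a trusted proxy accepts every message and
returns a constant result, so B's decision never reaches A. All names are
hypothetical and the 'secret' bit string is constructed for the demo."""

from dataclasses import dataclass, field


@dataclass
class HighReceiver:
    """Untrusted high-side subject B that tries to signal 'secret' downward
    by mirroring secret[i] in its decision to acknowledge or drop M_i."""
    secret: str

    def handle(self, i: int, msg: bytes) -> bool:
        # True = acknowledge M_i, False = drop it (steps 2 and 3 in the thread).
        return self.secret[i % len(self.secret)] == "1"


@dataclass
class NaiveChannel:
    """Direct IPC: B's acknowledgement decision is passed back to A as-is."""
    receiver: HighReceiver

    def send(self, i: int, msg: bytes) -> bool:
        return self.receiver.handle(i, msg)


@dataclass
class ProxiedChannel:
    """Trusted one-way proxy: takes every message from A, hands it to B, and
    reports a fixed outcome to A no matter what B does. What B did is kept
    only in a trusted-side log, which is where auditing would look."""
    receiver: HighReceiver
    audit: list = field(default_factory=list)

    def send(self, i: int, msg: bytes) -> bool:
        accepted = self.receiver.handle(i, msg)
        self.audit.append((i, msg, accepted))
        return True  # constant: A learns nothing about B's choice


def observe(channel, n: int) -> str:
    """Bits A can reconstruct from the acknowledgement of n messages."""
    return "".join("1" if channel.send(i, b"M_%d" % i) else "0" for i in range(n))


def compare(secret: str, n: int) -> tuple:
    """Return (what A sees over naive IPC, what A sees through the proxy)."""
    naive = observe(NaiveChannel(HighReceiver(secret)), n)
    proxied = observe(ProxiedChannel(HighReceiver(secret)), n)
    return naive, proxied


if __name__ == "__main__":
    secret = "10110101"  # constructed bit string B would like to leak
    naive, proxied = compare(secret, len(secret))
    print("secret held by B :", secret)
    print("A sees (naive)   :", naive)    # identical to the secret: 1 bit/message leaked
    print("A sees (proxied) :", proxied)  # all ones whatever the secret: channel closed
```

The cost of the proxied design is exactly the one David names: the low side gets no flow control and no error correction, because any outcome that depended on the high side would reopen the channel. Running compare with two different secrets gives the same proxied observation, which is the property a reviewer of the proxy code would want to check.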