[cap-talk] Google TechTalk lecture series, HP

Jed Donnelley jed at nersc.gov
Tue Jul 11 19:52:26 EDT 2006


At 06:27 PM 7/8/2006, Nigel Williams wrote:
>Found this, firstly featuring Alan Karp:
>
><http://video.google.com/videoplay?docid=-7179100659758053865>
>
>over the next three weeks Mark Miller, Tyler Close, and Mark Stiegler.
>
>cheers,
>nigel.

Interesting.  Why is it that we didn't hear about these presentations
from the speakers (Alan?)?

If folks don't mind I'll make some comments on the talks as I
view them.  First on Alan's.  Of course let me preface this
by stating what I hope is obvious, that I'm quite supportive
of this basic POLA approach and generally the sorts of
mechanisms that Alan and the others at HP are using.

1.  05:40: "This approach <POLA> has been used many
times in the past and it has always failed."

The above statement is SO untrue.  It is at least overly
broad.  I believe Alan is referring to ACL based systems
(e.g. the recent SELinux).  Sure, combining designation with
authorization is a good idea, but it's always been a good
idea and it has always been present in capability based
systems (of whatever stripe) and it has always succeeded
(not failed!).  It has simply been essentially ignored.  Not
needed enough to draw it out of obscurity.  Once the first
generation of OSs got rolling (Tenex, VMS, Unix, and
ultimately NT), they just carried their ambient authority
model with them.  No need to change a dominant market
paradigm, just go with the flow - despite its huge architectural
failing, a failing that only shows up when effective security
(e.g. protection against malware) is needed many years later.
By that time the model is established in spades and pretty
much immovable.

Please (!) don't bundle all the historical capability efforts
into "always failed" along with the ACL models.  I never
got a popup dialog in any of the capability systems that
I worked on.  There were no such out of band security
decisions, etc.  Designation and authorization were always
combined (just like with "webkey"s, exactly like "webkeys"),
so please don't suggest that they weren't and that combining
designation and authorization are a new discovery.

You can argue if you like that the combining of designation
and authorization in GUIs is novel to Mark Miller and the work
at HP.  I won't dispute that, but please (!) don't distance yourself
from the history of capability system developments ("it always
failed").

"Web keys": combining Web services with no glue code?
No mention that these "web keys" are exactly what is
needed to combine designation with authorization
ON THE WEB! <Internet>??!

Sad Tale of Zebra Copy and ABAC.  Good example, and I
think it helps get the base point across.  A couple of comments.

You say that revocation is easy, but there's no suggestion
as to why revocation is easier with ABAC vs. IBAC.  I believe
you should mention that the bundles (designation and authorization)
can be easily (simple record keeping, like creating a new file)
reissued with different authorization (e.g. less authority,
or a note about Carol's use vs. Bob's use).  That is, Bob can
give Carol a new authority, derived from one of Bob's fine
authorities, that is just for her use.  It's that Carol authority
derived from Bob's that can be revoked - by Bob.

I think we see the same picture here (if not, please let
me know), but in the presentation your claim (that revocation
is easy with ABAC) sounds vacuous.

Excel example under Polaris (41:37 - needless to say
those failures are very bad news for the reputation of Polaris).
Suggests that these (POLA) are good principles, but
impractical.  The virus decided to die?  It appears that it's
Polaris that decided to die.  Is the virus something you
wrote?  Too bad that happened in this situation.

The comment about "acts of designation available to
the user but not to the virus" I like.

Regarding the "We do the best we can with Polaris"
and the attack of trying to get a user to run outside
Polaris.  I think that would be a good time to tie back
to the Solitaire program and how it can run with only
the authority it needs.

Note on the Polaris name (at the end) - like it.  I hadn't
heard that before.

Very end - "mutable static state"?  Did you mean "mutable
global state"?  "mutable static" sounds like an oxymoron.

That talk was on the 5th?  My birthday.  I hope you had as
much fun that day as I did Alan...
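The derived, revocable authority described in the revocation comments above (Bob mints a new, possibly attenuated authority for Carol from one of his own, and it is that derived authority Bob can revoke), as an added example in Python; this is not code from the talk, from Polaris or from the post, and Bob, Carol, FileCap and the read-only attenuation flag are constructed for illustration:

```python
class RevokedError(PermissionError):
    pass

class FileCap:
    # the underlying authority Bob holds: a small in-memory file (constructed)
    def __init__(self, contents: str) -> None:
        self.contents = contents
    def read(self) -> str:
        return self.contents
    def write(self, data: str) -> None:
        self.contents = data

class DerivedCap:
    # forwards to a parent kept in `link`; only the holder of `link` can cut it
    def __init__(self, link: dict, allow_write: bool, note: str) -> None:
        self._link, self._allow_write, self.note = link, allow_write, note
    def _parent(self):
        if self._link["parent"] is None:
            raise RevokedError(f"revoked: {self.note}")
        return self._link["parent"]
    def read(self) -> str:
        return self._parent().read()
    def write(self, data: str) -> None:
        if not self._allow_write:  # attenuated authority: read-only
            raise PermissionError(f"write not granted: {self.note}")
        self._parent().write(data)

def derive(parent, *, allow_write: bool, note: str):
    # Bob's act: mint Carol's authority from his own; Bob keeps the revoker.
    # `note` is Bob's record of whose use the bundle was issued for.
    link = {"parent": parent}
    return DerivedCap(link, allow_write, note), lambda: link.update(parent=None)

def fails(fn, exc) -> bool:
    try:
        fn()
        return False
    except exc:
        return True

def scenario() -> dict:
    bob = FileCap("zebra copy")
    carol, revoke_carol = derive(bob, allow_write=False, note="issued to Carol")
    seen = carol.read()
    attenuated = fails(lambda: carol.write("scribble"), PermissionError)
    revoke_carol()  # Bob revokes Carol's derived authority; his own is untouched
    revoked = fails(carol.read, RevokedError)
    return {"seen": seen, "attenuated": attenuated, "revoked": revoked,
            "bob_unaffected": bob.read() == "zebra copy"}
```

Revocation here is just dropping one link in Bob's records; nothing about Bob's own authority, or about any other bundle he issued, changes.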