[cap-talk] Communicating conspirators (Re: Second ABAC Google talk is now up)

Mark S. Miller markm at cs.jhu.edu
Sun Jul 16 23:23:49 EDT 2006


Toby Murray wrote:
> [...] All involve the creation of a proxy that reduces the authority that's 
> given to Bob.
> 1. The proxy is "use once", in that it breaks its own link after being 
> invoked. This might work, depending on how Bob's "foo" operation is 
> implemented.
> 2. The proxy only proxies those methods of Carol that Bob needs to call 
> during his "foo" operation.
> 3. The proxy is an instance of Redell's Caretaker. We call its "revoke" 
> method after calling bob.foo(carol).
> 
> Each solution is probably valid in different cases, depending on the 
> original motivation for only wanting Bob to have access to Carol during 
> the "foo" operation.

Yes. Fortunately, all are easily implementable in E and several other objcap 
languages.

Norm Hardy has mentioned a distinction between foreseen and unforeseen 
authority attenuators. When an abstraction exports a method for obtaining a 
reduced authority facet on itself (such as asking a File capability for a 
read-only facet on itself), this is an attenuation of authority that was 
foreseen by the abstraction's designer. When a filtering facet (such as a 
Caretaker) is placed in front of an abstraction, this is an attenuation of 
authority that the abstraction's designer did not need to foresee.

All three of the attenuators you list can be foreseen or unforeseen. I mention 
this because often the form of revocation that's desired is not as leaky as 
the Caretaker and not as absolute as the membrane. Some of the revocation 
interfaces in the E libraries, such as TextWriter, are exported by the 
abstraction in question. The precise statement of what they revoke when is 
designed along with the abstraction in question.

On the one hand, building in such custom foreseen revocability results in a 
less well factored system - similar revocation logic is repeated within each 
such abstraction. OTOH, such custom revocation logic may fit better than 
composition with a generic solution. This is similar to tensions that come up 
with many normal, non-security-oriented, object design patterns.

-- 
Text by me above is hereby placed in the public domain

     Cheers,
     --MarkM
