[cap-talk] communication and capabilities
Mark S. Miller
markm at cs.jhu.edu
Mon Jul 17 00:03:20 EDT 2006
David Hopwood wrote:
> John Carlson wrote:
>> One issue I have with capability systems is that they seem to assume
>> that the communication path between objects is secure.
>
> They don't assume that; the concept of a capability system explicitly
> requires it. That is, whatever protocol layer is responsible for securing
> the communication path between objects is considered to be part of the
> capability system "kernel".
Yes. However, here is an interesting gedanken experiment:
Imagine an objcap system, whether an objcap OS like DVH, KeyKOS, EROS or an
objcap language like E. Now, break the above guarantee by providing a global
ambient primitive that allows any object to unconditionally read any physical
memory location. In such a system, no object can any longer keep any secrets,
and there is effectively an uncontrolled bit channel from any stateful object
to every other object that wants to listen. Confinement can no longer be
distinguished from CC. This scenario is an extreme version of "assume we can't
plug covert channels". Even in this hypothetical system, all the normal
capability controls on what an object can *do* still apply. This is very
similar to the abstraction of authority used by the Joe-E project for
reasoning about authority.
Similar but different: A SPKI-like certificate-based capability system
requires only signed messages, not encrypted messages. Each participant needs
a private key which stays secret, but no secrets ever need to be communicated.
An eavesdropper can see what everyone is saying to each other, but does not
obtain from this any illegitimate ability to *do* anything.
--
Text by me above is hereby placed in the public domain
Cheers,
--MarkM
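An added illustration of the last paragraph, written for this page and not code from MarkM's post or from any SPKI implementation: a certificate-based capability where every message on the wire is signed but nothing is encrypted. An eavesdropper (Eve) who captures the whole exchange gains no ability to *do* anything, because the only secrets are private keys that never leave their owners. Assumptions: Go's standard crypto/ed25519 for signatures; JSON with the signature field cleared as a stand-in for SPKI's canonical S-expressions; the names Alice, Bob, Eve, the rights "read"/"write"/"delete", and the functions Issue, Invoke and Server.Verify are all inventions of this example, and the chain check (each link signed by the previous subject, rights only narrowed) is a simplification of SPKI's tuple reduction.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"slices"
)

// Cert is an SPKI-style authorization certificate: Issuer grants Subject the
// listed Rights. It is signed, never encrypted, and contains no secret.
type Cert struct {
	Issuer  []byte   `json:"issuer"`  // ed25519 public key of the grantor
	Subject []byte   `json:"subject"` // ed25519 public key of the grantee
	Rights  []string `json:"rights"`
	Sig     []byte   `json:"sig"`
}

// Invocation is the whole on-the-wire request: the chain proving authority
// plus the request, signed by the private key of the chain's last Subject.
type Invocation struct {
	Chain  []Cert `json:"chain"`
	Method string `json:"method"`
	Nonce  []byte `json:"nonce"`
	Sig    []byte `json:"sig"`
}

// Signatures cover the JSON encoding with Sig cleared (a stand-in for SPKI's
// canonical S-expressions; Go's struct encoding is deterministic).
func certBody(c Cert) []byte      { c.Sig = nil; b, _ := json.Marshal(c); return b }
func invBody(i Invocation) []byte { i.Sig = nil; b, _ := json.Marshal(i); return b }

// Issue grants rights to subject, signed with the grantor's private key.
func Issue(grantor ed25519.PrivateKey, subject ed25519.PublicKey, rights []string) Cert {
	c := Cert{Issuer: grantor.Public().(ed25519.PublicKey), Subject: subject, Rights: rights}
	c.Sig = ed25519.Sign(grantor, certBody(c))
	return c
}

// Invoke signs a request with the holder's key. The random nonce is what lets
// the server reject an eavesdropper who replays the message verbatim.
func Invoke(holder ed25519.PrivateKey, chain []Cert, method string) Invocation {
	nonce := make([]byte, 16)
	rand.Read(nonce) // crypto/rand; documented (Go 1.24+) never to fail
	inv := Invocation{Chain: chain, Method: method, Nonce: nonce}
	inv.Sig = ed25519.Sign(holder, invBody(inv))
	return inv
}

// Server is the invoked object. Root is the public key that stands for the
// object itself (in SPKI the key is the principal); every chain starts there.
type Server struct {
	Root ed25519.PublicKey
	seen map[string]bool // nonces already accepted
}

// Verify walks the chain outward from Root (each cert signed by the previous
// Subject, rights only ever narrowed), then checks the request itself.
func (s *Server) Verify(inv Invocation) error {
	if len(inv.Chain) == 0 {
		return errors.New("no authority presented")
	}
	expected, allowed := []byte(s.Root), []string(nil)
	for i, c := range inv.Chain {
		switch {
		case len(c.Issuer) != ed25519.PublicKeySize || len(c.Subject) != ed25519.PublicKeySize:
			return fmt.Errorf("cert %d has malformed keys", i) // ed25519.Verify panics on bad sizes
		case string(c.Issuer) != string(expected):
			return fmt.Errorf("cert %d not issued by the expected key", i)
		case !ed25519.Verify(ed25519.PublicKey(c.Issuer), certBody(c), c.Sig):
			return fmt.Errorf("cert %d has a bad signature", i)
		}
		for _, r := range c.Rights {
			if i > 0 && !slices.Contains(allowed, r) {
				return fmt.Errorf("cert %d tries to widen rights with %q", i, r)
			}
		}
		expected, allowed = c.Subject, c.Rights
	}
	if !slices.Contains(allowed, inv.Method) {
		return fmt.Errorf("chain does not authorize %q", inv.Method)
	}
	// Only the last Subject's private key can produce this signature: an
	// eavesdropper sees every byte of the message yet can neither alter nor re-sign it.
	if !ed25519.Verify(ed25519.PublicKey(expected), invBody(inv), inv.Sig) {
		return errors.New("request not signed by the chain's final subject")
	}
	if s.seen == nil {
		s.seen = map[string]bool{}
	}
	if s.seen[string(inv.Nonce)] {
		return errors.New("replayed request")
	}
	s.seen[string(inv.Nonce)] = true
	return nil
}
```

Usage, in the scenario the example is built around: the object's owner holds the Root key and issues Alice a cert for {read, write}; Alice issues Bob a cert for {read} signed with her own key; Bob calls Invoke(bobPriv, []Cert{toAlice, toBob}, "read") and the server's Verify accepts it. Eve, who has watched all of this in the clear, can replay the captured invocation (rejected by the nonce), edit its method to "write" (rejected: Bob's signature no longer matches, and Bob's cert does not cover "write" anyway), or re-sign it with her own key (rejected: the chain ends at Bob's public key, not hers). What Eve learns from the traffic is exactly what the post says: who is saying what to whom, and nothing she can act on. Note that the nonce set only catches verbatim replay; a real deployment would also bound validity in time so the set does not grow without limit.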