[cap-talk] Communicating conspirators
Mark S. Miller
markm at cs.jhu.edu
Mon Jul 17 05:35:58 EDT 2006
Toby Murray wrote:
> An interesting thing about this paper is that it seems to argue that
> EROS achieves confinement by limiting delegation. I had thought EROS
> achieved confinement by limiting the capabilities that a confined process
> holds, thereby limiting the other objects to whom it can delegate.
Your understanding is correct. The paper is wrong.
> It also seems to argue that Lampson's confinement and the *-property are
> the same.
They aren't. The paper is again confused. But this particular confusion seems
to be quite common. In particular, Boebert's paper is often misquoted as
claiming that capabilities cannot do confinement, when in fact it only argues
that they cannot do the * properties.
> I wasn't aware of that before, is this generally accepted? I
> can see how Lampson's confinement allows one to enforce the *-property
Confinement is necessary but not sufficient for the *-properties. For example,
a hypothetical caps-as-data system without covert channels, in which full
isolation could be provided, would be able to do confinement but still not the
*-properties.
> but I wasn't aware they were considered equivalent. Can one have the
> *-property without Lampson confinement, for example? Or are both terms
> used generally to refer to the ability to construct one-way data
> channels between objects?
Confinement has nothing to do with one-way data channels. The *-properties
have everything to do with them.
> I personally see Boebert's claim that the *-property cannot be enforced
> in a "pure cap system" the same as the HRU result that safety is
> generally undecidable. That is, it's true if you have a weak enough
> system, (such as a pure caps-as-data system), but doesn't apply to all
> real systems of interest (such as EROS or E) in which data and
> capabilities can be distinguished. It's interesting that they cite DVH
> as an example in which the *-property cannot be enforced. This is in
> stark contrast with CapMyths which argues that DVH is equivalent to the
> object-capability model, not the weak model used by Boebert etc. in
> which capabilities and data are not distinguished.
In DVH, caps and data were quite distinguishable.
> It's interesting to revisit the arguments in CapMyths in light of Karger
> et al.'s assertion that EROS achieves "confinement" (the *-property) by
> limiting delegation. Briefly, as to my understanding, in CapMyths, it's
> shown that we can of course enforce the *-property using nothing but
> pure capabilities so long as there is a distinction between capabilities
> and data, such that we can build a one-way communication channel that
> only allows data to flow and not capabilities. One could argue that in
> this setting we have "restricted delegation" because one cannot pass
> caps over this channel so one cannot delegate. Perhaps it is in this
> vein that Karger et al. are thinking when they say that EROS achieves
> the *-property by limiting delegation.
Perhaps. But they also say that EROS achieves confinement by limiting
delegation, which is an even bigger stretch.
--
Text by me above is hereby placed in the public domain
Cheers,
--MarkM
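As an added illustration of the one-way data channel Toby sketches above (example code, not code from the thread, from EROS or from E), a small Python sketch of an object-capability style channel that passes plain data and refuses object references; the names Capability, DataChannel, is_plain_data and demo are this example's own.

```python
# Added example (not code from the thread, EROS or E); the names Capability,
# DataChannel, is_plain_data and demo are this example's own.

PLAIN_DATA_TYPES = (str, bytes, int, float, bool, type(None))

class Capability:
    """Stand-in for an unforgeable object reference that confers authority."""
    def __init__(self, name, action):
        self._name, self._action = name, action
    def invoke(self, *args):
        return self._action(*args)
    def __repr__(self):
        return f"<cap {self._name}>"

def is_plain_data(value):
    """True only for primitives and containers that bottom out in primitives.
    Exact type checks: a subclass of str could smuggle a reference in an attribute."""
    if type(value) in PLAIN_DATA_TYPES:
        return True
    if type(value) is dict:
        return all(is_plain_data(k) and is_plain_data(v) for k, v in value.items())
    if type(value) in (list, tuple):
        return all(is_plain_data(v) for v in value)
    return False  # anything else is an object reference, i.e. a capability

class DataChannel:
    """One-way channel whose send end accepts plain data only, so its holder
    can report results but cannot delegate any capability through it."""
    def __init__(self):
        self._queue = []
    def make_ends(self):
        return self._send, self._recv  # two separate capabilities to hand out
    def _send(self, value):
        if not is_plain_data(value):
            raise TypeError(f"refusing to pass a capability: {value!r}")
        self._queue.append(value)
    def _recv(self):
        return self._queue.pop(0) if self._queue else None

def demo():
    """Confined side holds a powerful cap plus the send end: data gets out, the cap does not."""
    secret = Capability("secret_file", lambda: "contents")
    send, recv = DataChannel().make_ends()
    send({"status": "done", "bytes": 8})  # plain data: allowed through
    try:
        send(secret)  # attempt to delegate the cap over the channel: refused
        leaked = True
    except TypeError:
        leaked = False
    return recv(), leaked
```

Data still flows out through this channel, so what it shows is the caps/data distinction behind the *-property argument, not confinement, which as Mark says has nothing to do with one-way channels.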