[cap-talk] Confinement Confusion (was: Communicating conspirators)

Toby Murray toby.murray at dsto.defence.gov.au
Mon Jul 17 23:48:29 EDT 2006


Mark S. Miller wrote:

>Toby Murray wrote:
>  
>
>>It also seems to argue that Lampson's confinement and the *-property are 
>>the same.
>>    
>>
>
>They aren't. The paper is again confused. But this particular confusion seems 
>to be quite common. In particular, Boebert's paper is often misquoted as 
>claiming that capabilities cannot do confinement, when in fact it only argues 
>that they cannot do the * properties.
>
>  
>
CapMyths appears to try very hard not to confuse the two issues of 
the *-property and confinement, but even it manages to introduce a tiny bit 
of overlap. It definitely makes the distinction between confinement and 
the *-property at first. It talks about confinement when dealing with 
"the confinement myth" and then talks about the *-property when 
discussing the origins of the confinement myth. However, in doing so, 
it refers to the simple security property and the *-property as "the two 
confinement rules".

Thus, it looks to me as though the *-property and confinement are inherently 
tangled in the minds of many in the community. If anyone out there could 
give some history on this I'd certainly be interested to hear it.

The "confinement" term has also been used in the context of 
criticising unrestricted delegation. In this instance it has been used 
when talking about the "capability confinement problem" in 
http://www2.cs.uregina.ca/~pwlfong/Pub/esorics2006.pdf and the 
"confinement of privileges (cite Lampson)" in Wallach et al.'s 
"Extensible Security Arch. for Java".

There appear to be three different criticisms of capability systems, all of 
which have been stated as the difficulty of achieving some form of 
"confinement", and all appear to have been defined in different papers by 
citing Lampson's original "A Note on the Confinement Problem".

1. We have Lampson confinement, which I believe can be achieved in an 
(object)-capability system by using the Factory pattern (of Norm Hardy).

2. We have the *-property. This criticism was levelled by Boebert and 
refuted for object-capability systems in "Capability Myths Demolished". 
Halevi, Karger et al.'s "Enforcing Confinement in Distributed Storage 
and a Cryptographic Model for Access Control" repeats Boebert's 
criticism, citing Lampson for the definitions of confinement (when they 
are really talking about the *-property).

3. We have the inability to restrict delegation. This criticism is 
levelled by Wallach et al. in "Extensible Security Architectures for 
Java", who cite Lampson when levelling it too, referring to the 
inability to restrict the "confinement of privileges".

Karger's work also argues that we need restricted delegation in order 
to achieve "confinement" (the *-property). It cites Boebert here 
erroneously, I think, because Boebert's argument doesn't rely on 
unrestricted delegation but instead relies upon having no distinction 
between caps and data.

Of course, that most recent Halevi, Karger et al. paper also models 
confinement using "probabilistic non-interference". Given the huge 
number of different variations on non-interference, I feel this only 
further confuses things.

Confused indeed :)  I sure am.


-- 
Toby Murray
Advanced Computer Capabilities Group
Information Networks Division
DSTO, Australia

IMPORTANT: This e-mail remains the property of the Australian Defence
Organisation and is subject to the jurisdiction of section 70 of the
Crimes Act 1914. If you have received this e-mail in error, you are
requested to contact the sender and delete the e-mail.

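The first of the three criticisms listed above (Lampson confinement, which the post says an object-capability system can achieve with Norm Hardy's factory pattern) as an added example; this is editor-written illustration code, not code from the cap-talk thread or from any of the cited papers. It is a toy Python model of a KeyKOS-style factory: the builder installs components, the non-sensory ones (anything that can carry information outward) are the factory's "holes", and the requestor inspects the holes before instantiating. Python object references stand in for capabilities, and the model assumes the builder's program can reach nothing except what the factory and the requestor hand it; Python itself gives no such guarantee, so this demonstrates the authority structure of the pattern, not a sandbox. All names (`Factory`, `Mailbox`, `Table`, `requestor_accepts`, `builder_program`) are invented for the illustration.

```python
"""Toy model of Lampson confinement via a KeyKOS-style factory.

Editor-added illustration, not code from the cap-talk thread. Assumes
object references are the only authority in play (no ambient authority),
which Python does not actually enforce.
"""
from dataclasses import dataclass, field
from typing import Any, Callable, Mapping


class Cap:
    """A capability: in the model, the only way to exercise authority."""
    sensory = False  # True means read-only: it cannot carry data outward


@dataclass(eq=False)  # eq=False keeps identity hashing, so caps can sit in sets
class Mailbox(Cap):
    """Write capability: whatever is sent here is visible to the owner."""
    messages: list = field(default_factory=list)

    def send(self, msg: str) -> None:
        self.messages.append(msg)


@dataclass(frozen=True)
class Table(Cap):
    """Sensory capability: the holder can look things up but not write."""
    sensory = True
    data: Mapping[str, str]

    def lookup(self, key: str) -> str:
        return self.data[key]


Program = Callable[[Mapping[str, Cap], Mapping[str, Cap]], Any]


class Factory:
    """Built by the builder from a program plus its components.

    The non-sensory components are the factory's holes: the only channels
    through which a yield could reach anyone other than its requestor.
    """

    def __init__(self, program: Program, components: Mapping[str, Cap]):
        self._program = program
        self._components = dict(components)

    def holes(self) -> frozenset:
        return frozenset(c for c in self._components.values() if not c.sensory)

    def instantiate(self, requestor_caps: Mapping[str, Cap]) -> Any:
        # The yield gets exactly the components plus what the requestor
        # hands over. Nothing else is reachable in the model.
        return self._program(dict(self._components), dict(requestor_caps))


def requestor_accepts(factory: Factory, trusted_holes: frozenset) -> bool:
    """Confinement check from the requestor's side: instantiate only if
    every hole is a capability the requestor already trusts."""
    return factory.holes() <= trusted_holes


def builder_program(components: Mapping[str, Cap], given: Mapping[str, Cap]) -> str:
    """Builder-supplied code, deliberately hostile: it rates the requestor's
    password, then copies it to every writable capability it can reach."""
    password = given["data"].lookup("password")
    rating = components["dictionary"].lookup(password)
    for cap in list(components.values()) + list(given.values()):
        if not cap.sensory:
            cap.send(f"rating={rating} password={password}")
    return rating


def scenario() -> dict:
    """Constructed scenario: one confined factory, one with a hole."""
    builder_inbox = Mailbox()                 # the builder's outward channel
    dictionary = Table({"hunter2": "weak"})  # sensory component, cannot leak

    confined = Factory(builder_program, {"dictionary": dictionary})
    leaky = Factory(builder_program, {"dictionary": dictionary, "home": builder_inbox})

    requestor_reply = Mailbox()
    requestor_data = Table({"password": "hunter2"})
    given = {"data": requestor_data, "reply": requestor_reply}
    trusted = frozenset()  # this requestor trusts no outside holes at all

    results = {
        "confined_accepted": requestor_accepts(confined, trusted),
        "leaky_accepted": requestor_accepts(leaky, trusted),
    }
    if results["confined_accepted"]:
        results["rating"] = confined.instantiate(given)
    # The hostile program could only "leak" back to the requestor's own reply cap.
    results["reply"] = list(requestor_reply.messages)
    results["builder_saw"] = list(builder_inbox.messages)

    # What the check prevented: instantiating the leaky factory anyway.
    leaky.instantiate(given)
    results["builder_saw_if_unchecked"] = list(builder_inbox.messages)
    return results


if __name__ == "__main__":
    print(scenario())
```

Note that nothing here restricts delegation: the yield may hand whatever it holds to anything it can reach. That is harmless for confinement because everything it can reach is either sensory or was supplied by the requestor, which is one concrete way to see why criticism 1 and criticism 3 in the list above are separate issues.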