[cap-talk] "On the Inability of an Unmodified Capability Machine to Enforce the *-Property"

David Hopwood david.nospam.hopwood at blueyonder.co.uk
Wed Jul 19 15:59:17 EDT 2006


Mark Miller wrote:
> On 7/19/06, Karp, Alan H <alan.karp at hp.com> wrote:
> 
>>>http://www.erights.org/elib/capability/duals/boebert.html
>>
>>which led me to re-read the paper.  The incompleteness of Boebert's
>>analysis is made clear in the first sentence of his conclusions.
>>
>>'The attack is made possible by an inherent attribute of pure capability
>>systems:  the right to exercise access carries with it the right to
>>propagate that access.'
>>
>>That is not the reason the attack is possible.  DVH has this property
>>but is not subject to Boebert's attack, even though that's the paper
>>Boebert cites.
> 
> Alan & I just talked about it, but for the record...
> 
> DVH does *not* have this property. In DVH, if Alice has access to
> Carol, Alice can only propagate this right to Bob if Alice also has
> access to Bob. While I agree with Alan that this propagation issue
> doesn't account for Boebert's error, it does account for the error
> repeatedly read into Boebert's paper - that capabilities cannot do
> confinement.

Another error is that the title oversimplifies the formal conclusions;
it is incorrect in saying that a caps-as-data system cannot enforce the
*-property. In "CONCLUDING OBSERVATIONS", Boebert says:

# The attack can be stopped only if both reading and writing are
# restricted to cases where clearance equals classification, which is
# of course the trivial case of no flow whatsoever.

But "no flow whatsoever", i.e. a strict isolation property, does enforce
the *-property. (The point is not that strict isolation is useful, but
that the conclusion of Boebert's argument is misstated in the title, even
ignoring other mistaken assumptions.)

Also, the "only if" in the above quotation should be an "if". The *only*
policies considered by Boebert are:

  ss-property + *-property
  ss-property + *-property + "no write up"

He then asserts *without justification* that the conclusion holds for all
policies except strict isolation.

-- 
David Hopwood <david.nospam.hopwood at blueyonder.co.uk>
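As an added illustration, not part of this thread or of Boebert's paper, here is a toy Python model of an "unmodified" capability machine: each access is checked only against the rights in the capability presented, and the security policy acts solely at capability-distribution time. It runs the write-up scenario from Boebert's paper under the first policy listed above (ss-property + *-property) and under strict isolation ("no flow whatsoever"); the levels, segment names, rights letters and the secret string are constructed for the example.

```python
LOW, HIGH = 0, 1          # clearance / classification levels (constructed)

class Segment:
    def __init__(self, level):
        self.level = level
        self.contents = []        # data strings or Capability objects

class Capability:
    def __init__(self, segment, rights):
        self.segment = segment    # the object this capability designates
        self.rights = frozenset(rights)

def read(cap):
    # The unmodified machine checks only the capability's rights, never levels.
    assert "r" in cap.rights
    return list(cap.segment.contents)

def write(cap, item):
    assert "w" in cap.rights
    cap.segment.contents.append(item)

def ss_and_star(c, k):
    # ss-property: read only if clearance >= classification (no read up);
    # *-property: write only if clearance <= classification (no write down).
    return ({"r"} if c >= k else set()) | ({"w"} if c <= k else set())

def strict_isolation(c, k):
    # "No flow whatsoever": access only when clearance == classification.
    return {"r", "w"} if c == k else set()

def run_boebert_scenario(policy):
    """Return True if a HIGH subject's secret ends up readable by LOW."""
    low_seg, high_seg = Segment(LOW), Segment(HIGH)
    # Capabilities are handed out once, according to the policy predicate.
    low_caps = [Capability(s, policy(LOW, s.level)) for s in (low_seg, high_seg)]
    high_caps = [Capability(s, policy(HIGH, s.level)) for s in (low_seg, high_seg)]
    low_to_low = low_caps[0]
    # Step 1: LOW stores its own capability for low_seg, as data, in high_seg
    # (a write-up, which the *-property permits).
    for cap in low_caps:
        if "w" in cap.rights and cap.segment is high_seg:
            write(cap, low_to_low)
    # Step 2: HIGH reads high_seg and exercises any capability found there.
    secret = "SECRET"
    for cap in high_caps:
        if "r" in cap.rights and cap.segment is high_seg:
            for item in read(cap):
                if isinstance(item, Capability) and "w" in item.rights:
                    write(item, secret)
    return secret in read(low_to_low)    # Step 3: LOW reads its own segment
```

Under `ss_and_star` the secret reaches the low segment (the policy was never re-checked once the capability travelled as data); under `strict_isolation` LOW holds no write capability to the high segment, so nothing propagates and the *-property is trivially upheld.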