[cap-talk] Boebert's quote
Toby Murray
toby.murray at dsto.defence.gov.au
Wed Jul 19 20:35:54 EDT 2006
Mark Miller wrote:
>On 7/19/06, Karp, Alan H <alan.karp at hp.com> wrote:
>
>>The incompleteness of Boebert's
>>analysis is made clear in the first sentence of his conclusions.
>>
>>'The attack is made possible by an inherent attribute of pure capability
>>systems: the right to exercise access carries with it the right to
>>propagate that access.'
>>
>>That is not the reason the attack is possible. DVH has this property
>>but is not subject to Boebert's attack, even though that's the paper
>>Boebert cites.
>
>Alan & I just talked about it, but for the record...
>
>
>DVH does *not* have this property. In DVH, if Alice has access to
>Carol, Alice can only propagate this right to Bob if Alice also has
>access to Bob.
>
I think we need to be a bit more precise about how we're interpreting
Boebert's quote:

'The attack is made possible by an inherent attribute of pure capability
systems: the right to exercise access carries with it the right to
propagate that access.'

I'm presuming here that Mark and Alan are interpreting the quote as meaning:

'... the right to exercise access carries with it the right to propagate that access [to anyone]'

But I think it might be quite natural to also interpret it as

'... the right to exercise access carries with it the right to [try to] propagate that access [to anyone to whom one possesses a capability]'

(I say "try to" because, as Fred points out, the invoked party may choose to ignore the cap that's being delegated, in which case no real delegation has occurred).

DVH does have the second property, but not the first; hence, confinement is possible in DVH.

The problem is that Boebert's quote is ambiguous. Depending on how one interprets its meaning, we can draw different conclusions about its correctness and applicability.
--
Toby Murray
Advanced Computer Capabilities Group
Information Networks Division
DSTO, Australia
IMPORTANT: This e-mail remains the property of the Australian Defence
Organisation and is subject to the jurisdiction of section 70 of the
Crimes Act 1914. If you have received this e-mail in error, you are
requested to contact the sender and delete the e-mail.
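
The two readings of Boebert's sentence discussed in this message, worked through as an added example that is not part of the original post and is not DVH code. The model is an assumption made for illustration: a dict maps each subject to the set of capabilities it holds, every recipient is taken to accept what it is offered (the worst case for confinement), and object creation is ignored. The function and constant names are hypothetical.

```python
def closure_anyone(caps):
    """First reading: holding a capability lets you propagate it to anyone.

    Upper bound on what each subject can end up holding: everything that
    any subject holds.
    """
    held = set().union(*caps.values())
    return {subject: set(held) for subject in caps}


def closure_held(caps):
    """Second reading: a holder can pass a capability only to a subject
    it already holds a capability to.

    Iterates to a fixed point; the result is the upper bound on what each
    subject can end up holding when every recipient accepts.
    """
    reach = {subject: set(targets) for subject, targets in caps.items()}
    changed = True
    while changed:
        changed = False
        for giver in reach:
            for recipient in list(reach[giver]):
                if recipient not in reach:
                    continue  # capability to a passive object, nothing to send to
                before = len(reach[recipient])
                reach[recipient] |= reach[giver]
                changed |= len(reach[recipient]) != before
    return reach


# Constructed sample graphs (not from the thread's sources).
# SEPARATE: Alice holds Carol but has no capability to Bob.
SEPARATE = {"Alice": {"Carol"}, "Bob": set(), "Carol": set()}
# CONNECTED: the same, except Alice also holds a capability to Bob.
CONNECTED = {"Alice": {"Carol", "Bob"}, "Bob": set(), "Carol": set()}

if __name__ == "__main__":
    for name, graph in (("SEPARATE", SEPARATE), ("CONNECTED", CONNECTED)):
        print(name,
              "anyone:", "Carol" in closure_anyone(graph)["Bob"],
              "held-caps:", "Carol" in closure_held(graph)["Bob"])
```

Under the second reading, whether Bob can ever obtain Carol depends only on the initial capability graph, which is why confinement can be checked there and not under the first reading.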