[cap-talk] Boebert's quote, Boebert attack on DVH, conspiring communicators
Karp, Alan H
alan.karp at hp.com
Thu Jul 20 18:26:41 EDT 2006
Jed wrote:
>
> In terms of DVH, consider:
>
> "low_object" is a c-list (later called a directory I believe, but no
> matter. It's an object that can store capabilities. It has insert or
> write and fetch operations). A RW_low_object capability allows both
> insert/write and fetch operations to the c-list. In Dennis and VanHorn,
> as in any capability-as-descriptor system (e.g. KeyKos, EROS, RATS, E,
> etc.), one can store capabilities in some such c-list or directory
> object.
>
My understanding of c-list systems is somewhat different. At least the
one I built worked differently. As I understand it, the c-list is a
data structure held by the kernel on behalf of a process. Capabilities
can't be forged because the process has no way of saying to the kernel
"Here is a capability. Insert it into my c-list." If the c-list lived
in the process address space, other means would be needed to prevent
forging of capabilities.
A message carrying a capability sent to another process results in the
capability from the c-list of the sending process being inserted into
the c-list of the receiving process. The sending process designates
what capability to send by specifying an index into its c-list. The
recipient is told what index in its c-list contains the received
capability. At no time does any process outside the kernel have access
to the capability. The Bell-LaPadula model is supported by not
transferring write capabilities from Low to High or read capabilities
from High to Low. (We did this somewhat differently in Client Utility,
but the effect was the same.)
Perhaps Boebert would call this a modified capability system. However,
I don't believe that's what he's describing. He's quite explicit that
Low writes some data that High reads and can use as a capability. The
key sentence is "The program places RW_low_object in low_object." In a
c-list system, the Low process only gets an index into its c-list for
RW_low_object. Hence, all it can put into low_object is that index.
That index is useless to High.
(snip)
>
> There is nothing relating to capabilities as data in the above.
> As far as I understand this attack succeeds or fails exactly the
> same in capabilities as data and capabilities as descriptor systems.
>
There is indeed: the fact that a process is allowed to read an entry in
the c-list as data and put it into some object. There is, in the fact
that some other process can read that data from the object and turn it
into a capability.
>
> As I argue above it does not. It merely assumes that
> the rules for reading and writing capabilities follows
> along the lines of the rules for reading and writing data.
> Namely that capabilities also have classifications and that
> they are similarly constrained by the policies of no write
> down and no read up.
>
I believe that's irrelevant to Boebert's argument. He is clearly
talking about copying data from a c-list to some data structure that can
be read from another process and later inserted into that process's
c-list.
_________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
https://ecardfile.com/id/Alan_Karp
http://www.hpl.hp.com/personal/Alan_Karp/
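Added example (not from the post above, and not code from any of the systems it names): a toy Python model of the kernel-held c-list the message describes. The process names Low and High, the object low_object and the capability RW_low_object follow the message; the Kernel class, its method names, the integer-index encoding and the level check in send() are assumptions made for this illustration. It replays the step "The program places RW_low_object in low_object" and shows that the only thing Low can place there is its own c-list index, which gives High no authority.

```python
# Added example: a toy model of a kernel-held c-list capability system.
# Nothing here is a real OS API; the Kernel class, its method names and
# the level-based transfer check are assumptions made for this illustration.

LOW, HIGH = "Low", "High"
LEVEL_RANK = {LOW: 0, HIGH: 1}


class Obj:
    """An object that stores data.  low_object in the message is one of these."""
    def __init__(self, name, level):
        self.name = name
        self.level = level
        self.data = []


class Cap:
    """A capability: a reference to an object plus the rights it confers.
    Instances live only inside the kernel; processes never see them."""
    def __init__(self, obj, read, write):
        self.obj, self.read, self.write = obj, read, write


class Kernel:
    def __init__(self):
        self.clists = {}   # pid -> list of Cap (the process's c-list)
        self.levels = {}   # pid -> Low / High

    def create_process(self, pid, level):
        self.clists[pid] = []
        self.levels[pid] = level

    def grant(self, pid, cap):
        """Kernel-internal: install a capability and return its index.
        There is deliberately no syscall that lets a process supply a Cap."""
        self.clists[pid].append(cap)
        return len(self.clists[pid]) - 1

    def _lookup(self, pid, index):
        """Resolve an index into the caller's own c-list, and nothing else."""
        clist = self.clists[pid]
        if not isinstance(index, int) or not 0 <= index < len(clist):
            raise PermissionError(f"{pid}: nothing at c-list index {index!r}")
        return clist[index]

    def write(self, pid, index, value):
        cap = self._lookup(pid, index)
        if not cap.write:
            raise PermissionError(f"{pid}: index {index} is not a write capability")
        cap.obj.data.append(value)

    def read(self, pid, index):
        cap = self._lookup(pid, index)
        if not cap.read:
            raise PermissionError(f"{pid}: index {index} is not a read capability")
        return list(cap.obj.data)

    def send(self, sender, index, receiver):
        """Transfer a capability in a message.  The sender names it by index;
        the kernel copies it into the receiver's c-list and returns the
        receiver's index.  Write capabilities may not flow Low -> High and
        read capabilities may not flow High -> Low (the message's BLP rule)."""
        cap = self._lookup(sender, index)
        s, r = LEVEL_RANK[self.levels[sender]], LEVEL_RANK[self.levels[receiver]]
        if cap.write and s < r:
            raise PermissionError("write capability would flow up")
        if cap.read and s > r:
            raise PermissionError("read capability would flow down")
        return self.grant(receiver, cap)


def boebert_step():
    """Replay 'The program places RW_low_object in low_object' on this model."""
    k = Kernel()
    k.create_process("low", LOW)
    k.create_process("high", HIGH)
    low_object = Obj("low_object", LOW)
    ro_idx = k.grant("low", Cap(low_object, read=True, write=False))
    rw_idx = k.grant("low", Cap(low_object, read=True, write=True))  # RW_low_object
    # High may legitimately read down: Low passes it the read-only capability.
    high_ro = k.send("low", ro_idx, "high")
    # All Low can "place in low_object" is the integer it holds for RW_low_object.
    k.write("low", rw_idx, rw_idx)
    leaked = k.read("high", high_ro)[0]
    # High tries to use the leaked value as if it were a capability.
    try:
        k.write("high", leaked, "written by High")
        gained_write = True
    except PermissionError:
        gained_write = False
    return {
        "leaked_value": leaked,
        "high_clist_size": len(k.clists["high"]),
        "high_gained_write": gained_write,
        "low_object_data": list(low_object.data),
    }


def write_cap_up_refused():
    """The only path that moves RW_low_object to High is send(), and the
    kernel's level check refuses it."""
    k = Kernel()
    k.create_process("low", LOW)
    k.create_process("high", HIGH)
    rw_idx = k.grant("low", Cap(Obj("low_object", LOW), read=True, write=True))
    try:
        k.send("low", rw_idx, "high")
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    print(boebert_step())
    print("send of RW_low_object to High refused:", write_cap_up_refused())
```

The point of the model is what is missing from it: the only entry points a process has are create_process, read, write and send, each taking an index into the caller's own c-list. grant() is kernel-internal, so there is no way to say "here is a capability, insert it into my c-list", and the integer High reads back out of low_object is looked up in High's own c-list, where it names nothing.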