[cap-talk] Boebert's quote, Boebert attack on DVH, conspiring communicators

Jed at Webstart donnelley1 at webstart.com
Thu Jul 20 20:54:24 EDT 2006


At 03:43 PM 7/20/2006, Ka-Ping Yee wrote:
>...So it comes down to whether the system considers mere possession of the
>bits of the capability is sufficient to wield the capability.

I'm afraid I don't understand what the "it" is that comes down to whether
the mere possession of the bits of a capability is sufficient to wield the
capability.

Consider, for example, the mechanism in:

http://www.webstart.com/jed/papers/Managing-Domains/#s13

In that mechanism every process is assumed to possess a private
key and all processes are assumed to be able to access the public
keys of the others.  In that scheme capabilities are bits that are
transformed whenever they move from an internal form into a
form for communication to another process.  In the internal form
they are only usable with access to the private key of the process
they are in.  When in a buffer they are only usable by the process
they are being sent to.  Interestingly, in that mechanism, in the
memory of the server process they show up in clear text, which
is available to any other process (though doesn't constitute a
permission in that form).

Such a mechanism protects capabilities from theft (e.g. from
a dump of a process).  However, I don't see what effect such a
mechanism or even simpler password capabilities (e.g. YURLs)
has on the Boebert attack (as I describe in my other messages).

There are very few steps in the Boebert attack.  As I've suggested,
all of them can happen in a DVH style, pure descriptor based
capability system.  It's something else that causes the problem.
I've described what I believe it is (communication between levels,
however provided).

--Jed http://www.webstart.com/jed/ 