[cap-talk] Communicating conspirators, MLS, and the Boebert attack

Jed at Webstart donnelley1 at webstart.com
Thu Jul 20 20:53:43 EDT 2006


At 05:12 PM 7/20/2006, Karp, Alan H wrote:
>Jed wrote:
> >
> > But then how does communication happen between the levels?
> > Can you point to a system where that works?
>
>NetTop with the sailor manually declassifying data by copying it from
>the High machine to the Low one.

Ha! That seems to be what it always comes down to, doesn't it?

>...
>There is a way to insert a capability into a c-list, but it isn't
>"Insert these bits as a capability."
>...

>While there are systems that let processes have explicit capabilities to
>the c-list (CU was one of them, but that's where our other mechanism
>came in), I don't believe that's necessary.  Simply send the capability
>in a message to the process.  Processes never explicitly refer to
>c-lists.

>If DVH did have such capabilities, then Boebert's analysis is correct.
>Low writes a capability to a c-list that High can read.  I didn't think
>that was the case.  If it is, then I misunderstood DVH, Boebert's
>analysis does apply, and this whole discussion has been a waste of time.
>My Bad.

DVH could store capabilities in c-lists and also store them
and fetch them from what the paper referred to as "directories":

"a directory consists of a collection of capabilities"

(from DVH pg. 151, just above "Directories and Naming").
Such directories showed up in the PDP-1 system and
in RATS.  One could store capabilities into them and
fetch capabilities from them.

It's kind of difficult for me to imagine a capability system
without some such facility.  Do I understand you to be
arguing, Alan, that it's such a facility that gives rise to
the applicability of the Boebert attack?  Do you imagine
some sort of more pure capability system in which there
is no means (perhaps other than direct messages??) for
storing capabilities?  I don't think even that makes any
difference for Boebert, but I'd be interested to learn of
such systems.

--Jed http://www.webstart.com/jed/ 
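
The scenario quoted above ("Low writes a capability to a c-list that High can read"), as a toy Python model with a DVH-style directory; this is an added example, not part of the original message or of any system named in it. All class and function names are hypothetical, and it assumes the stored capability is a write capability to a Low object, with the multilevel policy checked only when a capability is issued.

```python
# Constructed toy model; all names here are hypothetical, not DVH's design.
from dataclasses import dataclass

LOW, HIGH = 0, 1

class Obj:
    """A segment (holds data) or a directory (holds capabilities)."""
    def __init__(self, level):
        self.level, self.data, self.slots = level, [], {}

@dataclass(frozen=True)
class Cap:
    target: Obj
    right: str  # "read" or "write"

def grant(subject_level, obj, right):
    """Issue a capability only if MLS allows it: no read up, no write down."""
    if right == "read" and obj.level > subject_level:
        raise PermissionError("read up")
    if right == "write" and obj.level < subject_level:
        raise PermissionError("write down")
    return Cap(obj, right)

def store(dir_cap, name, cap):
    """Store a capability into a directory; needs write on the directory."""
    if dir_cap.right != "write":
        raise PermissionError("directory not writable")
    dir_cap.target.slots[name] = cap

def fetch(dir_cap, name):
    """Fetch a capability from a directory; needs read on the directory."""
    if dir_cap.right != "read":
        raise PermissionError("directory not readable")
    return dir_cap.target.slots[name]

def write(seg_cap, value):
    """Append to a segment; needs write on the segment, level is not rechecked."""
    if seg_cap.right != "write":
        raise PermissionError("segment not writable")
    seg_cap.target.data.append(value)

def scenario():
    low_seg, low_dir = Obj(LOW), Obj(LOW)
    # Every grant below passes the MLS check on its own.
    low_seg_w = grant(LOW, low_seg, "write")
    low_dir_w = grant(LOW, low_dir, "write")
    high_dir_r = grant(HIGH, low_dir, "read")   # reading down is allowed
    store(low_dir_w, "drop", low_seg_w)         # Low writes a capability...
    leaked = fetch(high_dir_r, "drop")          # ...that High can read
    write(leaked, "high data")                  # High now holds a write-down path
    return low_seg.data
```

The same request made directly, `grant(HIGH, Obj(LOW), "write")`, is refused; the write-down path exists only because the capability travelled through the shared directory.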