[cap-talk] MLS, Beobert attack on capabilities
david.nospam.hopwood at blueyonder.co.uk
Thu Jul 20 22:31:25 EDT 2006
Jed at Webstart wrote:
> At 02:23 PM 7/20/2006, Eric Jacobs wrote:
>>...I agree that the "capabilities-as-data" and "capabilities-as-bits"
>>metaphors are misleading here. All capabilities are representable as
>>binary data in form of bits (at least, to the extent that our discussion
>>is limited to digital computing systems.)
>>The key issue is not whether the capabilities are data but whether the
>>representation of those capabilities occurs in a local or global
>>namespace. If Alice's representation...
> Let me try to cut to the quick on this. Translation between
> the two above is easy.
> Suppose I have a capabilities as descriptor system - e.g. DVH.
> I then make a capabilities as passwords (Swiss number) proxy
> for such capabilities. I don't want to do the gory details, but
> basically you pass in a capability as a descriptor and it sends
> you back a password capability that you can send around.
> Anybody with the password capability can invoke it through
> the proxy which has a widely distributed descriptor type
> capability available (haven't we been here before?).
> I argue that you can start with a DVH type system, even
> with any sort of oracle controlled MLS policy enforcement,
> and anybody can construct such a proxy server.
In the solution described in the Capability Myths paper, no single
proxy server would be available to both low and high levels. It
doesn't matter if each level is able to construct an independent
one, since they won't accept each other's passwords.
[Arrgh, why are we even discussing this? No-one wants MLS.]
David Hopwood <david.nospam.hopwood at blueyonder.co.uk>
More information about the cap-talk