[cap-talk] Boebert attacks, capability review

Jed at Webstart donnelley1 at webstart.com
Mon Jul 24 13:52:56 EDT 2006


At 09:35 AM 7/24/2006, Karp, Alan H wrote:
>Jed wrote:
> >
> > Having a rich capability sharing infrastructure was important to DVH
> > and I think should be for any capability implementation.  I hope this
> > discovery doesn't make you think less of DVH - but perhaps rather
> > to think less of MLS - which I believe has very limited value.
>
>I agree on the limited value of MLS.  I was only commenting on Boebert's
>explanation for why his attack succeeds.

By that I assume you mean:

"The attack is made possible by an inherent attribute of pure capability
systems:  the right to exercise access carries with it the right to
propagate that access."

I see the above as nothing more than what we all know about
conspiring communicators.  Unsaid in the above at the end is
"to those who can be communicated to".

I think some of the criticisms Boebert made in:

http://www.eros-os.org/pipermail/cap-talk/2003-March/001133.html

are right on.  The paper, "On Access Checking in Capability-Based Systems":

http://www.webstart.com/papers/On_Access_Checking_in_Capability-Based_Systems.pdf

is a much more appropriate one to reference and to consider when
discussing the limitations of capability systems for access control.
As I mentioned in my private email to you, I think it's time to do a
thorough review of just what's possible with capability systems as
compared to just what's possible.  Using a taxonomy like they
develop in the above paper seems to me a useful start.

As I also mentioned, I consider any sort of capability (or indeed other)
access control mechanism that can't be used at the network level
pretty useless (network discipline).  Therefore I'd like to consider
something like the taxonomy in the above paper in the light of which
base facilities for building capability access control are available at
the network level and what the implications are for local (shared memory)
vs. network capability communication mechanisms.  In doing so I'd
like to make clear any functional distinctions between capabilities as
data (which are necessary on a network, though not capabilities
as passwords) vs. capabilities as descriptors.  I actually don't know of
any such distinctions, but if they're there I'd like to find and characterize
them.  Much as it pains me, I think I also need to spend a bit more time
yet considering and writing about MLS mechanisms in the context of
capability communication systems.  It might even be helpful to use a
taxonomy like that in the above paper to crank down on what is meant
by the phrase "object capabilities".

I'm certainly open to help if anybody is interested in reconsidering
capability communication broadly - specifically in the context of the
taxonomy in the above paper and with particular regard to what's
possible and not possible on networks.

> > Incidentally, was ABAC 3 (Tyler's) the last in the series or is there
> > another to look forward to (I did look back in the archive, but didn't
> > find an outline if one is there)?  Any sort of summary or interaction?
> > Just curious.
>
>Marc Stiegler is speaking this Wednesday, but I don't believe there is
>any plan for a summary talk.

Do you know what the theme of Marc Stiegler's talk will be?

--Jed http://www.webstart.com/jed/ 
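As an added illustration of the point quoted from Boebert above (holding a capability lets you pass it to anyone you can communicate with) and of Jed's question about capabilities as data vs. capabilities as descriptors, here is a small Python model. It is example code written for this page, not code from the thread, from DVH, or from the cited paper; the Subject, Resource and registry names, the three-party scenario, and the 128-bit random token used for the data-style capability are all assumptions. It runs the same scenario in both styles and shows that propagation behaves identically: a holder can forward the capability over an existing channel, and a subject with no channel to any holder cannot obtain it.

```python
"""Toy model of capability propagation in a pure capability system.

Constructed example, not code from the cap-talk thread. A capability is
either a "descriptor" (an unforgeable in-process object reference) or
"data" (an unguessable random token that a server maps to a resource,
and that can therefore cross a network). In both styles the right to
exercise the capability carries the right to propagate it, but only to
subjects the holder can communicate with.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Resource:
    name: str
    content: str


class DescriptorCap:
    """Capability as descriptor: only code holding this object reference
    can reach the resource; there is no bit pattern to copy or guess."""

    def __init__(self, resource: Resource):
        self._resource = resource

    def read(self) -> str:
        return self._resource.content


class DataCapRegistry:
    """Capability as data: a 128-bit random token (assumed scheme) that the
    server maps to a resource. Unknown tokens are simply rejected."""

    def __init__(self):
        self._table = {}

    def grant(self, resource: Resource) -> str:
        token = secrets.token_hex(16)
        self._table[token] = resource
        return token

    def read(self, token: str):
        res = self._table.get(token)
        return None if res is None else res.content


@dataclass
class Subject:
    name: str
    holdings: dict = field(default_factory=dict)   # label -> capability held
    can_talk_to: set = field(default_factory=set)  # names of reachable subjects


def propagate(sender: Subject, receiver: Subject, label: str) -> bool:
    """Forward a held capability over an existing communication channel.
    Returns False when the sender lacks the capability or has no channel
    to the receiver: with nobody to communicate to, access cannot spread."""
    if label not in sender.holdings or receiver.name not in sender.can_talk_to:
        return False
    receiver.holdings[label] = sender.holdings[label]
    return True


def exercise(subject: Subject, label: str, registry: DataCapRegistry):
    """Use a held capability; returns the resource content or None."""
    cap = subject.holdings.get(label)
    if cap is None:
        return None
    if isinstance(cap, DescriptorCap):
        return cap.read()
    return registry.read(cap)


def scenario(style: str) -> dict:
    """Run one three-party scenario with the given capability style
    ("descriptor" or "data") and report what each step yields."""
    secret = Resource("payroll", "salary table")   # constructed sample resource
    registry = DataCapRegistry()
    alice = Subject("alice", can_talk_to={"bob"})  # alice can reach bob only
    bob = Subject("bob")                            # bob can reach nobody
    carol = Subject("carol")                        # carol is isolated
    if style == "descriptor":
        alice.holdings["payroll"] = DescriptorCap(secret)
    else:
        alice.holdings["payroll"] = registry.grant(secret)
    return {
        "alice_reads": exercise(alice, "payroll", registry),
        "bob_before": exercise(bob, "payroll", registry),
        "alice_to_bob": propagate(alice, bob, "payroll"),   # channel exists
        "bob_after": exercise(bob, "payroll", registry),
        "bob_to_carol": propagate(bob, carol, "payroll"),   # no channel
        "carol": exercise(carol, "payroll", registry),
        "guessed_token": registry.read("00" * 16),          # unknown token rejected
    }


if __name__ == "__main__":
    for style in ("descriptor", "data"):
        print(style, scenario(style))
```

The two runs produce the same sequence of outcomes, which is the model's way of saying what Jed says in prose: the propagation property is about who can talk to whom, not about whether the capability is a reference or a bit string.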