[cap-talk] Boebert attacks, capability review
David Hopwood
david.nospam.hopwood at blueyonder.co.uk
Mon Jul 24 13:13:12 EDT 2006
Jed at Webstart wrote:
> At 09:35 AM 7/24/2006, Karp, Alan H wrote:
>>Jed wrote:
>>
>>>Having a rich capability sharing infrastructure was important to DVH
>>>and I think should be for any capability implementation. I hope this
>>>discovery doesn't make you think less of DVH - but perhaps rather
>>>to think less of MLS - which I believe has very limited value.
>>
>>I agree on the limited value of MLS. I was only commenting on Boebert's
>>explanation for why his attack succeeds.
>
> By that I assume you mean:
>
> "The attack is made possible by an inherent attribute of pure capability
> systems: the right to exercise access carries with it the right to
> propagate that access."
>
> I see the above as nothing more than what we all know about
> conspiring communicators. Unsaid in the above at the end is
> "to those who can be communicated to".
>
> I think some of the criticisms Boebert made in:
>
> http://www.eros-os.org/pipermail/cap-talk/2003-March/001133.html
>
> are right on. The paper, "On Access Checking in Capability-Based Systems":
>
> http://www.webstart.com/papers/On_Access_Checking_in_Capability-Based_Systems.pdf
>
> is a much more appropriate one to reference and to consider when
> discussing the limitations of capability systems for access control.
This paper is better than the Boebert paper in at least stating its
assumptions, but it's still plain wrong. "bxxaab" systems can enforce the
*-property. Indeed, most object capability systems are "bxxaab" (the 'a's
mean that access rights are not changed on copying or preparing capabilities).
For example, EROS is such a system, and it can enforce confinement; using
confinement it could also enforce the *-property, if anyone wanted that.
--
David Hopwood <david.nospam.hopwood at blueyonder.co.uk>
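To make the point about confinement concrete, here is a small object-capability model written for this archive page; it is an added example, not code from the post above or from EROS. It assumes the usual reading of Boebert's construction (a low subject leaves a write capability to a low segment where a high subject with read-down access can fetch it, and the high subject then uses it to write down) and models EROS-style "weak" capabilities as: any capability fetched through a weak capability comes back read-only and weak. The confinement check, the `Segment`/`Cap` types and the constructed "high-secret" payload are all assumptions for illustration, not the real EROS interfaces. The point it shows is that a confined high subject, admitted only with weak read-down access, still has the right to propagate what it holds, but what it holds never includes the ability to write to a low object, so the *-property holds without any per-access label check.

```python
from dataclasses import dataclass, field


@dataclass
class Segment:
    """A labelled object that can hold both data and capabilities (constructed model)."""
    label: str                                  # "high" or "low"
    data: list = field(default_factory=list)
    caps: list = field(default_factory=list)


@dataclass
class Cap:
    """Capability to a Segment. `weak` means capabilities fetched through it
    come back diminished to read-only and weak. This is an assumed model of
    EROS-style weak (sensory) capabilities, not EROS's own code."""
    target: Segment
    write: bool = False
    weak: bool = False

    def diminish(self):
        return Cap(self.target, write=False, weak=True)


def read_data(cap):
    return list(cap.target.data)


def write_data(cap, item):
    if not cap.write:
        raise PermissionError("read-only capability")
    cap.target.data.append(item)


def store_cap(cap, stored):
    if not cap.write:
        raise PermissionError("read-only capability")
    cap.target.caps.append(stored)


def fetch_cap(cap, index):
    """Read a capability out of a segment. Through a weak capability the
    fetched capability is diminished; otherwise it is returned as stored."""
    stored = cap.target.caps[index]
    return stored.diminish() if cap.weak else stored


def confined(label, caps):
    """Confinement check at construction time (assumed policy): a subject at
    `label` may hold any capability to objects at its own level, but only
    diminished (read-only, weak) capabilities to objects at other levels.
    Anything that could carry data to another level is rejected."""
    for c in caps:
        if c.target.label != label and (c.write or not c.weak):
            raise PermissionError(f"unauthorised capability to {c.target.label} segment")
    return list(caps)


def boebert_attack():
    """Unconfined high subject: plain read-down access to the low segment lets
    it fetch the write capability the low subject planted there, and the
    right to read that capability is the right to exercise it."""
    low_seg = Segment("low")
    low_write = Cap(low_seg, write=True)
    store_cap(low_write, low_write)          # low subject plants its own write cap
    high_read_low = Cap(low_seg)             # high's read-down access, not weak
    smuggled = fetch_cap(high_read_low, 0)   # comes back as a full write cap
    write_data(smuggled, "high-secret")      # *-property violated: write down
    return read_data(Cap(low_seg))


def confined_attempt():
    """Confined high subject: its read-down capability is weak, so the fetched
    capability is diminished and the write down fails."""
    low_seg, high_seg = Segment("low"), Segment("high")
    low_write = Cap(low_seg, write=True)
    store_cap(low_write, low_write)
    high_caps = confined("high", [Cap(high_seg, write=True), Cap(low_seg, weak=True)])
    smuggled = fetch_cap(high_caps[1], 0)    # diminished: read-only, weak
    try:
        write_data(smuggled, "high-secret")
    except PermissionError:
        return read_data(Cap(low_seg)), False
    return read_data(Cap(low_seg)), True


def confinement_rejects_plain_read_down():
    """The confinement check refuses a non-weak read-down capability, since
    that is exactly the capability the attack above needs."""
    low_seg, high_seg = Segment("low"), Segment("high")
    try:
        confined("high", [Cap(high_seg, write=True), Cap(low_seg)])
    except PermissionError:
        return True
    return False
```

Run `boebert_attack()` to see "high-secret" land in the low segment, and `confined_attempt()` to see the same sequence of operations leave it empty. Nothing in the confined case looks at labels on each access; the only label-aware step is the one-time check in `confined()`, which is the sense in which confinement, rather than per-access checking, is doing the work.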