[cap-talk] Boebert attacks, capability review
Mark Miller
erights at gmail.com
Mon Jul 24 18:24:05 EDT 2006
On 7/24/06, Jed at Webstart <donnelley1 at webstart.com> wrote:
> I think some of the criticisms Boebert made in:
>
> http://www.eros-os.org/pipermail/cap-talk/2003-March/001133.html
>
> are right on.
Which ones? (It would be unproductive for me to respond simply to
"some criticisms" ;).)
In light of this thread, I've reread Boebert's "On the Inability"
paper, our own CapMyths, and some relevant sections of DVH. AFAICT,
our answer to Boebert's "Inability..." in CapMyths and my thesis are
correct, and could have been implemented in DVH. Note: "Alice" in
CapMyths corresponds to "Q" in my thesis, and "Bob" corresponds to
"Bond". The two segments in the middle of Figure 10 in CapMyths have
been simplified to the data diode of my thesis. Even though I prefer
the treatment in my thesis (it's simpler and more concrete), I'll
stick to the presentation in CapMyths since that's the one Boebert and
you are responding to.
DVH had data segments, and read-only vs read-write capabilities to
data segments. This is adequate to directly implement the segment in
the middle of the lower row of Figure 10 of CapMyths: The Oracle would
give Bob a read-only capability to that segment, and give Alice a
read-write capability to the same segment. The arrows in this part of
Figure 10 can simply be DVH permissions.
DVH does not seem to have provided a write-only capability to data
segments. Therefore, the Oracle would instead provide Alice with
write-only authority to the middle segment of the upper row, by
interposing an intermediate process (serving the same purpose as the
writeDiode function in my thesis). Alice would have permission to ask
this writeDiode process to write data, and the writeDiode process,
which has read-write permission to the segment itself, would write the
data there.
Boebert's mistake was to assume that the Oracle, in order to enable
cross-level communication, would need to give out permissions to
c-lists/directories, i.e., memory units able to hold capabilities
rather than data. Boebert's attack is prevented simply by having the
Oracle only give out cross-level access to segments, which can store
only data, not capabilities. If DVH had write-only capabilities to
segments, this *all* could have been done directly, simply, using only
permissions corresponding to the arrows on Figure 10. Because of the
absence of write-only permission, it takes only one additional process
to create a write-only authority to write data into a segment.
NOTE: I make no claims here about MLS, just about Boebert's original
challenge. I also do not claim that MLS or the *-properties are
interesting or useful. But I am claiming that the technique shown in
CapMyths and my thesis answers Boebert's challenge, and that this
answer is implementable using only elements available in DVH.
If you think this claim is wrong, could you please give a *brief and
self contained* explanation of the flaw in my reasoning? Thanks.
--
Text by me above is hereby placed in the public domain
Cheers,
--MarkM
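The arrangement argued for in the message above, as an added example that is not code from the post, from DVH, or from CapMyths: data-only segments, DVH-style read-only and read-write capabilities, and an interposed writeDiode process that supplies Alice's write-only authority. Class and function names, and Bob's read-only access to the upper segment, are assumptions.

```python
# Added example, not DVH/CapMyths/thesis code; class names are assumptions.
class DataSegment:
    """Memory unit that holds only data (bytes), never capabilities."""
    def __init__(self, size):
        self._mem = bytearray(size)
    def read(self):
        return bytes(self._mem)
    def write(self, offset, data):
        # The check that defeats the attack: a capability is not data.
        if not isinstance(data, (bytes, bytearray)):
            raise TypeError("segments hold data only, not capabilities")
        self._mem[offset:offset + len(data)] = data

class ReadOnlyCap:                      # DVH read-only permission
    def __init__(self, seg):
        self._seg = seg
    def read(self):
        return self._seg.read()

class ReadWriteCap(ReadOnlyCap):        # DVH read-write permission
    def write(self, offset, data):
        self._seg.write(offset, data)

class WriteDiode:
    """Interposed process: holds read-write, exposes only write() (DVH lacks write-only)."""
    def __init__(self, rw_cap):
        self._rw = rw_cap
    def write(self, offset, data):
        self._rw.write(offset, data)

def oracle_setup():
    """Oracle hands out cross-level access to segments only, never c-lists.
    (Assumed: Bob's access to the upper segment is read-only.)"""
    lower, upper = DataSegment(16), DataSegment(16)
    alice = {"lower": ReadWriteCap(lower), "upper": WriteDiode(ReadWriteCap(upper))}
    bob = {"lower": ReadOnlyCap(lower), "upper": ReadOnlyCap(upper)}
    return alice, bob

def boebert_attempt():
    """Alice tries to pass her read-write cap up to Bob; returns (leaked, bob_reads)."""
    alice, bob = oracle_setup()
    try:
        alice["upper"].write(0, alice["lower"])   # a capability, not data
        leaked = True
    except TypeError:
        leaked = False
    alice["upper"].write(0, b"data only")
    return leaked, bob["upper"].read().rstrip(b"\0")
```

Because the segment refuses anything but bytes, the read-write capability never reaches Bob, and the WriteDiode object exposes no read() at all, so Alice cannot read the upper segment back.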