[cap-talk] The Limits of POLA's Utility - Social Engineering
david.nospam.hopwood at blueyonder.co.uk
Wed Jun 7 18:59:51 EDT 2006
Nick Szabo wrote:
> BTW, depending on the design, a crucial distinction between capability
> security as discussed by many here and traditional ACL security:
> does all vulnerability start with "root" until some designer, such as
> a system administrator, breaks it up into pieces by delegation, or does
> vulnerability not exist at all until the user creates it? At least
> some of the discussion here at least hints at the latter.
Well, capability systems still have a universal TCB per-machine.
I think there is a indeed a crucial difference in world-view, though.
At the risk of oversimplifying,
- discussions of ACL systems generally make the fundamental assumption
that users may be untrustworthy.
- discussions of capability systems generally make the fundamental
assumption that processes (instances of programs) may be untrustworthy.
Even when an ACL discussion talks about "principals" in a way that
ostensibly generalises the concept to include programs, the participants
are really still thinking about principals-as-people. Conversely, when
a capability system discussion refers to the actions of a user, the
participants are really thinking about processes-as-user-agents.
In an ACL system, the problem of protecting processes from each other is
not seriously addressed at all (since treating them like users doesn't
In a cap system, the problem of protecting users from each other is viewed
as a special case of protecting processes-as-user-agents from each other
(and this does work). In fact many cap system discussions consider only
single-user systems, with the generalization to multiple users left implicit,
if it is needed at all.
David Hopwood <david.nospam.hopwood at blueyonder.co.uk>
More information about the cap-talk