[cap-talk] The Limits of POLA's Utility - Social Engineering
David Hopwood
david.nospam.hopwood at blueyonder.co.uk
Wed Jun 7 18:59:51 EDT 2006
Nick Szabo wrote:
> BTW, depending on the design, a crucial distinction between capability
> security as discussed by many here and traditional ACL security:
> does all vulnerability start with "root" until some designer, such as
> a system administrator, breaks it up into pieces by delegation, or does
> vulnerability not exist at all until the user creates it? At least
> some of the discussion here at least hints at the latter.
Well, capability systems still have a universal TCB per-machine.
I think there is indeed a crucial difference in world-view, though.
At the risk of oversimplifying,
- discussions of ACL systems generally make the fundamental assumption
that users may be untrustworthy.
- discussions of capability systems generally make the fundamental
assumption that processes (instances of programs) may be untrustworthy.
Even when an ACL discussion talks about "principals" in a way that
ostensibly generalises the concept to include programs, the participants
are really still thinking about principals-as-people. Conversely, when
a capability system discussion refers to the actions of a user, the
participants are really thinking about processes-as-user-agents.
In an ACL system, the problem of protecting processes from each other is
not seriously addressed at all (since treating them like users doesn't
actually work).
In a cap system, the problem of protecting users from each other is viewed
as a special case of protecting processes-as-user-agents from each other
(and this does work). In fact many cap system discussions consider only
single-user systems, with the generalization to multiple users left implicit,
if it is needed at all.
--
David Hopwood <david.nospam.hopwood at blueyonder.co.uk>
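As an added illustration of the ACL-vs-capability contrast drawn in the message above (example code, not from the post or the list): a toy model in which an ACL process is identified by the user it runs as and can name any file, while a capability process holds only the references it was handed. Users, file names and contents are constructed for the example.

```python
# Added example (not from the post): a toy model of the two world-views above.
# ACL asks "which user is this process?"; caps ask only "which references was
# this process handed?". Users, file names and contents are constructed.
class AclFile:                 # ACL: the object carries the list of allowed users
    def __init__(self, content, readers):
        self.content, self.readers = content, set(readers)

class AclProcess:              # a process is just "user X" plus the whole namespace
    def __init__(self, user, fs):
        self.user, self.fs = user, fs          # fs is ambient authority
    def read(self, name):
        if self.user not in self.fs[name].readers:
            raise PermissionError(f"{self.user} may not read {name}")
        return self.fs[name].content

class ReadCap:                 # capability: the unforgeable reference is the right
    def __init__(self, content):
        self._content = content
    def read(self):
        return self._content

class CapProcess:              # a process has no identity; its reach is the caps held
    def __init__(self, caps):
        self.caps = dict(caps)                 # name -> ReadCap
    def read(self, name):
        if name not in self.caps:
            raise PermissionError(f"no capability for {name}")
        return self.caps[name].read()

def reach(proc, names):        # sorted subset of names that proc can actually read
    got = []
    for n in names:
        try:
            proc.read(n)
            got.append(n)
        except PermissionError:
            pass
    return sorted(got)

def compare():
    names = ["alice_diary", "alice_todo", "bob_notes"]
    fs = {"alice_diary": AclFile("dear diary", {"alice"}),
          "alice_todo": AclFile("buy milk", {"alice"}),
          "bob_notes": AclFile("bob's notes", {"bob"})}
    # ACL: Alice's to-do app *is* alice, so a bug in it exposes her diary too.
    acl = reach(AclProcess("alice", fs), names)
    # Caps: the same app was handed only the to-do list, and Bob's app nothing
    # of Alice's; protecting users from each other is the same rule at work.
    todo_app = CapProcess({"alice_todo": ReadCap("buy milk")})
    bobs_app = CapProcess({"bob_notes": ReadCap("bob's notes")})
    return {"acl": acl, "cap_alice_app": reach(todo_app, names),
            "cap_bob_app": reach(bobs_app, names)}
```

Under the ACL model only the user-vs-user boundary (Bob's notes) holds against Alice's buggy process; under the capability model the process reaches exactly what it was given, and user isolation needs no separate mechanism.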