[cap-talk] A question on capabilities

David Wagner daw at cs.berkeley.edu
Mon Jun 12 00:22:36 EDT 2006


I gave a talk at PLAS06 yesterday on object capabilities and
language-based capability systems.  My slides, if anyone is interested,
are here:
  http://www.cs.berkeley.edu/~daw/talks/PLAS06.ps

I got one question afterwards that I didn't have a great answer to,
and I'm curious what others' responses might be.  The question: Suppose
Alice has a powerful capability, and Alice and Bob have a communication
channel over which they can talk to each other.  Ok, granted, we can't
prevent Alice from sharing her authority with Bob, if she really wants
to, since she can always proxy for Bob.  But what about the risk of Alice
unintentionally leaking her capability to Bob?  Do capability systems have
a good story about how to deal with that?  (And yes, we recognize that
if Alice and Bob are completely isolated from each other, then that's
one case where capability systems have a good story, but that case is
too restrictive, and the questioner was really asking whether there are
any other cases where capability systems can help out with this risk).

I think the questioner was also trying to understand whether there might
be cases where it would be useful for a system administrator to be able
to restrict the transfer of capabilities from Alice to Bob somehow to
prevent some sort of unintentional leakage.  I think the questioner may
have come from a mandatory access control background, where one of the
often-stated motivations for MAC is that the sysadmin ought to be able
to prevent Alice from leaking her stuff to Bob.

Does anyone have reactions to that sort of question?  I'm curious to
hear what others think about the topic.


P.S. If others are interested in what other questions I got, here are
some of them:
- Can capability systems help protect confidentiality and enforce
information flow policies?  (My view: No, capabilities don't give you much
leverage there.  To the extent that you can use access control to prevent
Alice from getting access to the secret in the first place, capabilities can
help you get that access control right, but once Alice knows the secret,
it's very hard to prevent her from leaking it -- and capabilities don't
really help much with the latter problem.)
- Can capability systems be used in a distributed environment, for
instance to help secure mobile agents?
- Can you mix capability-style code with non-capability style code?
For instance, can you mix some new code written in the capability way
with old legacy code not written in the capability way?  (My view: You
can, and you can get some partial benefits, but to be honest, there are
some real limitations on how much this can help you, and the boundary
between the capability and non-capability world is often a source of
both frustration, because of the impedance mismatch, and security holes.
Capability style programming has a tendency to pervade the system,
in that you have to change the entire system from the ground up if you
really want to do things the capability way, which does make it harder
to adopt capabilities incrementally.)
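As an added illustration of the leakage question above (example code written for this page, not from the original post or from any system it describes): Alice's capability is a closure, the Alice-Bob channel only carries plain data so the reference cannot cross it by accident, and a revocable forwarder (the classic "caretaker" pattern) lets Alice proxy for Bob deliberately while keeping the ability to withdraw the grant. The channel, the caretaker and the "payroll data" secret are all constructed for this example.

```python
from typing import Any, Callable

def make_file_cap(contents: str) -> Callable[[], str]:
    return lambda: contents  # Alice's powerful capability: the only handle on contents

class DataOnlyChannel:
    """Alice<->Bob channel carrying plain data only; object references are rejected."""
    PLAIN = (str, int, float, bool, bytes, type(None))
    def send(self, msg: Any) -> Any:
        if not self.is_data(msg):
            raise TypeError("refusing non-data value: possible capability leak")
        return msg  # delivered to Bob (simulated)
    @classmethod
    def is_data(cls, v: Any) -> bool:
        if isinstance(v, cls.PLAIN):
            return True
        if isinstance(v, (list, tuple)):
            return all(cls.is_data(x) for x in v)
        if isinstance(v, dict):
            return all(isinstance(k, str) and cls.is_data(x) for k, x in v.items())
        return False  # closures, objects, bound methods: not data, do not cross

def make_caretaker(cap: Callable[[], str]):
    """Revocable forwarder: Alice proxies for Bob through this, not `cap` itself."""
    target = [cap]
    def proxy() -> str:
        if target[0] is None:
            raise PermissionError("capability revoked")
        return target[0]()
    def revoke() -> None:
        target[0] = None
    return proxy, revoke

def demo():
    alice_cap = make_file_cap("payroll data")  # constructed sample secret
    chan = DataOnlyChannel()
    try:
        chan.send(alice_cap)                   # the accidental leak the question worries about
        leaked = True
    except TypeError:
        leaked = False                         # refused; Bob never obtains the handle
    proxy, revoke = make_caretaker(alice_cap)  # deliberate grant: Alice proxies for Bob
    first = proxy()                            # Bob can use it while the grant stands
    revoke()                                   # Alice withdraws the grant
    try:
        proxy()
        second = "still works"
    except PermissionError:
        second = "revoked"
    return leaked, first, second
```

The data-only boundary addresses the unintentional case; the caretaker addresses the deliberate case the post says cannot be prevented outright, by making the grant attenuable and revocable rather than permanent.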

