[cap-talk] A question on capabilities

Ben Laurie benl at google.com
Mon Jun 12 04:58:44 EDT 2006


On 6/12/06, David Wagner <daw at cs.berkeley.edu> wrote:
> I gave a talk at PLAS06 yesterday on object capabilities and
> language-based capability systems.  My slides, if anyone is interested,
> are here:
>   http://www.cs.berkeley.edu/~daw/talks/PLAS06.ps
>
> I got one question afterwards that I didn't have a great answer to,
> and I'm curious what others' response might be.  The question: Suppose
> Alice has a powerful capability, and Alice and Bob have a communication
> channel over which they can talk to each other.  Ok, granted, we can't
> prevent Alice from sharing her authority with Bob, if she really wants
> to, since she can always proxy for Bob.  But what about the risk of Alice
> unintentionally leaking her capability to Bob?  Do capability systems have
> a good story about how to deal with that?  (And yes, we recognize that
> if Alice and Bob are completely isolated from each other, then that's
> one case where capability systems have a good story, but that case is
> too restrictive, and the questioner was really asking whether there are
> any other cases where capability systems can help out with this risk).

Isn't this exactly what e-speak was all about? In this case, the
capability would be linked to Alice, so she'd have to prove ownership
of her private key in order to exercise it. Of course, Alice could
leak her private key, too, though that seems less likely since you
never have to send it over the wire.

>
> I think the questioner was also trying to understand whether there might
> be cases where it would be useful for a system administrator to be able
> to restrict the transfer of capabilities from Alice to Bob somehow to
> prevent some sort of unintentional leakage.  I think the questioner may
> have come from a mandatory access control background, where one of the
> often-stated motivations for MAC is that the sysadmin ought to be able
> to prevent Alice from leaking her stuff to Bob.
>
> Does anyone have reactions to that sort of question?  I'm curious to
> hear what others think about the topic.
>
>
> P.S. If others are interested in what other questions I got, here are
> some of them:
> - Can capability systems help protect confidentiality and enforce
> information flow policies?  (My view: No, capabilities don't give you much
> leverage there.  To the extent that you can use access control to prevent
> Alice from getting access to the secret in the first place, capabilities can
> help you get that access control right, but once Alice knows the secret,
> it's very hard to prevent her from leaking it -- and capabilities don't
> really help much with the latter problem.)
> - Can capability systems be used in a distributed environment, for
> instance to help secure mobile agents?
> - Can you mix capability-style code with non-capability style code?
> For instance, can you mix some new code written in the capability way
> with old legacy code not written in the capability way?  (My view: You
> can, and you can get some partial benefits, but to be honest, there are
> some real limitations on how much this can help you, and the boundary
> between the capability and non-capability world is often a source of
> both frustration, because of the impedance mismatch, and security holes.
> Capability style programming has a tendency to pervade the system,
> in that you have to change the entire system from the ground up if you
> really want to do things the capability way, which does make it harder
> to adopt capabilities incrementally.)
> _______________________________________________
> cap-talk mailing list
> cap-talk at mail.eros-os.org
> http://www.eros-os.org/mailman/listinfo/cap-talk
>
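The holder-bound scheme Ben describes (a capability that can only be exercised by proving possession of the holder's private key) is easy to sketch. The following is an added example, not e-speak's actual protocol and not code from either poster: it uses Ed25519 from the Go standard library, and the names `Capability`, `Issue`, `Invoke`, `Verify` and `Scenario` are made up for this illustration. It plays out the three cases raised in the thread: Alice invoking her own capability, Bob presenting a copy of the token that leaked over the channel, and Alice deliberately proxying for Bob by signing the server's challenge on his behalf.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Capability names a resource and the public key of the principal allowed
// to use it. The issuer's signature covers both, so neither can be edited.
// Illustrative token layout (constructed here), not the e-speak format.
type Capability struct {
	Resource  string
	HolderPub ed25519.PublicKey
	IssuerSig []byte
}

func (c Capability) signedBytes() []byte {
	return append([]byte(c.Resource+"|"), c.HolderPub...)
}

// Issue binds a capability to a holder's public key. The holder's private
// key never travels anywhere: only the public half is embedded.
func Issue(issuerPriv ed25519.PrivateKey, resource string, holderPub ed25519.PublicKey) Capability {
	c := Capability{Resource: resource, HolderPub: holderPub}
	c.IssuerSig = ed25519.Sign(issuerPriv, c.signedBytes())
	return c
}

// Invocation carries the token plus a proof of possession: a signature over
// a fresh server-chosen challenge, made with the key bound in the token.
type Invocation struct {
	Cap       Capability
	Challenge []byte
	Proof     []byte
}

func proofBytes(resource string, challenge []byte) []byte {
	return append([]byte(resource+"|"), challenge...)
}

// Invoke builds an invocation with the caller's private key. A caller who
// merely copied the token but lacks the bound key produces a bad proof.
func Invoke(c Capability, challenge []byte, callerPriv ed25519.PrivateKey) Invocation {
	return Invocation{Cap: c, Challenge: challenge,
		Proof: ed25519.Sign(callerPriv, proofBytes(c.Resource, challenge))}
}

// Verify is the resource server's check: trusted issuer, fresh challenge,
// and a proof under the holder key the issuer bound into the token.
func Verify(issuerPub ed25519.PublicKey, expectedChallenge []byte, inv Invocation) error {
	if !ed25519.Verify(issuerPub, inv.Cap.signedBytes(), inv.Cap.IssuerSig) {
		return errors.New("capability not signed by trusted issuer")
	}
	if !bytes.Equal(inv.Challenge, expectedChallenge) {
		return errors.New("stale or replayed challenge")
	}
	if !ed25519.Verify(inv.Cap.HolderPub, proofBytes(inv.Cap.Resource, inv.Challenge), inv.Proof) {
		return errors.New("caller does not hold the key this capability is bound to")
	}
	return nil
}

// NewChallenge returns a random per-request nonce so proofs cannot be replayed.
func NewChallenge() []byte {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// Scenario plays out the three cases from the thread and reports which
// invocations the server accepts.
func Scenario() (aliceOK, bobCopyOK, proxiedOK bool) {
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(rand.Reader)
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	_, bobPriv, _ := ed25519.GenerateKey(rand.Reader)

	capAlice := Issue(issuerPriv, "/secret-db", alicePub) // constructed resource name

	// 1. Alice exercises her own capability.
	ch := NewChallenge()
	aliceOK = Verify(issuerPub, ch, Invoke(capAlice, ch, alicePriv)) == nil

	// 2. The token leaked to Bob over their channel; he has only his own key.
	ch = NewChallenge()
	bobCopyOK = Verify(issuerPub, ch, Invoke(capAlice, ch, bobPriv)) == nil

	// 3. Alice proxies on purpose: Bob forwards the challenge, Alice signs it.
	//    The server cannot distinguish this from case 1.
	ch = NewChallenge()
	proxiedOK = Verify(issuerPub, ch, Invoke(capAlice, ch, alicePriv)) == nil
	return
}

func main() {
	a, b, p := Scenario()
	fmt.Printf("alice=%v bobWithCopiedToken=%v aliceProxyingForBob=%v\n", a, b, p)
}
```

The point of the example matches Ben's reply: an accidental copy of the token (case 2) confers nothing, because the proof requires the private key that never crosses the wire, while deliberate proxying (case 3) remains possible and indistinguishable from legitimate use. Binding to a key therefore addresses unintentional leakage, not the collusion case the questioner already conceded.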
