[cap-talk] A question on capabilities

Tyler Close tyler.close at gmail.com
Mon Jun 12 10:05:56 EDT 2006


On 6/11/06, David Wagner <daw at cs.berkeley.edu> wrote:
> I got one question afterwards that I didn't have a great answer to,
> and I'm curious what others' response might be.  The question: Suppose
> Alice has a powerful capability, and Alice and Bob have a communication
> channel over which they can talk to each other.  Ok, granted, we can't
> prevent Alice from sharing her authority with Bob, if she really wants
> to, since she can always proxy for Bob.  But what about the risk of Alice
> unintentionally leaking her capability to Bob?  Do capability systems have
> a good story about how to deal with that?

Are Alice and Bob computational objects or humans?

If computational objects, I think good capability-based design dictates
that the more powerful the capability, the more closely held it should
be. Following this rule means that it should be possible to review the
code to know exactly how the powerful capability may be used. I think
it is bad design to pass a powerful capability around willy-nilly
inside a program such that it may be accidentally leaked. If the
application requires that designation of the powerful capability be
sent along a long and complicated delegation chain, then a
sealer/unsealer pair should be used. The unsealer is closely held and
the box containing the powerful capability is sent along the long
delegation chain.

If humans, this is simply a question of GUI design. Design the GUI
such that it is clear when a powerful capability is being delegated.
YMMV if you have limited control over the GUI. In this case, you can
interpose a proxy between the GUI and the rest of the world. The proxy
holds onto the actual capabilities and only exercises them in response
to well-understood commands from the GUI. The proxy only accepts
commands from the GUI process, so any proxy capabilities that leak out
of the GUI to an attacker cannot be used to send a command through the
proxy.

Tyler

-- 
The web-calculus is the union of REST and capability-based security:
http://www.waterken.com/dev/Web/

Name your trusted sites to distinguish them from phishing sites.
https://addons.mozilla.org/extensions/moreinfo.php?id=957
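
The two patterns in the reply above, as an added example that is not code from the post or from any capability system it mentions. It builds a sealer/unsealer pair from a closure over a WeakMap (a common object-capability idiom), passes a sealed "delete" capability through a delegation chain that includes a snooping hop, and then puts a command proxy between a GUI and that capability. The names (makeSealerUnsealerPair, makeDeleteCapability, makeCommandProxy, relay) and the scenarios are this example's own; in particular, "the proxy only accepts commands from the GUI process" is modelled here by having the GUI hold a sealer and the proxy the matching unsealer, which is an assumption standing in for whatever process isolation a real system would use.

```javascript
// Added example, not code from the cap-talk post. Names and scenarios are
// assumptions of this example; process isolation between GUI and proxy is
// modelled by a sealer held only by the GUI.

// A sealer/unsealer pair backed by a WeakMap. A box is an empty frozen
// object with no observable content: the only way to recover the payload
// is to call the matching unseal.
function makeSealerUnsealerPair() {
  const contents = new WeakMap();
  function seal(payload) {
    const box = Object.freeze({}); // opaque, immutable token
    contents.set(box, payload);
    return box;
  }
  function unseal(box) {
    if (!contents.has(box)) throw new Error("box was not sealed by this pair");
    return contents.get(box);
  }
  return Object.freeze({ seal, unseal });
}

// The "powerful capability": a function that deletes files. Deletion is
// simulated by appending to a log so the example runs offline.
function makeDeleteCapability() {
  const deleted = [];
  const del = Object.freeze((path) => { deleted.push(path); return true; });
  return { del, deleted };
}

// Pass a box through a chain of intermediaries. Each hop receives the box
// and returns what it forwards; a curious hop may inspect it freely.
function relay(box, hops) {
  return hops.reduce((b, hop) => hop(b), box);
}

// Scenario 1: designation travels the long delegation chain, while the
// authority stays with whoever holds the closely held unsealer.
function runDelegationScenario() {
  const { seal, unseal } = makeSealerUnsealerPair();
  const { del, deleted } = makeDeleteCapability();
  const leaked = []; // everything a snooping intermediary could extract

  const snoopingHop = (box) => {
    leaked.push(...Object.keys(box));        // no properties to read
    leaked.push(typeof box === "function");  // false: cannot be invoked
    return box;
  };
  const forwardingHop = (box) => box;

  const box = relay(seal(del), [forwardingHop, snoopingHop, forwardingHop]);
  const cap = unseal(box); // only the unsealer holder gets the capability
  cap("/etc/shadow");
  return { deleted, leaked, sameCap: cap === del };
}

// Scenario 2: a proxy holds the real capability and exercises it only for
// well-understood commands that were sealed by the GUI's sealer. Anyone who
// obtains a reference to the proxy but not the sealer gets nothing.
function makeCommandProxy(del, unsealCommand) {
  const allowed = new Set(["delete-temp"]);
  return Object.freeze({
    submit(box) {
      let cmd;
      try { cmd = unsealCommand(box); } catch (e) { return "rejected: not from GUI"; }
      if (!allowed.has(cmd.op)) return "rejected: unknown command";
      del(`/tmp/${cmd.name}`); // the proxy decides the path; the GUI only names a file
      return "ok";
    },
  });
}

function runProxyScenario() {
  const { del, deleted } = makeDeleteCapability();
  const guiChannel = makeSealerUnsealerPair(); // GUI keeps guiChannel.seal
  const proxy = makeCommandProxy(del, guiChannel.unseal);

  const fromGui = proxy.submit(guiChannel.seal({ op: "delete-temp", name: "cache.db" }));
  const guiOverreach = proxy.submit(guiChannel.seal({ op: "delete", name: "../etc/passwd" }));
  // Attacker holds the proxy reference but not the GUI's sealer.
  const attacker = makeSealerUnsealerPair();
  const forged = proxy.submit(attacker.seal({ op: "delete-temp", name: "x" }));
  const plain = proxy.submit({ op: "delete-temp", name: "x" });
  return { deleted, fromGui, guiOverreach, forged, plain };
}
```

The first scenario is the point of the sealer/unsealer advice: every hop can forward the box, none can use or inspect it, and only the code holding unseal ever touches del, so a code review need only cover that holder. The second scenario is the proxy from the GUI paragraph: the proxy never hands out del, it maps a short list of commands onto it, and a forged or unsealed command is rejected before the capability is exercised.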

