[cap-talk] A question on capabilities - charts review + comments

Karp, Alan H alan.karp at hp.com
Tue Jun 13 11:31:42 EDT 2006


Jed wrote:
> 
> R.e. the very powerful Solitaire program:  While I think that's a
> good example, I think that perhaps by itself it isn't as compelling
> as it might be.  People could think, oh, I know about not picking
> up questionable games and such.  I'm not at risk from such a threat.
> 
I've used this example, due to Marc Stiegler by the way, dozens of times
over the past year or so.  In my experience it is extremely effective.
It's not a questionable game since it comes with the OS.  Everyone
recognizes that it needs little authority.  Everyone immediately sees
that it has the power to do as much damage as any of the other programs
they guess, most commonly Internet Explorer.
> 
> Just a terminology point - if you go to so much trouble to
> clarify that "authority" is a transitive closure of <what?>,
> I think you need to describe what it's a transitive closure
> of.  I think "permission"s is the right term there, but perhaps
> others will wish to correct me.
> 
I'd say that the transitive closure of permissions is an upper bound on
authority.

The example I like to give to distinguish permission from authority is a
web server.  The ACL specifies that the web server process has
permission to read the site's home page.  There's no such rule for
someone visiting the site, yet the page is displayed.  Hence, the web
server uses its permission to grant the visitor the authority to read
the page.
> 
> I'm not sure how much to comment on your confused deputy
> discussion.  To me the compiler example is rather disconnected
> from any reality that most people (users and developers) actually
> deal with.  I'm not sure what to suggest.  At a very minor editing
> level I think where you say:
> 
I've also found that example a bit convoluted for the audiences I often
talk to.  Instead I talk about a situation in which Alice has more
authority than Bob.  Bob might ask Alice to do something that Bob
doesn't have permission to do but Alice does.  Alice might do it.  Norm
agrees that these three sentences capture the essence of the confused
deputy.  I then make the point, due to Tyler, that the only defense is
for Alice to build an ad hoc access control mechanism to decide what she
should do on behalf of Bob.

________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
https://ecardfile.com/id/Alan_Karp
http://www.hpl.hp.com/personal/Alan_Karp
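As an added illustration that is not part of Alan Karp's message: a small Python model of the permission/authority distinction (web server serving its home page to a visitor) and the three-sentence confused deputy, including the ad hoc check he says Alice must build. All principals, ACL entries and paths are constructed for the example.

```python
"""Toy model: permission (what the ACL grants directly) vs. authority (what a
principal can actually get done, possibly through a deputy). Constructed data."""

# Direct permissions per principal, as an ACL would record them (constructed).
ACL = {
    "webserver": {"read:/site/index.html", "read:/site/secrets.txt"},
    "alice": {"write:/etc/config", "write:/tmp/bob.out"},
    "bob": {"write:/tmp/bob.out"},
}

# Which deputies a principal can ask to act on its behalf (constructed).
CAN_ASK = {
    "visitor": {"webserver"},
    "bob": {"alice"},
}


def authority_upper_bound(principal):
    """Transitive closure of permissions reachable through deputies.
    As Karp says, this is only an UPPER BOUND on the principal's authority."""
    seen, frontier, bound = set(), [principal], set()
    while frontier:
        p = frontier.pop()
        if p in seen:
            continue
        seen.add(p)
        bound |= ACL.get(p, set())
        frontier.extend(CAN_ASK.get(p, ()))
    return bound


def web_server(requester, action):
    """The server uses its permission to grant visitors authority over the home
    page only, so actual authority is smaller than the upper bound."""
    return "done" if action == "read:/site/index.html" else "denied"


def confused_alice(requester, action):
    """Alice does whatever she is asked using her OWN permission: Bob gets
    authority he has no permission for. This is the confused deputy."""
    return "done" if action in ACL["alice"] else "denied"


def careful_alice(requester, action):
    """The ad hoc access control defense: Alice also checks that the
    requester itself has permission before acting on its behalf."""
    allowed = action in ACL["alice"] and action in ACL.get(requester, set())
    return "done" if allowed else "denied"
```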
  
  