[cap-talk] Capabilities in C# (revised)

Sandro Magi naasking at higherlogics.com
Thu Nov 2 21:06:00 CST 2006

Mark S. Miller wrote:
> Hi Sandro, your presentation is excellent! Good job!
> However, your choice of motivating example, especially on slide 4 "Let the 
> Conspiracy Begin", admits attack by covert timing channel. If, in tamed .net, 
> "new Thread(...)" is considered safe, then mole can use resources in such a 
> way as to create detectable scheduling variations. The tabloid can run 
> multiple threads in order to run races, to get some information about 
> variabilities in scheduling.  What variabilities are detectable will depend on 
> the implementation, but the existence of such timing channels is almost 
> inevitable within this overall framework.
> When we give talks on CapDesk we often commit the same sin: We often use 
> confidentiality as our motivating example, whereas object-capabilities (or 
> pretty much anything else) can only make air-tight claims regarding integrity 
> and action.

Thanks for the kind words. I was aware when writing this example that
the data string itself could probably be communicated via some covert
channel, and that any authority Mole may hold could probably be proxied
via such a channel; as discussed many times on this list, covert
channels seem to be currently impossible to fully protect against, so
I'm glossing over them as most do.

But hopefully we can at least agree to leave out covert channels from an
introduction to capabilities. :-)

I'm certainly interested in hearing any more appropriate examples though.
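The scheduling channel Mark describes, as an added C# example that is not part of this thread or of the slides: Mole and Tabloid share no object references at all. Mole holds only the ability to create threads (the "new Thread(...)" considered safe by the taming) and Tabloid only a Stopwatch, yet a byte string crosses between them through CPU contention. The slot length, the two-bit preamble used to calibrate the threshold, the worker count and the sample plaintext "hi" are assumptions of this example, not anything the post specifies.

```csharp
// Added example (not from the cap-talk post): a CPU-contention covert timing
// channel between two objects that share no references.
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Text;
using System.Threading;

static class CovertTimingChannel
{
    const int SlotMs = 50;                              // one bit per 50 ms slot (assumed)
    static readonly bool[] Preamble = { true, false };  // known 1,0 for receiver calibration

    static bool[] ToBits(string s)
    {
        var bits = new List<bool>(Preamble);
        foreach (byte b in Encoding.ASCII.GetBytes(s))
            for (int i = 7; i >= 0; i--) bits.Add(((b >> i) & 1) == 1);
        return bits.ToArray();
    }

    static string FromBits(bool[] bits)
    {
        var bytes = new byte[(bits.Length - Preamble.Length) / 8];
        for (int i = 0; i < bytes.Length; i++)
            for (int j = 0; j < 8; j++)
                if (bits[Preamble.Length + i * 8 + j]) bytes[i] |= (byte)(1 << (7 - j));
        return Encoding.ASCII.GetString(bytes);
    }

    // Mole: saturates every core during a '1' slot and idles during a '0' slot.
    // It never touches Tabloid; its only authority is thread creation.
    static void Mole(bool[] bits, Barrier start)
    {
        var gate = new ManualResetEventSlim(false);     // set = workers spin, reset = workers block
        var stop = new CancellationTokenSource();
        var workers = new Thread[Environment.ProcessorCount * 2]; // oversubscribe so Tabloid is preempted
        for (int i = 0; i < workers.Length; i++)
        {
            workers[i] = new Thread(() => { while (!stop.IsCancellationRequested) gate.Wait(10); });
            workers[i].Start();
        }
        start.SignalAndWait();                          // align slot 0 with Tabloid
        var sw = Stopwatch.StartNew();
        for (int s = 0; s < bits.Length; s++)
        {
            if (bits[s]) gate.Set(); else gate.Reset();
            while (sw.ElapsedMilliseconds < (s + 1) * SlotMs) Thread.Sleep(1);
        }
        stop.Cancel();
        gate.Set();                                     // release blocked workers so they can exit
        foreach (var w in workers) w.Join();
    }

    // Tabloid: counts how many loop iterations it completes per slot. Contention
    // from Mole lowers the count; the preamble (busy slot, idle slot) sets the threshold.
    static (string Text, long[] Counts) Tabloid(int slots, Barrier start)
    {
        var counts = new long[slots];
        start.SignalAndWait();
        var sw = Stopwatch.StartNew();
        for (int s = 0; s < slots; s++)
        {
            long n = 0, end = (s + 1) * SlotMs;
            while (sw.ElapsedMilliseconds < end) n++;
            counts[s] = n;
        }
        long threshold = (counts[0] + counts[1]) / 2;   // midpoint between contended and idle
        var bits = new bool[slots];
        for (int s = 0; s < slots; s++) bits[s] = counts[s] < threshold;
        return (FromBits(bits), counts);
    }

    static void Main()
    {
        const string secret = "hi";                     // constructed sample plaintext
        bool[] bits = ToBits(secret);
        var start = new Barrier(2);
        (string Text, long[] Counts) result = default;
        var mole = new Thread(() => Mole(bits, start));
        var tabloid = new Thread(() => result = Tabloid(bits.Length, start));
        mole.Start(); tabloid.Start();
        mole.Join(); tabloid.Join();
        Console.WriteLine("iterations per slot: " + string.Join(" ", result.Counts));
        Console.WriteLine("Tabloid decoded: \"" + result.Text + "\"");
    }
}
```

The channel is noisy: other load on the machine, timer granularity, and a fair scheduler all change how far the contended count drops, so a run can decode a wrong byte, and raising SlotMs or adding a checksum is the usual fix on the attacker's side. What matters for the argument is that nothing in an object-capability discipline can deny Mole this influence over Tabloid's progress without also taking away the ability to run concurrently, which is why the air-tight claims are about integrity and action, not confidentiality.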

