[cap-talk] Capabilities - the rub (was: NCSC TCSEC)

Eric Jacobs eric at theeric.com
Thu Nov 9 21:31:48 CST 2006


On Thu, 09 Nov 2006 17:42:08 -0800
Jed at Webstart <donnelley1 at webstart.com> wrote:

> If you run on a capability infrastructure you can remove the account,
> but then you think, "Oh my gosh, I wonder where he might have
> delegated access to some of the resources he had access to?
> How do I remove any access that he might have delegated?"

Simple: revoke the proxy that you originally created for the account.
That proxy has supervisory capacity over anything that is done via
it. It is capable of enforcing any policy that any security kernel
could enforce.

Of course, the proxy could misbehave and leak capabilities away -
but so could a traditional kernel.

The major obstacle to adopting object-capabilities is just this: these
facts aren't obvious. Capability-based proxies look like sieves, and
mainstream security mechanisms look like bastions of safety. Almost
perfectly ironic.

Is this effect just relativism of viewpoint? People liking and feeling
comfortable with what they're used to? Perhaps. That must play a part
in it, but I feel that there is more going on. There is some kind of
lack of information or lack of evidence or something. The cap community
has been harping "Capabilities are revocable" for years, yet questions
such as Jed's keep coming up, and somehow we still haven't found the
right answer.

I'll keep thinking about it. Very interesting discussion.

-Eric
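The revocable proxy Eric describes, as an added example that is not part of the original post: the account holder only ever receives a caretaker proxy, so every delegation derives from it and dies when the administrator revokes it, while a reference that escaped the proxy (the leak Eric mentions) does not. The FileStore object, its method names and the allow-list policy are assumed for illustration.

```javascript
// Added example: a revocable "caretaker" proxy in the object-capability style.
// FileStore, its methods and the allow-list policy are assumed, not from the post.

// The real resource. It is never handed out directly, only via a caretaker.
function makeFileStore() {
  const files = new Map([['notes.txt', 'constructed sample content']]);
  return {
    read: (name) => files.get(name),
    write: (name, data) => { files.set(name, data); return true; },
  };
}

// A caretaker forwards calls to `target` until revoke() is called. Because
// every call passes through it, it can also enforce policy (here an optional
// allow-list of method names), which is the "supervisory capacity" above.
function makeCaretaker(target, policy = { allow: null }) {
  let current = target; // set to null once revoked
  const proxy = new Proxy({}, {
    get(_, name) {
      if (current === null) throw new Error('revoked');
      if (policy.allow && !policy.allow.includes(name)) {
        throw new Error(`policy denies ${String(name)}`);
      }
      const member = current[name]; // if `current` is itself a revoked proxy, this throws
      return typeof member === 'function' ? member.bind(current) : member;
    },
  });
  return { proxy, revoke: () => { current = null; } };
}

// Scenario: the admin creates the account proxy, the user delegates a
// read-only sub-proxy to a colleague, then the admin revokes the account.
function scenario() {
  const store = makeFileStore();
  const account = makeCaretaker(store);                                  // admin -> user
  const delegated = makeCaretaker(account.proxy, { allow: ['read'] });  // user -> colleague
  const before = delegated.proxy.read('notes.txt');
  let writeDenied = false;
  try { delegated.proxy.write('notes.txt', 'x'); } catch { writeDenied = true; }
  account.revoke(); // one revocation cuts off the user and everyone downstream
  let afterRevoke = false;
  try { delegated.proxy.read('notes.txt'); } catch { afterRevoke = true; }
  // A reference that never went through the proxy is untouched: this is the
  // "leak" case, and it is exactly why the raw capability must stay inside.
  const directStillWorks = store.read('notes.txt');
  return { before, writeDenied, afterRevoke, directStillWorks };
}
```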
