[cap-talk] Capabilities - the rub (was: NCSC TCSEC)

David Wagner daw at cs.berkeley.edu
Thu Nov 9 22:46:38 CST 2006


Jed at Webstart <donnelley1 at webstart.com> writes:
>When David Wagner says:
>>The TCSEC requirements are most irrelevant to modern computer security in
>>the commercial world.  They're a waste of time.  Every second you spend
>>trying to comply with TCSEC is one second forever lost from your lifespan.
>>They're not worth the brain cells; don't bother.
>
>I respectfully disagree.  Perhaps if you focus on the MLS aspects of the TCSEC
>we generally agree in this area.  I believe MLS, Bell and LaPadula, etc. is
>pretty much a mess and likely to stay that way for some time (forever?).
>Perhaps that aspect of the TCSEC can be safely ignored and considered
>irrelevant for "modern computer security in the commercial world."
>
>However, I think the base concern about binding subjects (continue to think
>people for a while here) to their authorities coupled with the concern about
>unrecoverable delegations continues to be relevant and remains at the heart
>of why the object/capability paradigm is still considered impractical (though
>there are other concerns, implementation issues, performance, usability,
>etc.) in 'modern' computer systems.

I actually agree with you here.  There are many concepts in TCSEC that
remain relevant.  And, there is a lot we can learn from TCSEC.  However,
there are also many requirements in TCSEC that are poorly matched to the
commercial needs for computer security.  I was primarily reacting to the
suggestion that it would be a good use of time to demonstrate that object
capability systems can meet all of the TCSEC requirements, and if someone
were to do that, that would change the minds of many of the computer security
folks out there.

Anyway, I think you raise a good point here.  I'm inclined to think that
there may be an important difference between protecting against malicious
users vs protection against malicious code.  User-based privilege management
(uids, ACLs, etc.) seems to do a semi-OK job at the former, but a lousy job
at the latter.


More information about the cap-talk mailing list