[cap-talk] MLS gone bad - now capabilities? (was: NCSC TCSEC) Lampson trashes POLP

Jed Donnelley jed at nersc.gov
Fri Nov 17 20:04:11 CST 2006


At 03:11 AM 11/16/2006, Bill Tulloh wrote:
> > >On 11/9/06, Jed at Webstart <donnelley1 at webstart.com> wrote:
><snipped agreement>
>
>While I'm not too familiar with it, the approach Lampson and his
>colleagues are taking does seem to be concerned with extending the
>identity-based approach to deal both with distributed identities and
>with processes having their own identities. This distributed identity
>approach perhaps needs more attention from those advocating a
>distributed capabilities approach.

If I understand your comment above it's what I'm focusing on with
my most recent comments in the "Capabilities - the rub, an account"
thread:

http://www.eros-os.org/pipermail/cap-talk/2006-November/005885.html

<more snipped agreement>
>...I'm skeptical of the ability of identity-based systems to successfully
>reach down to the process level and below for complexity reasons.

I believe the major difficulty with the ACL approach is the dynamics
that the Capability Myths paper properly focused on in my opinion.
It's also the area that Lampson seems to be concerned about when
he worries about the management of fine-grained access control.
Nobody has time to put just the right processes on the appropriate
ACLs for resources that they need.  However, with the object/capability
paradigm, generally passing objects as parameters does the "right thing"
without the need for involvement by any overarching management
(e.g. system administrators).  I really don't get the notion of
"mandatory access control" - particularly in the face of cooperating
'conspirators', but in terms of discretionary access control I believe
that provided by object capabilities provides just the "right thing" for
POLA.

> > ... to me <object capabilities are> just incrementally approaching some sort of
> > asymptote that's much below the level of shaking, convincing, selling those
> > who need to be shaken, convinced, sold on the object/capability model
> > as a viable one that's worth investing in before it will become a serious
> > contender for market share - even with something as tenuous as the Hurd.
>
>Perhaps, but considering where things were ten years ago where only a
>handful of people were interested in capability-based approaches, I
>think there has been some impressive achievements. This may still be
>below what's needed for a major commercial breakthrough, but little by
>little. I've always thought the sweet spot for capabilities was to
>show the object-oriented folk what a natural fit it is, not to try to
>convince the old computer security guard that the approach they have
>been pursuing is a dead-end. The control mindset is difficult to
>overcome.

"control mindset" in the above can be taken a number of ways, but
I take it to refer to so-called "mandatory access controls" and generally
the notion of blocking unauthorized delegation.  Given the obvious
problem with conspiring communicators I believe this concern with
blocking "unauthorized" delegation needs to be refocused on
blocking "unauthorized" communication.  That's an area where object
capabilities can help!  I believe that initializing processes using POLA
with only capabilities that allow them to communicate to other
processes needed to complete their task is the best way to block
inappropriate delegation.  It's also natural and easy with an
object/capability model.

--Jed http://www.webstart.com/jed/ 
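The POLA confinement argument in the message above, as an added example that is not part of the thread: a worker handed only the channel it needs can reach nothing else, while the ACL version needs an administrative step before the same delegation works. The peers, principals and the Channel/AclRouter classes are constructed for illustration.

```python
class Peer:
    """A process that can receive messages; deliver() returns a receipt."""
    def __init__(self, name):
        self.name, self.inbox = name, []
    def deliver(self, msg):
        self.inbox.append(msg)
        return (self.name, msg)

# ACL world: authority is a (principal, resource) row in an admin-managed table.
class AclRouter:
    def __init__(self, peers):
        self.peers = {p.name: p for p in peers}
        self.acl = set()
    def grant(self, principal, resource):
        self.acl.add((principal, resource))
    def send(self, principal, resource, msg):
        if (principal, resource) not in self.acl:
            raise PermissionError(f"{principal} not on ACL for {resource}")
        return self.peers[resource].deliver(msg)

# Capability world: authority is an unforgeable reference to a Channel object.
class Channel:
    def __init__(self, peer):
        self._peer = peer
    def send(self, msg):
        return self._peer.deliver(msg)

def run_worker(*channels):
    """The worker's whole reachable world is the channels it was handed."""
    return [ch.send("report") for ch in channels]

def acl_scenario():
    db, mail = Peer("db"), Peer("mail")          # constructed sample peers
    router = AclRouter([db, mail])
    router.grant("alice", "db")
    try:                                  # alice's worker is not on the ACL...
        router.send("worker", "db", "report")
    except PermissionError:
        router.grant("worker", "db")      # ...so an administrator must step in
    return router.send("worker", "db", "report")

def cap_scenario():
    db, mail = Peer("db"), Peer("mail")          # constructed sample peers
    db_chan, mail_chan = Channel(db), Channel(mail)   # alice holds both
    receipts = run_worker(db_chan)        # delegating is passing an argument
    return receipts, len(mail.inbox)      # mail unreachable by the worker: empty
```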
