[cap-talk] Capabilities and the NCSC Trusted Computer Security Evaluation Criteria (TCSEC)

David Hopwood david.nospam.hopwood at blueyonder.co.uk
Sun Nov 19 11:59:14 CST 2006


Jed at Webstart wrote:
> At 02:54 PM 10/30/2006, Bill Tulloh wrote:
> 
>>I've been trying to trace the history of capability-based approaches
>>in the context of the emergence of the Trusted Computer Systems
>>Evaluation Criteria (the Orange Book)...
> 
> As Bill mentioned I scanned in the following document:
> 
> Traditional Capability-Based Systems:
> An Analysis of Their Ability to Meet the
> Trusted Computer Security Evaluation Criteria
> 
> into:  http://www.webstart.com/jed/papers/P-1935/

The thing that most strikes me about this document is its relentless emphasis
on implementation detail -- detail that is hardly relevant to what the paper
is supposed to be about, i.e. the suitability of capabilities as a security
*model*.

For instance, on page 8:

# The capability mapping mechanism establishes the correspondence between
# the capability and the object it names.
[...]
# Traditional capability systems may differ in specific details of the
# capability mapping implementation. The model described below, however,
# can be used to explain the mapping mechanisms of most traditional
# capability-based systems.

is followed immediately by a low-level "boxes and pointers" description of
some possible implementation, complete with premature optimizations, which
utterly fails to provide any insight about how capability systems in general
(or even just c-list systems), "establish the correspondence between the
capability and the object it names".

[In fact for most systems the description given is flat-out wrong and misleading,
e.g. in referring to a c-list index as a "hint".]

My conclusion is the authors just don't get abstraction sufficiently well to
be competent to write a report on this subject.

-- 
David Hopwood <david.nospam.hopwood at blueyonder.co.uk>
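As an added illustration (example code written for this page, not from the post or from the P-1935 paper) of the c-list mapping the post says the paper fails to explain: it assumes one kernel-held c-list per process, with the process-visible capability being nothing more than an index into its own list, so the index is the authoritative mapping key rather than a "hint".

```python
# Added example, not from the cap-talk post or the P-1935 paper: a minimal
# model of a c-list "capability mapping mechanism". Assumptions: one c-list
# per process, held by the kernel; a capability as seen by the process is
# just an index into its own c-list; only the kernel creates entries.
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    obj: object          # the kernel object the capability names
    rights: frozenset    # e.g. {"read", "write"}

class Kernel:
    def __init__(self):
        self._clists: dict[str, list[Entry]] = {}

    def create_process(self, pid):
        self._clists[pid] = []

    def grant(self, pid, obj, rights):
        """Kernel side: append an entry and return the index the process uses."""
        cl = self._clists[pid]
        cl.append(Entry(obj, frozenset(rights)))
        return len(cl) - 1

    def resolve(self, pid, cap):
        """The mapping: (process, index) -> (object, rights). An index the
        process never received via grant/transfer resolves to nothing."""
        cl = self._clists[pid]
        if not isinstance(cap, int) or not 0 <= cap < len(cl):
            return None
        return cl[cap]

    def invoke(self, pid, cap, right):
        e = self.resolve(pid, cap)
        if e is None or right not in e.rights:
            raise PermissionError(f"{pid}: cap {cap!r} does not permit {right}")
        return e.obj

    def transfer(self, src, cap, dst, rights=None):
        """Copy an entry from src's c-list into dst's, optionally attenuating
        rights. Indices are process-relative, so dst gets its own index."""
        e = self.resolve(src, cap)
        if e is None:
            raise PermissionError("cannot transfer a capability you do not hold")
        new_rights = e.rights if rights is None else e.rights & frozenset(rights)
        return self.grant(dst, e.obj, new_rights)
```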
