[cap-talk] Capabilities and the NCSC Trusted Computer Security Evaluation Criteria (TCSEC)
Jed at Webstart
donnelley1 at webstart.com
Tue Nov 21 19:29:20 CST 2006
At 09:59 AM 11/19/2006, David Hopwood wrote:
>Jed at Webstart wrote:
> > At 02:54 PM 10/30/2006, Bill Tulloh wrote:
> >
> >>I've been trying to trace the history of capability-based approaches
> >>in the context of the emergence of the Trusted Computer Systems
> >>Evaluation Criteria (the Orange Book)...
> >
> > As Bill mentioned I scanned in the following document:
> >
> > Traditional Capability-Based Systems:
> > An Analysis of Their Ability to Meet the
> > Trusted Computer Security Evaluation Criteria
> >
> > into: http://www.webstart.com/jed/papers/P-1935/
>
>The thing that most strikes me about this document is its relentless emphasis
>on implementation detail -- detail that is hardly relevant to what the paper
>is supposed to be about, i.e. the suitability of capabilities as a security
>*model*.
Hurrah! Thanks for taking a look David!
>For instance, on page 8:
>
># The capability mapping mechanism establishes the correspondence between
># the capability and the object it names.
>[...]
># Traditional capability systems may differ in specific details of the
># capability mapping implementation. The model described below, however,
># can be used to explain the mapping mechanisms of most traditional
># capability-based systems.
>
>is followed immediately by a low-level "boxes and pointers" description of
>some possible implementation, complete with premature optimizations, which
>utterly fails to provide any insight about how capability systems in general
>(or even just c-list systems), "establish the correspondence between the
>capability and the object it names".
>
>[In fact for most systems the description given is flat-out wrong
>and misleading,
>e.g. in referring to a c-list index as a "hint".]
I noticed that also (perhaps I should have mentioned it). I think there was some system (perhaps one of the hardware caching schemes?) where a c-list index was something like a hint. They seemed to pick up on that and assume that other systems were similar. I agree that it shows an appalling lack of understanding of even the most common sort of capability systems - the descriptor-based systems (e.g. Dennis and Van Horn's supervisor).
>My conclusion is the authors just don't get abstraction sufficiently well to
>be competent to write a report on this subject.
As to the above, I think it's overstated somewhat. That example with the
"hint" I think is something of an aberration. I think that at some level they
understood the capability paradigm - though they certainly didn't
'appreciate' it. I saw no evidence that they understood the problem of
conspiring communicators and proxying.
I know one of the authors - Jeff Huskamp - who is now the Chief Information
Officer at the University of Maryland, e.g.:
http://www.oit.umd.edu/people/srstaff.html
http://www.oit.umd.edu/people/bios/huskamp.pdf
http://www.oit.umd.edu/units/cio/Huskamp_Vitae_09.01.06.pdf
(Director North Carolina Supercomputer Center, Director Ohio Supercomputer Center previously).
I expect Jeff had a significant influence on the document. I also expect the document reflects his views. Of course we all know Butler Lampson. He didn't write that document, but I think he generally agrees with its viewpoint and he definitely thinks the object/capability model (and even more generally POLA) is bad for access control and computer security. I don't think we should be so quick to write off these authors as simply incompetent.
You may find it interesting to take a look at the acknowledgements in the preface:

"Virgil Gligor from the University of Maryland served as principal researcher. Many other individuals also have contributed to the production of this paper. We wish to acknowledge the assistance of Dan Nessett, Lawrence Livermore Labs; Richard Kain, University of Minnesota; Norman Hardy, Susan Rajunas, et al., of Keylogic, Inc.; and Roger Schell of Gemini Computers, Inc., for their thorough review and critique of the initial drafts of this paper. Their comments helped significantly in providing better focus and presentation of the material. The authors, however, remain responsible for the accuracy and appropriateness of the contents of this final version."
I also know Dan Nessett quite well. He was working with us on NLTSS still at the time this paper was written. I can see his influence in some of the discussion. He clearly gave them some cannon fodder in the discussion about protecting capabilities on a network as we were concerned about (e.g. the Managing Domains paper).

And of course all of us (I hope) know Norm Hardy quite well. Perhaps Norm could comment on the political environment surrounding the writing of this document, his reading of some draft(s?), etc.
Hmmm. It appears the lead author, Virgil Gligor, is still a professor at the University of Maryland. Also interestingly a UC Berkeley PhD from about the time Jeff Huskamp got his PhD there. I wonder if this is a Cal conspiracy? Of course Butler Lampson has his Cal (CalTSS) connections as well.
Dr. Gligor still seems to be active in the computer security area:
http://www.ece.umd.edu/~gligor/
It seems we could ask these people about their thoughts. I'd certainly like
to focus our message before doing so.
I'll also note that this document is fairly widely referenced. Bill Tulloh would probably know better than I about that, but certainly in the military area of computer security (that was dominant/ascendant until I would say at least the early 1990s), e.g.:
https://ia.gordon.army.mil/iaso/DOD/NCSC-TG-016/references.htm
and many others.
I expect we could track down more of these authors. Do you think there's any hope of drawing them into a discussion? I might be able to draw Jeff Huskamp in to touch briefly on this topic, but of course as CIO of a major university he would have little time for any in-depth discussion.
--Jed http://www.webstart.com/jed/
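The two points argued over in this exchange, that in a descriptor-based (c-list) system the index is the kernel's authoritative name for the object rather than a "hint", and that attenuated rights alone do not stop a capability holder from proxying for a domain that holds nothing, can be shown with a toy model. The following is an added illustration, not code from the cap-talk thread, from the P-1935 report, or from any of the systems it reviews; the names `Kernel`, `Domain`, `Capability`, `grant`, `demo` and `proxy_demo` and the sample object contents are all invented here.

```python
"""Toy descriptor-based capability list (c-list), added for illustration.
Not from the cap-talk thread or the P-1935 report; all names are invented."""

from dataclasses import dataclass, field

READ, WRITE = 1, 2   # rights bits carried by a capability


@dataclass(frozen=True)
class Capability:
    object_id: int   # kernel object this capability names
    rights: int      # bitmask of READ / WRITE


@dataclass
class Domain:
    name: str
    clist: list = field(default_factory=list)   # index -> Capability


class Kernel:
    def __init__(self):
        self.objects = {}   # object_id -> contents
        self.next_id = 0

    def create(self, domain, contents=""):
        """Create an object and place a full-rights capability in domain's c-list."""
        oid, self.next_id = self.next_id, self.next_id + 1
        self.objects[oid] = contents
        domain.clist.append(Capability(oid, READ | WRITE))
        return len(domain.clist) - 1   # the c-list index is the handle

    def _resolve(self, domain, index, needed):
        # The index is resolved directly against the caller's own c-list.
        # There is no separate name lookup for a "hint" to be checked against:
        # an index outside the list simply names nothing.
        if not 0 <= index < len(domain.clist):
            raise PermissionError(f"{domain.name}: no capability at index {index}")
        cap = domain.clist[index]
        if cap.rights & needed != needed:
            raise PermissionError(f"{domain.name}: insufficient rights at {index}")
        return cap

    def read(self, domain, index):
        return self.objects[self._resolve(domain, index, READ).object_id]

    def write(self, domain, index, contents):
        self.objects[self._resolve(domain, index, WRITE).object_id] = contents

    def grant(self, src, index, dst, rights_mask):
        """Copy a capability into another domain's c-list, attenuating rights.
        The receiving domain gets its own index; indexes are per-c-list."""
        cap = self._resolve(src, index, 0)
        dst.clist.append(Capability(cap.object_id, cap.rights & rights_mask))
        return len(dst.clist) - 1


def demo():
    """Index-is-identity and attenuation, using constructed sample data."""
    k = Kernel()
    alice, bob = Domain("alice"), Domain("bob")
    idx = k.create(alice, "secret")
    try:                       # Bob's c-list is empty: index 0 names nothing for him
        k.read(bob, 0)
        bob_direct = "read"
    except PermissionError:
        bob_direct = "denied"
    bidx = k.grant(alice, idx, bob, READ)   # read-only copy
    bob_read = k.read(bob, bidx)
    try:
        k.write(bob, bidx, "changed")
        bob_write = "written"
    except PermissionError:
        bob_write = "denied"
    return bob_direct, bob_read, bob_write, k.read(alice, idx)


def proxy_demo():
    """The limitation the thread says the report overlooked: a domain that
    holds a capability can relay the object's contents to a domain that holds
    none. Attenuated rights do not, by themselves, confine conspiring holders."""
    k = Kernel()
    alice = Domain("alice")
    idx = k.create(alice, "secret")

    def alice_service(request):        # Alice voluntarily answers on Carol's behalf
        return k.read(alice, idx) if request == "please" else None

    return alice_service("please")     # Carol obtains "secret" with no capability
```

`demo()` returns `("denied", "secret", "denied", "secret")`: Bob's bare index is rejected outright rather than treated as a hint to be verified elsewhere, the granted read-only copy works, and the write is refused. `proxy_demo()` returns `"secret"`, which is the conspiring-communicators point: the model controls who may invoke an object, not what a willing holder does with the result.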