[cap-talk] Boebert Farber paper reference?
Jed at Webstart
donnelley1 at webstart.com
Wed Nov 29 12:06:34 CST 2006
At 07:43 AM 11/29/2006, Bill Tulloh wrote:
>On 11/28/06, Jed Donnelley <jed at nersc.gov> wrote:
> > Funny. I was just looking back at this message and asking a bit
> > about D.J. Farber and capabilities. I was a bit befuddled when I
> > saw that he's a coauthor on the EROS paper. However, I'm not aware
> > of any early capability work by D. J. Farber.
> > Maybe Jonathan Shapiro could fill us in a bit on Farber's role in the
> > EROS work?
>The earliest paper I've seen by David J. Farber that references
>W. David Sincoskie, David J. Farber: SODS/OS: Distributed Operating
>System for the IBM Series/1. Operating Systems Review 14(3): 46-54
>However, this doesn't seem like a primary source in any sense. His
>involvement with EROS as you say comes later, and seems to stem from
>Jonathan's days as a student at U Penn where Farber was on the
>There is also a David A. Farber who worked with Popek on the UCLA Data
>Popek,C.J., and Farber,D.A., "A Model for Verification of Data
>Security in Operating Systems", Communications of the ACM, Vol. 21,
>No. 9, September 1978, pp.737-749.
>The focus of this paper is program verification, however, not capabilities.
>Unless there is some unpublished classified work I'm unaware of, I
>still think the best guess is he meant Fabry.
Whether he meant Fabry or either of the possible Farbers, doesn't his
emphasis on such a reference:
"The absence of the Kain and Landwehr paper, any mention of PSOS, or
the primary sources such as the original Farber paper would,
however, make me skeptical."
seem a bit misplaced? He seems to have his own favorite references that
at least peripherally touch on the area (e.g. the Peter Neumann PSOS work,
where a capability approach was abandoned). However, I agree that the
Landwehr and Kain paper (e.g.:
) seems to me to be an important reference to have in the Capability Myths paper.
There seems to me to be something a bit incestuous about some of this work
that seemed to be happening in a bit of a vacuum - certainly without
any response from any sort of "capability community" as now seems to exist.
It appears that they did some work (on PSOS), made a design choice, and
then spent a few years rehashing the details for their own amusement. A
quick look at the references from the Kain/Landwehr paper seems to reinforce
this view (below).
I also found this note of interest in this regard:
It's Boebert touting SELinux to the open source community. Now there's
a place where Lampson's comment about making things complex only leading
to less
seems to me to apply (from bitter experience). I hope we aren't just
thrashing around in
Here are the references from the Kain/Landwehr paper:

Levy, H. M., Capability-Based Computer Systems, Digital Press, Bedford, MA, 1984.

Department of Defense Computer Security Center, Trusted Computer System Evaluation Criteria, CSC-STD-001-83, August 1983.

Boebert, W. E., "On the Inability of an Unmodified Capability Machine to Enforce the *-Property," Proc. 7th DoD/NBS Computer Security Conference, September 1984, pp. 291-

Bell, D. E., and LaPadula, L. J., "Secure Computer System: Unified Exposition and Multics Interpretation," Tech. Report MTR-2997, MITRE Corp., Bedford, Mass.

Boebert, W. E., Kain, R. Y., Young, W. D., and Hansohn, S. A., "Secure Ada Target: Issues, System Design, and Verification," Proc. 1985 Symp. on Security and Privacy, pp. 176-183, April 1985.

Neumann, P. G., Boyer, R. S., Feiertag, R. J., Levitt, K. N., and Robinson, L., "A Provably Secure Operating System: The System, Its Applications, and Proofs," SRI Computer Science Laboratory Report CSL-116 (2nd ed.), May 1980.

Schroeder, M. D., "Engineering a Security Kernel for Multics," Proc. 5th Symp. on Operating Systems Principles (also ACM SIGOPS Review 9, 5), pp. 25-32, November 1975.

Karger, P. A., and Herbert, A. J., "An Augmented Capability Architecture to Support Lattice Security and Traceability of Access," Proc. 1984 Symp. on Security and Privacy, pp. 2-12, April 1984.