[cap-talk] Boebert Farber paper reference?

Jed at Webstart donnelley1 at webstart.com
Wed Nov 29 12:06:34 CST 2006

At 07:43 AM 11/29/2006, Bill Tulloh wrote:
>On 11/28/06, Jed Donnelley <jed at nersc.gov> wrote:
> >Funny.  I was just looking back at this message and asking a bit
> > about D.J. Farber and capabilities.  I was a bit befuddled when I
> > saw that he's a coauthor on the EROS paper.  However, I'm not aware
> > of any early capability work by D. J. Farber.
> > Maybe Jonathan Shapiro could fill us in a bit on Farber's role in the
> > EROS work?
>The earliest paper I've seen by David J. Farber that references 
>capabilities is:
>W. David Sincoskie, David J. Farber: SODS/OS: Distributed Operating
>System for the IBM Series/1. Operating Systems Review 14(3): 46-54
>However, this doesn't seem like a primary source in any sense. His
>involvement with EROS as you say comes later, and seems to stem from
>Jonathan's days as a student at U Penn where Farber was on the
>There is also a David A. Farber who worked with Popek on the UCLA Data
>Secure Unix.
>Popek,C.J., and Farber,D.A., "A Model for Verification of Data
>Security in Operating Systems", Communications of the ACM, Vol. 21,
>No. 9, September 1978, pp.737-749.
>The focus of this paper is program verification, however, not capabilities.
>Unless there is some unpublished classified work I'm unaware of, I
>still think the best guess is he meant Fabry.

Whether he meant Fabry or either of the possible Farbers, doesn't his
emphasis on such a reference:

"The absence of the Kain and Landwehr paper, any mention of PSOS, or
the primary sources such as the original Farber paper would,
however, make me skeptical."

seem a bit misplaced?  He seems to have his own favorite references that
at least peripherally touch on the area (e.g. the Peter Neumann PSOS work
where a capability approach was abandoned).  However, I agree the
Landwehr and Kain paper (e.g.:

) seems to me to be an important reference to have in the Capability Myths paper.
There seems to me to be something a bit incestuous about some of this work
that seemed to be happening in a bit of a vacuum - certainly without
any response from any sort of "capability community" as now seems to exist.
It appears that they did some work (on PSOS), made a design choice, and
then spent a few years rehashing the details for their own amusement.  A
quick look at the references from the Kain/Landwehr paper seems to reinforce
this view (below).

I also found this note of interest in this regard:


It's Boebert touting SELinux to the open source community.  Now there's a
place where Lampson's comment about making things complex only leading to
less security really seems to me to apply (from bitter experience).  I hope
we aren't just thrashing around in circles here.

Here are the references from the Kain Landwehr paper:

[1] Levy, H. M., Capability-Based Computer Systems, Digital Press, Bedford, MA, 1984.

[2] Department of Defense Computer Security Center, Trusted Computer Systems Evaluation Criteria, CSC-STD-001-83, August 1983.

[3] Boebert, W. E., "On the Inability of an Unmodified Capability Machine to Enforce the *-Property," Proc. 7th DoD/NBS Computer Security Conference, September 1984, pp. 291-

[4] Bell, D. E., and LaPadula, L. J., "Secure Computer System: Unified Exposition and Multics Interpretations," Tech. Report MTR-2997, MITRE Corp., Bedford, Mass., July 1975.

[5] Boebert, W. E., Kain, R. Y., Young, W. D., and Hansohn, S. A., "Secure Ada Target: Issues, System Design, and Verification," Proc. 1985 Symp. on Computer Security and Privacy, pp. 176-183, April 1985.

[6] Neumann, P. G., Boyer, R. S., Feiertag, R. J., Levitt, K. N., and Robinson, L., "A Provably Secure Operating System: The System, Its Applications, and Proofs," SRI Computer Science Laboratory Report CSL-116 (2nd ed.), May 1980.

[7] Schroeder, M. D., "Engineering a Security Kernel for Multics," Proc. 5th Symp. on Operating Systems Principles (also ACM SIGOPS Review 9, 5), pp. 25-32, November 1975.

[8] Karger, P. A., and Herbert, A. J., "An Augmented Capability Architecture to Support Lattice Security and Traceability of Access," Proc. 1984 Symp. on Security and Privacy, pp. 2-12, April 1984.

--Jed http://www.webstart.com/jed/ 
