[cap-talk] Capabilities and the NCSC Trusted Computer Security Evaluation Criteria (TCSEC)

Jonathan S. Shapiro shap at eros-os.com
Wed Nov 29 14:21:03 CST 2006

David, all:

On Sun, 2006-11-19 at 17:59 +0000, David Hopwood wrote:
> Jed at Webstart wrote:
> > As Bill mentioned I scanned in the following document:
> > 
> > Traditional Capability-Based Systems:
> > An Analysis of Their Ability to Meet the
> > Trusted Computer Security Evaluation Criteria
> > 
> > into:  http://www.webstart.com/jed/papers/P-1935/
> The thing that most strikes me about this document is its relentless emphasis
> on implementation detail -- detail that is hardly relevant to what the paper
> is supposed to be about, i.e. the suitability of capabilities as a security
> *model*.
> My conclusion is the authors just don't get abstraction sufficiently well to
> be competent to write a report on this subject.

I think this is harsh, since the document does not purport to be an
evaluation of capability systems as a design model. It is an attempt to
provide an imperfect retrospective analysis of then-existing practice
(some of which was very obscure then and remains so now). I think you
should look harder at the conclusion, in particular the sentences buried
in the paragraph beginning "Second,..."

        ... there are extensions (to what is defined as traditional
        capability-based systems) that have been proposed for, and
        implemented in, experimental systems which allow the support of
        security policies and accountability mechanisms similar to those
        of TCSEC. All such extensions are well within the limits of
        present-day technology. This suggests that one cannot rule out a
        priori a system based on capabilities from environments where
        the requirements of the TCSEC are important....
Note the last sentence in particular. While we may disagree with the
report's conclusion that:

        ... traditional capability-based systems prevent the
        implementation of security policy and accountability as required
        by the TCSEC...

We need to be very careful to remember several things:

1. The KeyKOS factory result was not understood by the authors. It
wasn't issued until mid-1986, and it is (at best) an obscure and opaque

2. The Harrison-Ruzzo-Ullman result was out of scope: this was a paper
addressing then-existing practice, which had largely ignored the HRU

3. In the context of the times, there was a strong push to abandon
capability systems as foundationally insecure. The fact that this paper
from this group of people affirmatively kept the door open was a big

Finally, I think that the concluding critique:

        ...and make some aspects of trusted facility management and
        recovery more difficult than those of other systems.

Is pretty clearly accurate.

In any case, I suppose my main point is that documents like this need to
be read in historical context.


More information about the cap-talk mailing list