[cap-talk] - Bellizzomi - Capabilities and Shapiro's focus, Coyotos, etc.
Jed at Webstart
donnelley1 at webstart.com
Thu Nov 30 20:39:40 CST 2006
At 04:38 PM 11/30/2006, Valerio Bellizzomi wrote:
>On 30/11/2006, at 1.27, Jonathan S. Shapiro wrote:
> >> Please don't oversell capabilities and suggest that they can
> >> solve covert channel problems like wall banging. I think it's enough
> >> to deal with overt communication channels as Jonathan suggests.
> >I agree -- on both points.
>I think we agree on this topic. It was never my intention to oversell
>capabilities, it was my intention to say that covert channel problems have
>been addressed in the sense that they have been discussed (at least) in
>this list, and that I have noticed some countermeasures in the ASPOS/PP.
They certainly have been discussed on this list, but I think mostly as
an academic exercise. I guess the approach that Mark Miller has
mentioned (deafening processes through appropriate confinement
to make them deterministic) can be helpful in this regard. I can even
accept the argument that capabilities help in this area, because without
something like POLA you really have no hope to limit a process's access
to a deterministic "scope" (whatever Mark called it).
OK, with that as background I'm swung over to at least accepting that
the object/capability paradigm (at least POLA in some form) can contribute
significantly to dealing with covert channels. More important first though is
of course the issue of confinement regarding overt channels as Shap
addressed in his paper, but once you have overt confinement then it
seems you have the tools you need to address deafening processes
by limiting their permissions to those that only allow deterministic
execution. Of course you may still have to deal with things like
hardware issues (e.g. an available hardware clock), but at least there's
hope for a path forward there.
I didn't hold out much hope for positive results from such a discussion
of covert channels, but I must say I'm pleasantly surprised. Thanks all.