[cap-talk] A better reference for the "capabilities propagate too easily" argument

Mark Miller erights at gmail.com
Wed Aug 1 11:58:18 EDT 2007


On 8/1/07, Jonathan S. Shapiro <shap at eros-os.com> wrote:
> On Wed, 2007-08-01 at 07:47 -0700, Mark Miller wrote:
> > In other words, [the language folks] had already arrived at capabilities in all ways
> > except for security.

First, I'd like to rephrase this so it's less parochial. The language
folks had already come to a lambda-calculus-based paradigm regarding
non-security problems. Thus, they were more receptive to the
application of lambda-calculus-based ideas to security.


> I think it is much simpler than this. The world model of programmers
> typically does not assume that programs are internally self-hostile.
> Modularity is done for manageability and engineerability, not for
> defensibility. In consequence, a purely discretionary,
> designation=authority model is a perfect fit, and neither mandatory
> control issues, confused deputy issues, nor revocation issues are
> relevant problems.

Again, I have no idea what you or anyone else (except Alan) means when
they say "discretionary" or "mandatory". For "mandatory" I will
substitute "confinement" and hope that adequately captures your
intent.

Once lambda-based language folks did turn to security, confinement was
immediately seen as relevant. From Hewitt & Baker 1977
<http://www.lcs.mit.edu/publications/specpub.php?id=762>:

# These laws of locality can be used as the foundation on which to build
# theories of information flow in computer systems. Using the formalism, a
# theory can be developed to show how the imposition of initial constraints
# can be used to eliminate undesirable information paths. In this way,
# protection problems, such as the Confinement Problem may be solved.

What they suggest here, in 1977, is the essence of how Norm solved
overt confinement many years later. You can also find concern with
such "mandatory" issues in Rees' thesis.

I agree on revocation. I don't think it was on the radar of any
language-based security work outside our community.

On first encounter, confused deputy is subtle for everyone. But
language folks are used to thinking about scoping dangers, like
non-hygienic name capture in macro systems. I think that makes them
better armed to appreciate confused deputy when it is presented.

-- 
Text by me above is hereby placed in the public domain

    Cheers,
    --MarkM
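Added example, not part of the post above or of anyone's code in this thread: the confused deputy that Shapiro's "designation=authority" remark and MarkM's last paragraph refer to, written out both ways, first under an ambient-authority model where a deputy names files by path and the check is against the deputy's own identity, then under a capability model where the caller hands over a closure that designates the file and carries the authority with it. A small revocable forwarder at the end illustrates the revocation concern the post mentions. All names, paths and principals (AmbientFS, makeCapFS, makeCompiler, aliceCode, '/billing/log', 'alice', 'compiler') are constructed for this illustration.

```javascript
// Added example, not from the cap-talk post: confused deputy under an
// ambient-authority model versus a designation=authority (capability) model,
// plus a revocable forwarder. Every name here is constructed for illustration.

// --- Ambient authority: files are named by path, and permission is checked
// --- against the *caller's identity*, which the deputy supplies itself.
class AmbientFS {
  constructor() { this.files = new Map(); this.acl = new Map(); }
  write(path, data, principal) {
    const allowed = this.acl.get(path) || new Set();
    if (!allowed.has(principal)) throw new Error(`EACCES: ${principal} -> ${path}`);
    this.files.set(path, data);
  }
  read(path) { return this.files.get(path); }
}

function runAmbientScenario() {
  const fs = new AmbientFS();
  fs.acl.set('/billing/log', new Set(['compiler']));             // only the deputy
  fs.acl.set('/home/alice/out', new Set(['alice', 'compiler']));
  fs.files.set('/billing/log', 'alice:0\n');

  // The compile service runs as 'compiler', writes wherever it is told to,
  // then appends a billing record using its own (ambient) authority.
  const compiler = (source, outputPath) => {
    fs.write(outputPath, `compiled(${source})`, 'compiler');
    fs.write('/billing/log', fs.read('/billing/log') + 'alice:1\n', 'compiler');
  };

  let directDenied = false;
  try { fs.write('/billing/log', 'forged', 'alice'); } catch (e) { directDenied = true; }

  // Alice names the billing log as her output path; the deputy, checked only
  // on its own identity, clobbers a file Alice could not touch directly.
  compiler('main.c', '/billing/log');
  return {
    directDenied,
    billingClobbered: fs.read('/billing/log') === 'compiled(main.c)alice:1\n',
  };
}

// --- Designation = authority: a file is designated by a closure over it.
// --- Holding the closure is the permission; there is no identity check.
function makeCapFS() {
  const files = new Map();
  return {
    files,
    writerFor: (path) => (data) => { files.set(path, data); },
    readerFor: (path) => () => files.get(path),
  };
}

// The deputy is built holding only the billing capabilities; its output
// destination arrives from the caller as a capability, not as a name.
function makeCompiler(billingRead, billingWrite) {
  return (source, outputWriter) => {
    outputWriter(`compiled(${source})`);
    billingWrite(billingRead() + 'alice:1\n');
  };
}

// Alice's code receives only the compiler and her own output capability.
// With no object designating /billing/log, there is nothing she can pass
// that would make the compiler write there.
function aliceCode(compiler, aliceOut) {
  compiler('main.c', aliceOut);
}

function runCapabilityScenario() {
  const fs = makeCapFS();
  fs.files.set('/billing/log', 'alice:0\n');
  const compiler = makeCompiler(fs.readerFor('/billing/log'), fs.writerFor('/billing/log'));
  aliceCode(compiler, fs.writerFor('/home/alice/out'));
  return {
    billingIntact: fs.files.get('/billing/log') === 'alice:0\nalice:1\n',
    output: fs.files.get('/home/alice/out'),
  };
}

// --- Revocation: a capability that has already propagated can still be cut
// --- off if what was handed out was a forwarder rather than the object itself.
function makeRevocable(cap) {
  let target = cap;
  return {
    forwarder: (...args) => {
      if (target === null) throw new Error('capability revoked');
      return target(...args);
    },
    revoke: () => { target = null; },
  };
}

function runRevocationScenario() {
  const fs = makeCapFS();
  const { forwarder, revoke } = makeRevocable(fs.writerFor('/home/alice/out'));
  forwarder('first');                 // works while live
  revoke();
  let afterRevoke = 'not thrown';
  try { forwarder('second'); } catch (e) { afterRevoke = e.message; }
  return { stored: fs.files.get('/home/alice/out'), afterRevoke };
}
```

The point of the contrast is in aliceCode: in the ambient model the string '/billing/log' is a name anyone can utter, and the deputy's authority fills in the rest; in the capability model the only things Alice can pass are closures she was given, so the deputy can never be made to exercise more authority on her behalf than she already held.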
