[cap-talk] Non-safety vs. permission propagation -- HRU and IBAC ACLs
David Hopwood
david.hopwood at industrial-designers.co.uk
Mon Aug 6 12:36:01 EDT 2007
Toby Murray wrote:
> The authors (HRU) specifically say that in order to conduct a safety
> analysis, we ought to first remove all trustworthy subjects from the
> (model of the) system; since their ability to leak a permission doesn't
> count as a violation.
>
> So say we have a system of 2 subjects, s1 and s2, and one (file) object
> f.
>
> Say that s1 is the owner of f (i.e. "own" is in (s1, f) )
> And we want to determine whether s2 (who is considered untrustworthy)
> can obtain the right to "read" f. s1 is considered trustworthy, so we
> remove it from the configuration, leaving a configuration with 2
> entities (s2 and f) in which no entity has any permission to any other.
The issue here is whether s1 should be considered trustworthy. Jonathan's
position is that in general it shouldn't, and I agree. It might be
reasonable *in some cases* that the owner of an object should be trusted
to arbitrarily distribute authority to it, but it will not be reasonable
in all cases, and that is sufficient to say that the system does not
support enforcing the safety property.
Note that the argument that the owner could proxy authority to the object
does not apply in general: it can do so only to subjects with which it
can communicate. If we ever want to be able to prevent communication
between any two subjects, then we cannot use the possibility of proxying
to justify allowing owners to distribute authority to their objects without
restriction.
--
David Hopwood <david.hopwood at industrial-designers.co.uk>
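As an added illustration, not part of the thread, the configuration Toby describes run through a brute-force HRU-style safety check: the same initial matrix is judged safe when s1 is removed as trustworthy and unsafe when s1 stays in the model, which is the dependency David's reply turns on. The single command grant_read (owner may enter "read" for any subject) and the reachability search are assumptions constructed for this example.

```python
"""Constructed HRU-style model: subjects s1, s2; file object f.
The only command is grant_read, an assumption modelled on 'own' in (s1, f)."""
from itertools import product

def freeze(matrix):
    """Hashable snapshot of an access matrix (empty cells dropped)."""
    return frozenset((cell, frozenset(rs)) for cell, rs in matrix.items() if rs)

def thaw(frozen):
    return {cell: set(rs) for cell, rs in frozen}

def grant_read(matrix, granter, grantee, obj):
    """HRU command: if 'own' in (granter, obj) then enter 'read' into (grantee, obj)."""
    if "own" not in matrix.get((granter, obj), set()):
        return None
    nxt = {cell: set(rs) for cell, rs in matrix.items()}
    nxt.setdefault((grantee, obj), set()).add("read")
    return freeze(nxt)

def remove_trusted(matrix, trusted):
    """HRU's preprocessing step: drop every row belonging to a trusted subject."""
    return {cell: rs for cell, rs in matrix.items() if cell[0] not in trusted}

def can_leak(matrix, subjects, objects, target_cell, right):
    """Explore every configuration reachable via grant_read and report whether
    `right` ever appears in target_cell. Finite here: no create commands."""
    start = freeze(matrix)
    seen, frontier = {start}, [start]
    while frontier:
        cur = thaw(frontier.pop())
        if right in cur.get(target_cell, set()):
            return True
        for granter, grantee, obj in product(subjects, subjects, objects):
            step = grant_read(cur, granter, grantee, obj)
            if step is not None and step not in seen:
                seen.add(step)
                frontier.append(step)
    return False

def safety_verdicts():
    """Same initial matrix, two modelling choices about s1."""
    subjects, objects = {"s1", "s2"}, {"f"}
    initial = {("s1", "f"): {"own"}}          # s1 owns f; s2 holds nothing
    pruned = remove_trusted(initial, {"s1"})  # Toby's step: s1 deemed trustworthy
    return {
        "s1 removed as trustworthy": can_leak(pruned, subjects - {"s1"}, objects, ("s2", "f"), "read"),
        "s1 kept in the model": can_leak(initial, subjects, objects, ("s2", "f"), "read"),
    }
```

Whether "read" can reach (s2, f) is decided entirely by whether s1's row is in the model, so the verdict is only as good as the trustworthiness assumption about the owner.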