[cap-talk] Non-safety vs. permission propagation -- HRU and IBAC ACLs
David Hopwood
david.hopwood at industrial-designers.co.uk
Mon Aug 6 13:18:54 EDT 2007
Jonathan S. Shapiro wrote:
> On Mon, 2007-08-06 at 15:50 +0100, Toby Murray wrote:
>> Your argument appears (to me) to be suffering the exact same problem
>> that the Boebert et al. argument did regarding the inability of a cap
>> system to enforce the *-property. Trusted subjects need to be taken into
>> account in both cases. Failing to do so leads to overly pessimistic
>> results.
>
> I disagree. I am not failing to take into account trusted subjects. The
> problem is on the other foot: you are failing to admit any untrusted
> subjects.
Yes.
[...]
>>> Because of this, we cannot
>>> reasonably introduce the assumption that s1 is non-hostile.
>>
>> Unless s1 actually is non-hostile. s1 might be my shell,
The emphasis should be on "might". A typical ACL system *always* allows an
owner subject to propagate authority to its objects, but it only *might*
be reasonable to trust any given process running as the owner subject to
do so.
>> which I presume
>> to be non-hostile. This appears to be Boebert's mistake reflected by one
>> of his loudest critics. I don't get it...
>
> Your shell is not part of the TCB. It is assumed to be hostile.
>
> Back up. This is a model in which all processes that are not part of the
> TCB are assumed to be perfectly hostile.
I disagree. The HRU model does not say anything about which processes
outside the TCB are assumed to be hostile. It clearly allows the possibility
of processes outside the TCB that are trusted for a particular right (to
the extent that it talks about processes at all).
To say that ACL systems fail to enforce the safety property, we only need
to argue that there may exist a right f, and a process P running as the
owner of f, such that P is not trusted to arbitrarily propagate f.
That's all. No other assumptions are needed.
--
David Hopwood <david.hopwood at industrial-designers.co.uk>
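The argument in the message above (an ACL system always lets the owner subject propagate a right, so safety fails as soon as any one process running as the owner is untrusted to do so) can be made concrete as an HRU access-matrix model. The following is an added example, not code from the original post or from any system discussed in the thread; the subjects s1 and s2, the object o, the right f and the 'own' marker are constructed for illustration, and the 'grant' command stands in for the ACL rule that an owner may add rights on its object. It asks the HRU safety question for the right f under two assumptions: that any process running as s1 may issue commands, and that none does.

```python
"""HRU access-matrix model of an ACL 'owner may grant' rule.

Added example, not from the original post. Names (s1, s2, o, right 'f') are
constructed for illustration; 'own' marks the owner cell as in an ACL system
and is treated here as just another grantable right. A configuration is a
dict mapping (subject, object) -> frozenset of rights.
"""
from collections import deque
from itertools import product


def command_grant(config, granter, grantee, obj, right):
    """HRU command: if 'own' in (granter, obj) then enter `right` into
    (grantee, obj). Returns the new configuration, or None if the
    condition fails or nothing would change."""
    if "own" not in config.get((granter, obj), frozenset()):
        return None
    cell = config.get((grantee, obj), frozenset())
    if right in cell:
        return None
    new = dict(config)
    new[(grantee, obj)] = cell | {right}
    return new


def _freeze(config):
    return frozenset(config.items())


def reachable(initial, actors, subjects, objects, rights):
    """Breadth-first search over configurations reachable when only the
    subjects in `actors` issue grant commands. Finite here because the
    model has no create commands, so the matrix never grows."""
    seen = {_freeze(initial)}
    queue = deque([initial])
    while queue:
        cfg = queue.popleft()
        yield cfg
        for granter, grantee, obj, right in product(actors, subjects, objects, rights):
            nxt = command_grant(cfg, granter, grantee, obj, right)
            if nxt is not None and _freeze(nxt) not in seen:
                seen.add(_freeze(nxt))
                queue.append(nxt)


def leaks(initial, actors, subjects, objects, rights, right, target):
    """HRU safety question for one right and one cell: can `right` be
    entered into `target` from `initial`, given that only `actors` run code?"""
    return any(right in cfg.get(target, frozenset())
               for cfg in reachable(initial, actors, subjects, objects, rights))


SUBJECTS = ("s1", "s2")
OBJECTS = ("o",)
RIGHTS = ("own", "f")
# Constructed initial matrix: s1 owns o and holds f on it; s2 has nothing.
INITIAL = {("s1", "o"): frozenset({"own", "f"})}


def acl_unsafe_when_owner_process_untrusted():
    """Every process running as the owner (s1) may issue grant, so f can
    reach s2. Only one assumption is needed: some process running as the
    owner is not trusted to propagate f."""
    return leaks(INITIAL, actors=SUBJECTS, subjects=SUBJECTS, objects=OBJECTS,
                 rights=RIGHTS, right="f", target=("s2", "o"))


def acl_safe_only_if_all_owner_processes_trusted():
    """Assuming no process running as s1 ever issues grant (the 'my shell
    is non-hostile' assumption) removes s1 from the actors, and f stays put.
    The ACL mechanism itself does nothing to enforce that assumption."""
    return leaks(INITIAL, actors=("s2",), subjects=SUBJECTS, objects=OBJECTS,
                 rights=RIGHTS, right="f", target=("s2", "o"))


if __name__ == "__main__":
    print("f leaks to s2 if any s1 process is untrusted:",
          acl_unsafe_when_owner_process_untrusted())
    print("f leaks to s2 if every s1 process is trusted:",
          acl_safe_only_if_all_owner_processes_trusted())
```

The two results differ only in whether s1 is in the set of actors, which is exactly the point of the thread: the ACL rule is the same in both runs, so the safety result depends entirely on an assumption about every process that will ever run as the owner, not on anything the mechanism enforces.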