[cap-talk] Declaring a victory

Jed Donnelley JEDonnelley at lbl.gov
Sat Aug 11 13:33:35 EDT 2007


----- Original Message -----
From: Mark Miller <erights at gmail.com>
Date: Saturday, August 11, 2007 3:36 am
Subject: [cap-talk] Declaring a victory
To: "General discussions concerning capability systems." <cap-talk at mail.eros-os.org>

> This last week was Usenix Security http://www.usenix.org/events/sec07/
> Among the members of this list who attended were Jed Donnelley,
> Ka-Ping Yee, Adrian Mettler, David Wagner, Ben Laurie, and I.
> 
> First, the bad news:
> 
> Our Hotsec talk on Horton
> <http://www.erights.org/elib/capability/horton/> went over like a lead
> balloon. It's not that people didn't like it, it's just that people
> mostly didn't care. We got very few questions and discussion. Perhaps
> it's partially because we were the second talk so people weren't awake
> yet.
> 
> But from talking to people during the break, I think the main problem
> is that we *way* overestimated the degree to which the audience
> already understood the basics of capabilities. In retrospect, even
> with only 15 minutes to talk, we should have spent more time on ocap
> basics and less on Horton. To most of the audience, our talk was
> probably just "another talk in some formalism I don't get, so I'll
> just sit here politely until it's over." Oh well.
> 
> I know we discussed this before on cap-talk. I was impressed by how
> clued-in to ocaps the referees were, and on this basis had assumed we
> were finally past needing to recap the basics. After the workshop I
> discussed this with one of the organizers who observed "oh yeah, most
> of the referees weren't here."
> 
> In any case, some people did pick up on the idea of supporting
> decentralized identity with corroboration networks for decentralized
> reputation feedback. Others were intrigued by the motivating web
> example Jed presented at the beginning of the talk (which Jed now
> calls CapDoc). During the breaks we got some exciting discussion of
> these ideas.

I'll second the above.  Quite a number of people understand the basic
threat from running applications with ambient authority.   There was
at least one paper that I remember that addressed this issue
through an ad hoc mechanism (binding file types to access by
matching applications).

In discussions between talks many people understood the
basic issues and came to appreciate the capability/POLA
approach.  Often times a concern was expressed essentially
along the lines of, yeah, but won't specifying all the permissions
for an application be a mess along the lines of SELinux?

Demonstrating or at least describing CapDesk was very
helpful.  I think I need an instance of CapDesk conveniently
handy for such demos.

I also got quite a bit of resonance regarding the Web
capabilities mechanism that I've started to call "CapDoc"
(CapWiki seeming to imply a different ACL sort of
access control mechanism) - more on that below.

> A completely different piece of disappointing news: Adrian, Jed, and I
> counted the papers presented at Usenix. We estimated that 18 out of 34
> of these papers were variations on the theme: Obviously insecure
> systems get hacked.
> 
> Now the good news:
> 
> Throughout Usenix, I discussed ocaps with people. Over and over,
> various questions would come up, like "in an ocap system, how does an
> app get the caps it needs". To answer, I would show them capDesk. I
> probably demo-ed capDesk about 30 times. Really. Light bulbs went on.
> People asked good questions, and discussions were quickly able to move
> on to the real issues.
> 
> The biggest good news is a general impression that our most important
> battle is now behind us. Capabilities are no longer dismissed. It's
> certainly not that people are convinced. But they're properly
> skeptical and interested. Many people wanted to discuss how ocaps
> might help with web security problems. After decades in the dog house,
> the ocap question is back on the table again and treated respectfully.
> This is huge.

I agree.  People want something to deal with unconstrained applications.
Capabilities seem to offer the only option that has any discipline.

I'm in South Station waiting for a train, but I'll try to give a rough idea
of the CapDoc facility.  Think about something like WideWord:

https://wideword.net/doc/i%2Bej6NZzbDWtc2k444Nk%2FQ%3D%3D

supported by an application on your workstation (could be remote,
but think local for now).  When you install you get an identity in the
form of a sealer/unsealer pair.  The unsealer can even be unseal-once
only, to ease storage/accounting issues.  You also get a
capability that can be used to send and receive messages to
you.   If anybody else gives you their identity capability (e.g. via
email) you can generate a capability for them (labeled with
their responsibility) that can send you messages - and do the
Horton identity transformation in the process (labeling the
capability as having been delegated from them to you).

By this means you can build up a set of email-like
addresses but with responsibility tracking.

Now you create documents along the lines of Wideword.
You can send capabilities through the message mechanism
to others, thereby delegating a capability.

At any time you can ask your capabilities who has
been delegated capabilities to the object.  You can
revoke any downstream delegations.  Oh well, maybe
I shouldn't send this as it is very rough and I have to
leave now.  I'll pick this up when I can.

--JED  http://www.nersc.gov/~jed/
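A toy model, added here and not part of Jed's message or of any CapDoc implementation, of the delegation bookkeeping the message sketches: each document capability carries a responsibility label (the chain of identities it passed through, extended Horton-style on every delegation), the holder can list who has been delegated capabilities downstream, and can revoke any downstream delegation. The identity names and the tuple-chain representation are assumptions.

```python
from dataclasses import dataclass, field

@dataclass(eq=False)
class DocCap:
    """Capability to a document, labeled with the chain of identities it
    passed through (oldest first; the last entry is the current holder)."""
    doc: str                        # the document contents being shared
    chain: tuple                    # responsibility label, e.g. ("jed", "mark")
    parent: "DocCap | None" = None  # the cap this one was delegated from
    children: list = field(default_factory=list)
    revoked: bool = False

    def is_revoked(self) -> bool:
        # Revoking any upstream delegation cuts off everything below it.
        cap = self
        while cap is not None:
            if cap.revoked:
                return True
            cap = cap.parent
        return False

    def read(self) -> str:
        if self.is_revoked():
            raise PermissionError(f"cap held by {self.chain[-1]} is revoked")
        return self.doc

    def delegate(self, to: str) -> "DocCap":
        # Horton-style relabeling: the new cap records "holder -> to";
        # if this cap is later revoked, the child is revoked with it.
        child = DocCap(self.doc, self.chain + (to,), parent=self)
        self.children.append(child)
        return child

    def delegates(self) -> list:
        # Every downstream delegation label, transitively.
        out = []
        for child in self.children:
            out.append(child.chain)
            out.extend(child.delegates())
        return out

    def revoke_downstream(self, holder: str) -> int:
        # Revoke every delegation below this cap that `holder` received.
        n = 0
        for child in self.children:
            if child.chain[-1] == holder and not child.revoked:
                child.revoked = True
                n += 1
            n += child.revoke_downstream(holder)
        return n
```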

