[cap-talk] Horton at HotSec '07: How broadly object/capability?
Jed Donnelley
capability at webstart.com
Mon Jul 9 04:13:59 EDT 2007
At 02:31 PM 7/8/2007, Pierre THIERRY wrote:
>Scribit Ivan Krstić dies 08/07/2007 hora 16:53:
> > Is this really a hot topic?
>
>If it's not hot, it should be made hot. There has been successful
>work to solve some critical security issues with capabilities,
>like CapDesk.
>
>Maybe most people want problems to remain, but for anyone interested
>in solving them, I think capabilities should be a hot topic today.
Not surprisingly I agree with this viewpoint.
My argument is:
For computer services to prosper we need to be able to
utilize software from a wide variety of sources. Naturally
we hope any software that we employ is effective at
its chosen task and will only produce positive results.
However, we well know that software can be intentionally
or unintentionally destructive. The only defense against
these sorts of problems (generally Trojan horses) is
POLA. I can't imagine an alternative. I'd be interested
to hear alternative suggestions in case this is just
a failure of imagination on my part.
Of course there are alternative approaches to providing
POLA besides "capabilities", but I don't know of any
approaches that can effectively provide dynamic fine
communication of access the way capabilities can.
Indeed this is essentially the definition of what
a 'capability' is - namely an individual communicable
permission. The fact that access control by capability
is really just another name for access control by
object, a widely used and effective computing paradigm,
is a strong argument for using object/capabilities
for POLA I believe.
The fact that an organization with as much industry
clout as Microsoft can state as their first immutable
law of computer security:
Law #1: If a bad guy can persuade you to run his program
on your computer, it's not your computer anymore.
to me just screams that there is something seriously
broken in this system. What I believe is broken is
the "ambient authority" (user) model of access control.
I simply don't see a viable alternative to capabilities
to fix this problem.
Let's please hear alternative suggestions - even as
devil's advocates. I hope we can work out some of
the nuances of this debate and then present it at
HotSec - if we choose to focus on the broad capability
topic vs. just presenting the value that can be
added to the general object/capability paradigm
with Horton.
From my perspective the object/capability paradigm
has a value - ease of achieving POLA with simple
parameter (as object) passing. The general object/
capability paradigm has been viewed by many as
having some serious (many argued fatal, e.g. in
V. D. Gligor, J. C. Huskamp, S. Welke, C. Linn, and
W. Mayfield. Traditional capability-based systems: An
analysis of their ability to meet the trusted computer
security evaluation criteria.
) problems that preclude the use of the object/
capability model despite this one obvious strength
and value.
I believe that Horton demonstrates that this
final potentially legitimate objection is
not supportable.
At this point I believe that the only objection
that can remain is that object/capability systems
are too costly (inefficient) and/or complex (related
to the cost/inefficiency). Unfortunately, I believe
the seeming complexity of Horton as described in
the paper (I don't expect many to follow the details)
will provide support for this position.
I'm not sure how to address this concern for
the potential broad discussion. It seems to me
that the issues regarding the costs for implementing
object/capabilities are quite distinct at the
different levels (language, OS, network).
At the language level I don't think there is
a substantive argument to be mounted against
object/capabilities on the basis of costs.
In this context object/capabilities are really
just objects used effectively for access control.
I don't see how anybody can effectively argue
against the use of objects at the language level.
At the network level I also don't see any way to
effectively use the cost argument against
object/capabilities. I believe all other
mechanisms have essentially the same costs
and aren't nearly as effective at supporting
POLA.
The one place where I still see something of
a valid argument being mounted is at the OS
level - contrasting the Unix/Windows 'user'
based access control model with an object/capability
model for an OS implementation.
Perhaps I should stop there and get the
opinions of others to this point before
getting into that area where I feel I have
rather weak positions.
--Jed http://www.webstart.com/jed-signature.html
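The language-level point made above (object/capabilities are just objects used for access control, and POLA comes from plain parameter passing), as an added Python example that is not from this thread or from Horton; the in-memory store, the paths, the "plugin" and the powerbox step are all constructed for illustration.

```python
# Constructed stand-in for the user's files; any code running as the user
# (ambient authority) can name and read every path in it.
USER_FILES = {
    "/home/alice/report.txt": "quarterly numbers look fine",
    "/home/alice/.ssh/id_rsa": "private key material",
}

class File:
    """Full authority over one path (read and write), held by the user."""
    def __init__(self, store: dict, path: str):
        self._store, self._path = store, path
    def read(self) -> str:
        return self._store[self._path]
    def write(self, text: str) -> None:
        self._store[self._path] = text

class ReadOnlyFile:
    """Attenuated capability: an individual, communicable permission to read
    exactly one file. It exposes read() and no way to name another path."""
    def __init__(self, f: File):
        self._read = f.read  # keep only the method we forward
    def read(self) -> str:
        return self._read()

def word_count_ambient(path: str) -> int:
    """Ambient style: the plugin resolves a name against the global store, so
    it could just as easily ask for the SSH key (Microsoft's Law #1)."""
    return len(USER_FILES[path].split())

def word_count_capability(f: ReadOnlyFile) -> int:
    """Capability style: the plugin is handed an object, not a name; its
    authority is exactly the one file behind that object."""
    return len(f.read().split())

def reachable_under_ambient() -> set:
    """Every path a misbehaving ambient-authority plugin could read."""
    return set(USER_FILES)

def run_plugin_with_pola() -> int:
    """The user (or a powerbox like CapDesk's file chooser) picks the file,
    attenuates it to read-only and passes it as a plain parameter."""
    cap = ReadOnlyFile(File(USER_FILES, "/home/alice/report.txt"))
    return word_count_capability(cap)
```

Python itself does not enforce this discipline (module globals and introspection stay reachable from the plugin), so the block shows the pattern rather than real confinement; that requires an ocap-safe language or runtime such as E.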