[cap-talk] Horton at HotSec '07: How broadly object/capability?

Jed Donnelley capability at webstart.com
Mon Jul 9 05:27:30 EDT 2007


At 01:52 AM 7/9/2007, Ivan Krstić wrote:

>On Aug 9, 2007, at 4:13 AM, Jed Donnelley wrote:
> > that the issues regarding the costs for implementing
> > object/capabilities are quite distinct at the
> > different levels (language, OS, network).
>
>Capsys people tend to say things like "capabilities are easy, just
>use our language!" or "capabilities are easy, just use our OS!", and
>this is clearly out of touch with reality. ...The bottom line then
>comes down to integrating capabilities with existing approaches
>(languages, OSes) which have had a long time to become entrenched
>in their current form, and are now regarded with a strong "I'd
>rather deal with something bad that I understand than
>something good that I don't" attitude by many stakeholders.
>
>Ignorance and inertia are by no means insurmountable, but by every
>means formidable.

Having worked on the problems of getting past
inertia and ignorance to effectively apply POLA to
allow more general sharing of software by effectively
combating the problems from Trojan horses (whether
intentionally or only inadvertently destructive) for
well over 30 years, I will certainly not argue that
switching to an object/capability model of access
control is 'easy'.  As you say, the issues of inertia
are very substantial.  The fact that Microsoft can
even publish their 'immutable' first law of security:

Law #1: If a bad guy can persuade you to run his program
on your computer, it's not your computer anymore.

suggests quite clearly to me just how entrenched the
current ambient authority ('user') based access control
scheme is.  It's so entrenched that most computer
professionals can't even imagine (as you mention, this
is the ignorance angle) an alternative.

That's why I believe it is so important to break down
the arguments for object/capabilities into clear
steps:

1.  There is simply no alternative but something that
amounts to POLA to combat the inherent dangers from
running software from a wide variety of sources (which
is itself necessary to fully enable a software market).

The argument will of course be made that certifying
software is a viable alternative.  I disagree with
this position, but believe the discussion is worthwhile.
Of course certification and POLA can work together
with each enhancing the other, but certification
by itself will always be inadequate in my opinion.

2.  To support POLA, whose essence is dynamic, there
is no viable option other than object/capabilities.

As you say there is nothing easy about change in this
area.  Any such change that happens will be very,
very expensive.  It's partly for this reason that
I believe implementations of the object/capability
paradigm in areas where they can be new implementations
of new facilities (e.g. in the network area) rather
than requiring changes to existing implementations
will be the easiest to get into place and will likely
have the earliest success.

In any case I believe the general values and costs
are the most important aspects for people to understand
in terms of the design tradeoffs that they face
for any implementations - e.g. in the context of
a workshop like HotSec.

We've shown with Horton that one can track who did
what with simple object/capabilities.  To me this
removes one barrier to the use of the object/
capability paradigm for access control.  At that
point I think it important to review the other
cost/benefit trade-offs.  This is what I suggest
we focus on for the HotSec workshop.

--Jed  http://www.webstart.com/jed-signature.html 