[cap-talk] Horton at HotSec '07: How broadly object/capability?

Ivan Krstić krstic at solarsail.hcs.harvard.edu
Mon Jul 9 05:44:37 EDT 2007


On Aug 9, 2007, at 5:25 AM, Jed Donnelley wrote:
> The fact that Microsoft can
> even publish their 'immutable' first law of security:

I ridiculed that law publicly at RSA this year, and the amount of accompanying laughs from the audience seemed to suggest that a non-trivial proportion of people knew that the "immutable law" is nonsense.

> 1.  There is simply no alternative but something that
> amounts to POLA to combat the inherent dangers from
> running software from a wide variety of sources (which
> is itself necessary to fully enable a software market).

Agreed.

> The argument will of course be made that certifying
> software is a viable alternative.

That position is pretty stupid, I think, and amounts to sticking one's head in the sand. We're already seeing certified malware for mobile platforms in the wild. Right now.

> 2.  To support POLA, whose essence is dynamic, there
> is no viable option other than object/capabilities.

I'm not sure I fully agree, or rather, this might be the wrong way of thinking about it. I think capabilities are very much a 90-10 system, and no one so far has been willing to spend that 90% of time nailing down the details of the last 10% of the functionality in practice. In other words, yes, capabilities are the only way I can think of achieving true POLA, but this has proven so hard in practice that perhaps achieving true POLA shouldn't be the goal.

On that note, I'd be curious to hear what you think about the Bitfrost work as a very impure and merely "capability-inspired" approach. I've found, for instance, that developers really like the system: almost all I have to tell them about how it works is "imagine your program is the only thing running on the machine, except for the OS". This is easily understood and designed for.

Cheers,

--
Ivan Krstić <krstic at solarsail.hcs.harvard.edu> | http://radian.org
