[cap-talk] Horton at HotSec '07: How broadly object/capability?
Marcus Brinkmann
marcus.brinkmann at ruhr-uni-bochum.de
Tue Jul 10 06:09:41 EDT 2007
At Thu, 09 Aug 2007 01:13:51 -0700,
Jed Donnelley <capability at webstart.com> wrote:
> For computer services to prosper we need to be able to
> utilize software from a wide variety of sources. Naturally
> we hope any software that we employ is effective at
> its chosen task and will only produce positive results.
> However, we well know that software can be intentionally
> or unintentionally destructive. The only defense against
> these sorts of problems (generally Trojan horses) is
> POLA. I can't imagine an alternative. I'd be interested
> to hear alternative suggestions in case this is just
> a failure of imagination on my part.
Heading off-topic, but you asked for brain-storming, and here are my 2
euro-cents. Some suggestions, although they may be very different
from what you had in mind:
* Improve the living conditions of all people in the world to reduce
motivation for destructive interference in other people's lives.
* Make networks more local to increase personal responsibility for
actions.
* Make systems more robust against failure, for example, by making
destructive operations closely held (eg, versioned filesystem).
While the work of this group focuses on hardening a system in an
environment that is presumed to be infinitely hostile (and comes
pretty close to that), the real environment is not static, but can be
influenced. It can even be improved.
These approaches have of course very different scope and properties
than the approaches discussed on this list. Let me foreclose the main
criticism: They do not have any provable properties, but are rather
"soft solutions". Nevertheless, I believe that work done in these
areas can have very real benefits and can address the problems that
you described at least partially.
From this perspective, computer security does not look very different
from other problems that we face collectively as a society. Take for
example environmental protection. Rather than wrapping trees in
membranes that only let through the good stuff and block the toxics,
we can do the things above: We can reduce incentive for pollution (by
taxing it), strengthen local economies and improve biodiversity, just
to give examples.
To be fair, it certainly is easier to install software on every
computer than to wrap every tree in a membrane, and superficially it
seems easier to write better software than to improve society
(although I am not quite convinced this is true in the limit!). But
you didn't ask exclusively for *technical* alternatives.
Much more can be said on these choices, but I will end it here.
Thanks,
Marcus