[cap-talk] Horton at HotSec '07: How broadly object/capability?
David Hopwood
david.hopwood at industrial-designers.co.uk
Wed Jul 11 12:22:53 EDT 2007
Jed Donnelley wrote:
> What really happened in the late 1980s when all
> our proud and hopeful least privilege notions finally
> disappeared into a uniformity of 'user' based access
> control?
>
> I decided to look back at this period, the time of the
> "Orange Book" and many security focused efforts to
> see if I could figure out what happened. Of course
> one aspect of things was that in that pre-Internet era,
> concerns about Trojan horses were somewhat abstract
> and not particularly focused. Still, all else being equal,
> why didn't the people at the time focusing on computer
> security push toward the least access model?
>
> I chose to focus particular attention on this document:
>
> Traditional Capability-Based Systems: An Analysis of
> Their Ability to Meet the Trusted Computer Security
> Evaluation Criteria - a scan of which can now be
> found at:
>
> http://www.webstart.com/jed/papers/P-1935/
>
> If you read through this document, the answer becomes
> abundantly clear. They argued that systems with
> communicable object references (capabilities) were
> inadequate to meet their security criteria because
> they were afraid - very afraid. They were afraid of
> loss of control.
I have to say that I think you are drastically overestimating the
effect that papers such as this one had on the history of adoption
of security mechanisms. Most people (even security professionals, I
suspect) have never heard of these papers, and if they have, it is
most likely to be from this community's responses to them.
We cannot blame anyone outside the capabilities community for our
collective failure to produce a capability OS that is complete enough
to run even a few basic demonstration apps on a PC.
--
David Hopwood <david.hopwood at industrial-designers.co.uk>