[cap-talk] POLA v. Trojans
Jonathan S. Shapiro
shap at eros-os.com
Wed Jul 11 18:09:47 EDT 2007
On Wed, 2007-07-11 at 12:32 -0700, Jed Donnelley wrote:
> It would only be if the IT community felt strongly that POLA and
> capabilities were the right (only, effective, ...) solution to an
> important problem (e.g. Trojan horses in their various forms) that
> such work would be seen as important, would get funded and would be
> done.
Unfortunately, on this point the IT community was partly right.
There are two types of Trojan Horses:
1. Programs that behave maliciously.
2. Programs that exfiltrate information.
The first category certainly wasn't ignored, but in the context of
TCSEC, a great deal of attention was being focused on the second
category, and particularly on exfiltration via covert channels.
So far as I know, capabilities don't help the covert channel suppression
problem. Indirectly, I think they *do* help because they tend to lead to
system architectures with more precise models of resource multiplexing,
but that is an *opinion*, not a testable fact. Of course, ACLs don't
help against covert channels either. Neither does RBAC. Prayer may help,
but controlled experiments are thin on the ground. :-) My opinion is
that covert channel suppression is mostly unrelated to *overt* access
control.
Unfortunately, Lampson didn't distinguish covert from overt
communication in his description of the confinement problem. One of the
major critiques of our later verification proof was that by failing to
consider covert channels we were effectively redefining the confinement
property. Avi Silberschatz gleefully reiterated this accusation as
recently as three years ago while acting as a customer advisor. The
accusation is, of course, completely correct. We saw no reason to
promulgate a useless and misleading conflation.
Problem is: academics don't argue for what makes sense. They argue for
what can be published or what will serve to re-establish [human]
dominance. Avi understands perfectly well that his accusation is, at
best, disingenuous. In my opinion it's an open flame in a munitions
factory. Avi doesn't care. The statement let him put down a junior
colleague and made him look good in front of his employer of the day.
The other thing about academics (and everyone else, of course) is that
they do not critically scrutinize favorite ideas as carefully as
opposing ideas. I have *never* seen ACLs criticized on the grounds that
they cannot defeat covert channels.
And in this type of area science readily becomes politics. If you get a
bad meme in circulation, you can shift rationales to perpetuate it. The
initial bad meme inserted by Boebert and Air Force redactors gave
capabilities a bad name. Once that was established, Boebert's view came
under challenge and people like Avi and others shifted arguments to the
covert channel issue. It didn't matter that the issue couldn't be
addressed in other systems; it was sufficient to show that capabilities
were not a universal solution justifying a major investment shift.
Anybody who thinks that science is an apolitical process doesn't
understand human nature. Anybody who thinks that science doesn't suffer
from orthodoxy doesn't understand either science or religion.
shap
--
Jonathan S. Shapiro, Ph.D.
Managing Director
The EROS Group, LLC