[cap-talk] Horton context presentation

Jed Donnelley capability at webstart.com
Sun Jul 15 03:41:25 EDT 2007

At 03:53 PM 7/14/2007, David Hopwood wrote:
>David Chizmadia (JHU) wrote:
> > Jed,
> >> [...] I'm very partial still at this point to
> >> using Law #1 to focus attention on the problem with the
> >> dominant user/ACL access control paradigm.  Do you (others)
> >> disagree?  If so, can you explain why?
> >
> >     I would see Law #1 as a rather good summary of the problems with
> > existing models.

I agree.

> > It then provides an opening for an aside that the
> > ocap community is convinced that ocaps provide an opportunity to
> > disprove the law.
>No, the "law" is simply nonsense. Consider (non-capability-based)
>scripting languages such as Javascript, if for the sake of argument
>they were properly implemented. Microsoft presumably doesn't mean to
>say that if you go to a web page containing Javascript in IE, then
>it is just fine for your computer to be "not your computer any more".

Right.  Microsoft is referring to ordinary program execution
as with .exe binaries.  It is a fine point, but one could argue
that interpretation of something like Javascript source is not
really "running a program".  Still, one can create environments
in which even binary code can be run safely.  The 'sandbox' concept
certainly is focused on trying to create at least safer execution

For all that, I'm certainly more in David Chizmadia's camp
on this one.  The fact that Microsoft's first 'immutable'
law is still there "on the books" does seem to me quite
indicative that there is a problem in the current market
leading program execution environments.

Sure, sandboxes and the like are efforts to improve
this situation.  To me any such 'virtual machine'
(hardware or software) execution environments don't
address the fundamental issue which is dynamic
management of POLA.

>In general, I don't think we should spend too much time harping on
>about others' mistakes when they are this obvious.

The above statement and your statement about P1-935:

>Jed, I think that you place a much higher significance on this
>paper than the majority of other people here.

provide an opportunity to see if we can test the waters
on current thinking in this area, particularly in the
defense community (e.g. the NSA where I believe work is
still active on SELinux sorts of mechanisms).

Many of us argued against papers like P1-935 (which
as far as I know was the definitive document focused
on capability system vs. alternatives.  If not, please
point to another), the Rainbow documents, etc. at the
time.  Those arguments went for naught and generally
the computer security community continued to pursue
user/ACL based security mechanisms.

Are you suggesting that things are different today?
That is, that the people who I continue to hear
arguing for MACs (e.g. the guy deploying SELinux
who I heard touting it just last week) recognize the
fallacy of the positions taken by P1-935 against

Let me ask - if object/capabilities were to become
more active again, and if perhaps another paper were
written along the lines of P1-935 (evaluating capabilities
against the best computer security criteria of the day),
do you believe the conclusions would be substantively
different?  What about you David Chizmadia?

At 12:36 PM 7/14/2007, David Chizmadia (JHU) wrote:
>     I should note that I still identify closely with that TCSEC
>community - since I was a member of it from 1986-1996. I worked
>closely with many of the people who wrote the IDA document - either
>as a contract manager or a colleague on specific evaluation or
>guideline projects. On the other hand, since 1996 I've been working
>with the OMG and therefore have developed a strong affinity for the
>O-O approach to thinking about designs.

It seems to me that above would suggest that David C is
in a pretty good position to answer my question above.
David C, are you still connected to any of the community
that was involved with TCSEC?  You say that you now have
an affinity for the O-O approach (guessing by that you
include for access control?)  Do you believe the thinking
in 'that other community' (I don't know what else to
say there - I know that guy I heard last week was definitely
still part of that community) has shifted significantly?
Do you believe that there is at least more openness to
the use of object references (ocaps) for communicating
permissions via messages?  All the work that I see is
still diametrically opposed to anything of the sort.
Do you see other work that perhaps you can point us
to that might suggest some support from that direction
for communicable permission tokens?

--Jed  http://www.webstart.com/jed-signature.html 
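An added illustration, not part of this thread and not anyone's posted code, of the contrast argued above: under the user/ACL model a program inherits the user's entire authority (which is exactly why Microsoft's Law #1 holds), whereas an object capability handed to the program carries only one file's read authority and can be taken back, i.e. dynamic management of POLA. FileStore, ReadCap, the function names and the file contents are all constructed for the demo.

```python
class FileStore:
    """Constructed stand-in for everything the user can reach on 'your computer'."""
    def __init__(self):
        self.files = {"report.txt": "quarterly numbers", "ssh_key": "SECRET"}
    def read(self, name):
        return self.files[name]
    def write(self, name, data):
        self.files[name] = data

class ReadCap:
    """Object capability: a read-only reference to ONE file that the grantor
    can revoke later (dynamic management of POLA). Caveat: plain Python does
    not enforce encapsulation (cap._store is reachable); an ocap language would."""
    def __init__(self, store, name):
        self._store, self._name, self._live = store, name, True
    def read(self):
        if not self._live:
            raise PermissionError("capability revoked")
        return self._store.read(self._name)
    def revoke(self):
        self._live = False

def run_under_acl(store):
    """User/ACL model: the program runs *as the user* and inherits every
    permission the user has (ambient authority), not just what the task needs."""
    summary = store.read("report.txt")   # the job it was asked to do
    leaked = store.read("ssh_key")       # ...plus anything else the user can reach
    store.write("ssh_key", "overwritten")
    return summary, leaked

def run_under_ocap(cap):
    """Ocap model: the program gets only the reference it was handed."""
    return cap.read()                    # no ambient store to name other files

def demo():
    acl_store = FileStore()
    _, leaked = run_under_acl(acl_store)
    ocap_store = FileStore()
    cap = ReadCap(ocap_store, "report.txt")
    summary = run_under_ocap(cap)
    cap.revoke()                         # grantor takes the authority back
    try:
        cap.read()
        revoked = False
    except PermissionError:
        revoked = True
    return dict(acl_leaked=leaked, acl_key_after=acl_store.files["ssh_key"],
                ocap_summary=summary, ocap_key_after=ocap_store.files["ssh_key"],
                revoked=revoked)
```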
