[cap-talk] Capabilities and Freedom vs. Safety

Jonathan S. Shapiro shap at eros-os.com
Fri Jul 20 11:27:29 EDT 2007


On Thu, 2007-07-19 at 21:44 -0700, David Wagner wrote:
> One of the intended uses
> of capabilities (in some systems) is that they enable construction of
> more secure applications.  In that case, propagation may be controlled
> by the structure of the application logic, not by Aunt Vera.
> 
> This is an important distinction.

Yes. And at this point we should note a philosophical issue. I ran into
it while talking with the Hurd folks. The following is *my*
characterization of the discussion. I am sure that I will not represent
their views quite right, but I shall try. Definitions taken from

  http://www.naciente.com/essay36.htm

mainly because I found him more concise and clearer than most.

Many people on the Hurd list want to maximize "freedom". Until recently,
I failed to appreciate that they were using "freedom" as a technical
term. Freedom means "the exemption from control by some other person, or
from arbitrary restriction of specific defined rights like Worship or
Speech".

In consequence, many of the Hurd group believe that the user should be
in total control of their systems. In this view, it should not be
possible for a vendor to hide their code from the machine owner, nor
should it be possible for any program to guard itself from inspection by
the owner. They argue that it is stupid to hide things from someone who
can scan the drive. I disagree, but their position is consistent.

Unfortunately, the desire for freedom is not perfectly aligned with the
need for safety. By safety, I mean "the need to preserve and maintain an
environment that preserves the ability to *exercise* freedom
consistently and effectively in practice".

The problem is that in a computing system which is totally free, it is
very easy to take actions whose consequence is that freedom is
unintentionally lost and/or compromise is assured. Most users are not
competent to determine which of these actions are which, and some are
surprisingly counter-intuitive.

If users lived in non-networked worlds, it might be reasonable to
declare "caveat emptor" and let them hang themselves. We would sell
fewer systems that way, but there is no ethical problem with that
position.

In the real world, systems are networked. One consequence is that your
mistakes have a negative impact on me, in the sense that your
compromised system becomes a basis for attacking mine. The interaction
of your freedoms and my freedoms must therefore be considered. In
consequence, some of the actions you might take on your machine cease to
be exercises of freedom and begin to be exercises of license: actions
that undermine the freedom of others or the liberties of society.

Determining where the line lies is a constant balancing act, but I
believe that it is a responsibility of knowledgeable designers to assist
in maintaining the balance of freedoms for all users. In consequence, I
believe that it is ethically obligatory to design limitations into our
systems to prevent inadvertent or intentional abuse where we know how to
do so in a way that (on balance) respects the need for legitimate uses.
A key element of this is creating systems in which naive users can be
"obliviously safe", and even more so, in which naive users cannot
undermine the oblivious safety of other, connected users.


I should add here that the Hurd folks have proceeded further and more
successfully in their architecture path than I had believed possible. I
still don't think that they are building what I want, but there are
valid reasons for their choices. Ultimately, my disconnect with their
architectural philosophy is that they do not appear to accept the goal
of supporting the oblivious safety of others. Perhaps that is not fair;
it is possible that either they haven't gotten this far in their
thinking yet, or that they have addressed the issue in some way that I
have not yet discerned.

David Wagner's words above capture the essential technical issue well:

> ... propagation may be controlled
> by the structure of the application logic, not by Aunt Vera.

I would add: "or by the structure of the *system* logic". I would add
further that support for oblivious safety cannot be achieved without
such controls.


shap
