[cap-talk] Selling capabilities programming
Jonathan S. Shapiro
shap at eros-os.com
Fri Jul 20 11:41:14 EDT 2007
On Fri, 2007-07-20 at 15:41 +1000, James A. Donald wrote:
> Secure systems typically come under attack at the weakest link - the
> user (who is usually also the system administrator). If it was not for
> those dang end users, it would be easy to make a 100% secure system. :-)
This is not correct.
Secure systems typically come under attack at the cheapest point of
attack. This is *often* the user, but not always. It depends on what the
attack is trying to achieve and what means are available to the
I definitely agree that users are the most common "low cost point of
attack". In fact, they are also the most common *source* of attack. This
is why the distinction between freedom and oblivious safety is an
important thing to think about in designs.
I merely raise the point because we don't want to ignore other sources
> Thus an elegant explanation of why "my great idea is 100% secure, and
> other great ideas are not", needs to be viewed with extreme suspicion when
> an account of end users is entirely absent from both ideas.
[Quotes inserted above by me]
Umm. Sure. But I haven't seen *anybody* here claim anything like that.
> The user is where you need to start...
> Also what I have in mind is Plash plus bunch of other stuff: Plash plus
> a cap shell in place of bash shell, plus something very like Synaptic
> Package manager, but which would install programs inside appropriate
> Plash sandboxes.
James: this is really very funny, mainly because you don't know the
history of this stuff. Plash was an attempt to retrofit capability ideas
into the UNIX system in order to make things a little safer. It started
from our discussions about capability shells. Those, in turn, followed
from earlier discussions between Mark Miller and myself. I'm sure that
we were not the first.
The specific ideas for Plash came out of my laboratory at Johns Hopkins.
Mark Seaborn did not stay with the lab, but he did pursue the Plash
work, and it is very good work.
What is funny here is how you are pounding the table and ranting about
how we are ignoring what is important, when in fact we were paying
attention and doing something about it many years before you came on the
> > Does Joe-E meet these criteria?
> You don't present a language to end users. You present a language to
> developers, who may develop, or fail to develop, a system that will be
> presented to end users and used by end users.
Umm. James? Have you noticed that 'sh' and 'csh' are languages? And
technically, the MS Desktop is a language. One expressed in clicks, to
be sure, but still a language.
What you are really arguing is that most end users should not be
presented with a *programming* language but rather with a command
language. That is: that the two should not be merged.
I have mixed feelings about this view. Much of me tends to agree with
you, but it creates a problem. When developers do not see an environment
very similar to the ones that users work in, they quickly cease to
appreciate how the users see that environment.
> Writing secure software is an easy problem.