[cap-talk] Selling capabilities programming
James A. Donald
jamesd at echeque.com
Sat Jul 21 19:47:25 EDT 2007
Jonathan S. Shapiro wrote:
> Consider a hostile Word scripting virus. It somehow
> comes in to possession of a sensitive authority that
> it is not supposed to have. It propagates and
> preserves this authority by writing it to and from
> Word files as they are stored.
>
> The only reason this propagation is possible is that
> the capabilities are not protected.
No, the reason this propagation is possible is that the
capability is durable. What is Word doing with a
durable capability, other than the capability to access
its own configuration files?
If capabilities are data, addresses in a sparse address
space, capabilities are secrets, often secrets used for
symmetric encryption. It is standard procedure in
cryptography to continually regenerate and discard all
such secrets. Durable secrets are always regarded as a
problem, and durable shared secrets are always regarded
as a special problem, a weakness and a flaw. Sure,
durable capabilities should not be represented by
durable shared secrets if this can at all be avoided.
And also the pope is Catholic and bears shit in the
woods.
Further, if Word possesses a durable capability that can
be abused, the virus does not *need* to write it - it can
just use it regardless.
Thus in your example, protection does not buy you much -
if non-durable, the capability cannot be propagated by
writing it to Word files; if durable, it does not need to
be written to doc files.
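A toy model of the contrast argued above, added here as an example (it is not code from this thread, from Shapiro or from Donald): capabilities are sparse random tokens, either minted per session and discarded at session end (non-durable) or kept across sessions (durable). The class and function names, and the "payroll-share" object, are assumptions made for the illustration.

```python
import secrets


class Registry:
    """Maps capability tokens (sparse, unguessable addresses) to objects.

    durable=False: every token is forgotten when a new session opens, so a
    token copied into a saved document is worthless once the program restarts.
    durable=True:  tokens survive restarts, i.e. they are durable secrets.
    """

    def __init__(self, durable: bool):
        self.durable = durable
        self._live = {}      # token -> designated object
        self._session = 0

    def open_session(self):
        """Start a new run of the program (e.g. relaunching Word)."""
        self._session += 1
        if not self.durable:
            self._live = {}  # regenerate-and-discard: drop last session's tokens

    def grant(self, designated):
        token = secrets.token_hex(16)  # 128 random bits: not guessable
        self._live[token] = designated
        return token

    def invoke(self, token):
        """Return the designated object, or None if the token is not live."""
        return self._live.get(token)


def replay_after_restart(durable: bool) -> bool:
    """Does a token stashed in a saved document still work in the next session?

    Models the propagation path from the quoted message: a script copies a
    capability into a document, the program is restarted, and the document is
    reopened. Only a durable token survives the round trip.
    """
    reg = Registry(durable)
    reg.open_session()
    cap = reg.grant("payroll-share")            # constructed sample object
    saved_doc = {"body": "hello", "hidden": cap}  # constructed document
    reg.open_session()                           # program restarted
    return reg.invoke(saved_doc["hidden"]) is not None
```

Note that in the durable case the script already holds a usable token inside the running program, which is the post's second point: persistence to disk adds nothing it did not have.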