[cap-talk] Capabilities and Freedom vs. Safety
David Chizmadia (JHU)
chiz at cs.jhu.edu
Tue Jul 24 22:18:49 EDT 2007
James,
I can read (at least) two possible meanings into your statement that:
> ... every durable privilege is a security flaw.
On my first through third readings, I interpreted it to mean that a
system that you would consider to be "properly" engineered should
never contain durable privileges, since their durability is
intrinsically insecure.
On my fourth and fifth readings, I noticed your next statement that:
> Any program that do(es) enough to be useful, can do enough
> to harm you. The point is to reduce the potential harm,
> and to detect it, not to eliminate potential harm.
and realized that you might have meant to say that all function in a
system can be used for either "good" or "evil" intent. Such an
interpretation is logically consistent with the observation (which I
heard from Mario Tinto in the late '80s) that "one only has a
security problem when sharing is required in a system."
Would you please clarify which meaning you intended?
-DMC