[cap-talk] Capabilities and Freedom vs. Safety

David Chizmadia (JHU) chiz at cs.jhu.edu
Wed Jul 25 08:46:48 EDT 2007


I had pretty much concluded that you would say that you agree with
both statements, based on your responses earlier this morning :-(

I would strongly encourage you to voluntarily discontinue active
discussion on this list because your now clearly stated assumptions
are diametrically opposed to the assumptions of pretty much everyone
else who is a frequent contributor.

I will attempt to explain my reason for making such a blunt
suggestion, which could easily be taken as an ad-hominem attack ...

Speaking specifically for myself (but believing that most others on
this list share my perspective), I participate in cap-talk because I
am convinced that access control and management schemes that attach
persistent ACI (Access Control Information) to the access targets
(usually referred to generally as Ambient Authority systems, here)
have intrinsic design flaws that inevitably result in exploitable
vulnerabilities in *any* implementation! The fundamental flaw, of
course, being the separation of the mechanism for referring to a
target from the mechanism for specifying the authority needed to
access that target. This leads to well-known intrinsic flaws -
time-of-check-to-time-of-access (TOCTOA) and Confused Deputy being
the two that most immediately come to mind. I participate in the
cap-talk (and e-lang) mailing lists because I interpret their
charters to say that they are venues in which to explore the
hypothesis that object capability systems (OCaps) can provide all of
the functions of ambient authority systems, while not having any (or
possibly, most) of the intrinsic design flaws. There is also a
related, but distinct, hypothesis that an application designed and
implemented in the most "natural" way on an OCap system has
measurably better performance and reliability than the same
application designed and implemented in the most "natural" way on an
ambient authority system.

I am willing to admit that either or both of the hypotheses are
wrong - either in whole or in their details - but only on the basis of
either solid mathematical analysis or empirical evidence gathered
from repeatable and reproducible experiments.

So far, the analysis has supported the part of the hypothesis that
OCaps are not subject to most of the AA design flaws. Covert
channels are the main one remaining and there is strong empirical
and analytical evidence that covert channels are intrinsic to any
system in which resources are shared. With the availability of the E
language and the Joe-E framework and the imminent availability of
Coyotos, it should be possible to start practical experiments in
developing core applications for these OCap platforms based on the
functions found in the equivalent applications on existing AA
platforms. As these OCap applications are deployed, we can also
start to collect data to support analysis of the second OCap hypothesis.

In a pragmatic sense, your situation is akin to the case of an
evangelical Christian minister discussing how to live life as a
member of the faithful with a group of Muslim imams. There is
occasional agreement on extremely minor details, but fundamental
assumptions (doctrine) about the faith being lived are too disjoint
for sustainable communication to occur and appeals to Christian
doctrine in the minister's arguments irritate the hell out of the
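
The post's central claim (that separating the way a target is named from the way authority over it is conveyed produces the Confused Deputy) illustrated as an added example; this is not code from the post, the cap-talk list, or any of the platforms it mentions. It builds the classic compiler-service deputy twice: once on a toy ambient-authority filesystem, where a client supplies a file *name* and the service's own permissions decide the write, and once in object-capability style, where the reference the client hands over is the only authority the service receives. All names (AmbientFS, AmbientDeputy, FileCap, CapDeputy, the users 'alice' and 'svc', the file 'billing.log') are hypothetical.

```python
"""Added illustration, not code from the cap-talk post or any project.
Hypothetical names throughout: AmbientFS, AmbientDeputy, FileCap, CapDeputy,
users 'alice' and 'svc', file 'billing.log'."""


# ---- ambient authority: a target's name and the right to use it travel separately ----

class AmbientFS:
    """Files are addressed by name.  Whether a write is allowed depends on the
    identity that happens to be running (current_user), which the environment
    supplies; it is not passed along with the name."""

    def __init__(self):
        self.files = {}
        self.owner = {}
        self.current_user = None        # the 'ambient' part

    def create(self, name, owner, data=""):
        self.files[name] = data
        self.owner[name] = owner

    def write(self, name, data):
        # check by name, then use by name: also the shape TOCTOA races exploit
        if self.owner.get(name) != self.current_user:
            raise PermissionError(f"{self.current_user!r} cannot write {name!r}")
        self.files[name] += data


class AmbientDeputy:
    """Runs as 'svc', owns billing.log, and writes compiler output to whatever
    name the client supplies.  The name carries no authority, so the deputy
    necessarily substitutes its own: the Confused Deputy."""

    def __init__(self, fs):
        self.fs = fs

    def compile(self, client, source, output_name):
        self.fs.current_user = "svc"
        try:
            self.fs.write(output_name, f"[obj:{source}]")
            self.fs.write("billing.log", f"{client} compiled 1 unit\n")
        finally:
            self.fs.current_user = None


def run_ambient_attack():
    """alice cannot write billing.log herself, but she can *name* it as her
    output file and let the deputy write it with svc's authority.
    Returns (could_write_directly, billing_log_after_attack)."""
    fs = AmbientFS()
    fs.create("billing.log", owner="svc", data="alice owes 10\n")
    fs.create("alice.out", owner="alice")
    fs.current_user = "alice"
    try:
        fs.write("billing.log", "")
        direct = True
    except PermissionError:
        direct = False
    fs.current_user = None
    AmbientDeputy(fs).compile("alice", "main.c", "billing.log")
    return direct, fs.files["billing.log"]


# ---- object capabilities: the reference *is* the authority ----

class FileCap:
    """An unforgeable reference to one file.  Holding it is the permission;
    there is no global name to pass around and no ambient identity to check."""

    def __init__(self):
        self._data = ""

    def write(self, data):
        self._data += data

    def read(self):
        return self._data


class CapDeputy:
    """Gets the billing capability from its creator and the output capability
    from the client; it can write only where it holds a capability."""

    def __init__(self, billing_cap):
        self._billing = billing_cap

    def compile(self, client, source, output_cap):
        output_cap.write(f"[obj:{source}]")
        self._billing.write(f"{client} compiled 1 unit\n")


def run_ocap_attempt():
    """alice holds only her own FileCap.  Handing it over gets her output
    written there; handing over the *name* 'billing.log' gets her nothing,
    because a string is not a capability.
    Returns (alice_output, billing_log, name_attack_rejected)."""
    billing = FileCap()
    billing.write("alice owes 10\n")
    deputy = CapDeputy(billing)
    alice_out = FileCap()
    deputy.compile("alice", "main.c", alice_out)
    try:
        deputy.compile("alice", "main.c", "billing.log")   # str has no .write()
        rejected = False
    except AttributeError:
        rejected = True
    return alice_out.read(), billing.read(), rejected
```

In the ambient version the deputy has no way to act with the client's authority rather than its own, because the request only carries a name; the fix is not a better check but a different interface, which is what the capability version shows: the client can only designate what it already holds.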
