[cap-talk] Selling capabilities programming

Jonathan S. Shapiro shap at eros-os.com
Wed Jul 25 12:25:44 EDT 2007 

On Wed, 2007-07-25 at 21:21 +1000, James A. Donald wrote:

>  > And as confinement has been shown to be quite
>  > fundamental in being able to verify some security
>  > properties of a system,
> 
> The security properties of programs are not changed by
> whether they are "confined" in this sense.

I have realized recently that I (and others) have used the term
"confinement" sloppily in the past weeks. When speaking of definitions,
I have been careful to use the term correctly (confinement = all
permissions providing outward communication are authorized). But when
speaking of the impact of confinement on systems I have sometimes used
the term to mean "having no initial write authority to anything."

In my mind, there are three variants of confinement that are interesting
to consider:

1. mere confinement: I know what the authorities are. They may include
     broad authorities. This is fairly weak, because my choices are
     very limited: I can run the program or I can choose not to run
     the program.

2. strict confinement: I know that the program has no initial write
     authority to anything. In consequence, I am in full control of
     where it can send information.

3. TCB confinement: I know that the only write authorities initially
     held by the program are to "trusted subsystems". For example,
     the program may have access to a known directory instance.
     The directory instance is not confined, but it executes trusted
     code, and I happen to know that this directory instance contains
     (by construction) only capabilities to constructors of confined
     subsystems.

     The Coyotos equivalent to /usr/bin falls in this category.

     TCB confinement is less strong than strict confinement, but
     for pragmatic purposes we may consider them equivalent.

Now. What you say above is strictly true: confinement (any kind) does
not alter the intrinsic properties of the program.

However: strict confinement or TCB confinement DO significantly alter
the environment in which the program executes. In many cases this
reduces the authority of the program to the point where even a hostile
program is effectively innocuous.


shap

More information about the cap-talk mailing list