[cap-talk] Selling capabilities programming
Jonathan S. Shapiro
shap at eros-os.com
Wed Jul 25 12:25:44 EDT 2007
On Wed, 2007-07-25 at 21:21 +1000, James A. Donald wrote:
> > And as confinement has been shown to be quite
> > fundamental in being able to verify some security
> > properties of a system,
> The security properties of programs are not changed by
> whether they are "confined" in this sense.
I have realized recently that I (and others) have used the term
"confinement" sloppily in the past weeks. When speaking of definitions,
I have been careful to use the term correctly (confinement = all
permissions providing outward communication are authorized). But when
speaking of the impact of confinement on systems I have sometimes used
the term to mean "having no initial write authority to anything."
In my mind, there are three variants of confinement that are interesting
1. mere confinement: I know what the authorities are. They may include
broad authorities. This is fairly weak, because my choices are
very limited: I can run the program or I can choose not to run
2. strict confinement: I know that the program has no initial write
authority to anything. In consequence, I am in full control of
where it can send information.
3. TCB confinement: I know that the only write authorities initially
held by the program are to "trusted subsystems". For example,
the program may have access to a known directory instance.
The directory instance is not confined, but it executes trusted
code, and I happen to know that this directory instance contains
(by construction) only capabilities to constructors of confined
The Coyotos equivalent to /usr/bin falls in this category.
TCB confinement is less strong than strict confinement, but
for pragmatic purposes we may consider them equivalent.
Now. What you say above is strictly true: confinement (any kind) does
not alter the intrinsic properties of the program.
However: strict confinement or TCB confinement DO significantly alter
the environment in which the program executes. In many cases this
reduces the authority of the program to the point where even a hostile
program is effectively innocuous.
More information about the cap-talk