[cap-talk] Capabilities and Freedom vs. Safety

Jonathan S. Shapiro shap at eros-os.com
Wed Jul 25 13:49:09 EDT 2007


On Wed, 2007-07-25 at 13:11 -0400, David Chizmadia (JHU) wrote:

Can you expand "AA"?

>     Using this mental model, I would claim that if the AA and OCap
> models (irrespective of whether each is consistent and complete) are
> not diametrically opposed in a formal modeling sense, they are
> sufficiently far apart to seem that way to the casual observer.

Yes and no. I have not seen any advocate of ACL systems deny the math
when it is presented to them. In this sense, everyone really does agree
on what these things mean mathematically.

The point of disagreement seems to be about whether the math is relevant
to the problem that the user (or more likely in this case the
administrator) wants to solve.

  Administrator: I want to be able to disable user A's access to data X.
  Me: If A can communicate with B, and B has access to X, that is not
      possible. The only way to get that is to turn off A's account
      entirely.
  Administrator: I want to do it anyway.
  Me: And I want a pony for Christmas.

The root problem, I think, is that administrators and users tacitly
accept Microsoft's First Law, which may be paraphrased as:

  If you run hostile code on a Microsoft system you're screwed.

What the administrators accept is a consequent of this:

  .. therefore I should work real hard to control what code gets
  installed, and having done so **I shall proceed on the assumption
  that the code obeys the user**.

  [Or more precisely, that I can draw a neat line between code that
   does and code that does not.]

There is a second tacit assumption made in all human organizations:

  Most of the participants are trying to comply as best they can.
  They will violate policy locally when this is common sense, but
  they will attempt to do sensibly.

  Consequent: if A gets kicked off the X access list, and A goes
  to B, then B is going to ask why, and is *probably* not going to
  knowingly run a proxy agent for A.

If you proceed from these two assumptions, then the "disable A's access"
really *is* reducible to the ACL problem, because you are trusting both
B and B's software.

Of course, you have made two false assumptions by that point. The
problem is that these assumptions are only falsified in practice by a
small fraction of programs and users. Humans are very bad at reasoning
about sensible behavior in the face of low-likelihood events.


shap
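The reachability argument in the message above (removing A from X's ACL does not stop A obtaining X through B unless A is cut off entirely, or unless B is assumed to comply), worked as an added example that is not part of the post; the subjects, objects and channels are constructed:

```python
from collections import deque

def potential_readers(acl, channels, obj, compliant=frozenset()):
    """Return the subjects that can end up holding obj's contents.

    acl:       object -> set of subjects allowed to read it directly
    channels:  subject -> set of subjects it can send messages to
    compliant: subjects assumed NOT to forward data they hold (the
               tacit assumption that B and B's software obey policy)
    Anyone on the ACL holds the data; a non-compliant holder can forward
    it to anyone it can talk to, so we take the transitive closure.
    """
    holders = set(acl.get(obj, ()))
    work = deque(h for h in holders if h not in compliant)
    while work:
        s = work.popleft()
        for t in channels.get(s, ()):
            if t not in holders:
                holders.add(t)
                if t not in compliant:
                    work.append(t)
    return holders

def revoke_acl(acl, obj, subject):
    """The administrator's request: drop subject from obj's ACL (copy)."""
    new = {o: set(s) for o, s in acl.items()}
    new.get(obj, set()).discard(subject)
    return new

def disable_account(channels, subject):
    """The only reliable remedy named in the post: cut subject off entirely."""
    return {s: {t for t in ts if t != subject}
            for s, ts in channels.items() if s != subject}

# Constructed scenario: A and B may both read X and can talk to each other.
ACL = {"X": {"A", "B"}}
CHANNELS = {"A": {"B"}, "B": {"A"}}

if __name__ == "__main__":
    after = revoke_acl(ACL, "X", "A")
    print(potential_readers(after, CHANNELS, "X"))                   # A still reachable via B
    print(potential_readers(after, CHANNELS, "X", compliant={"B"}))  # {'B'}: reducible to the ACL
    print(potential_readers(after, disable_account(CHANNELS, "A"), "X"))  # {'B'}
```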


