[cap-talk] Capabilities and Freedom vs. Safety

James A. Donald jamesd at echeque.com
Wed Jul 25 19:24:38 EDT 2007


David Chizmadia:
 > I would strongly encourage you to voluntarily
 > discontinue active discussion on this list because
 > your now clearly stated assumptions are diametrically
 > opposed to the assumptions of pretty much everyone
 > else who is a frequent contributor.

Bitfrost seems to be implemented in the way I recommend,
and in accordance with the principles I recommend, and
is the only contribution anyone has made that stands any
immediate prospect of becoming widely used.

 > Speaking specifically for myself (but believing that
 > most others on this list share my perspective), I
 > participate in cap-talk because I am convinced that
 > access control and management schemes that attach
 > persistent ACI (Access Control Information) to the
 > access targets (usually referred to generally as
 > Ambient Authority systems, here) have intrinsic design
 > flaws that inevitably result in exploitable
 > vulnerabilities in *any* implementation! The
 > fundamental flaw, of course, being the separation of
 > the mechanism for referring a target from the
 > mechanism for specifying the authority needed to
 > access that target. This leads to well-known intrinsic
 > flaws - time-of-check-to-time-of-access (TOCTOA) and
 > Confused Deputy being the two that most immediately
 > come to mind.

What is a powerbox?

It is a privileged piece of code that does *not*
communicate the very great and durable privileges it
possesses.

The advantage of being able to communicate privileges is
that communicable privileges can be small and transient,
can be small subsets of the great and durable
privilege possessed by the originating code - can be
created just in time, and discarded as swiftly.

If some code has great and durable privileges, there is
no advantage to those great and durable privileges being
communicable, and considerable disadvantages.
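
The attenuation argument above (a holder of durable authority handing
out small, transient subsets of it that are discarded when the job is
done), set beside the confused-deputy point raised in the quoted
paragraph, as an added Python sketch. This is not Bitfrost and not any
cap-talk participant's code; Powerbox, ReadCapability and the two deputy
functions are hypothetical names chosen for the illustration, and
SAMPLE_STORE is constructed data.

```python
# Added example: attenuated, revocable capabilities handed out by a
# holder of durable authority. Illustrative code written for this
# archive page; it is not Bitfrost and not any cap-talk participant's code.
from __future__ import annotations

from typing import Callable, Dict, Tuple


class RevokedError(PermissionError):
    """Raised when a capability is used after its grantor revoked it."""


class ReadCapability:
    """A read-only reference to exactly one object.

    Possessing the object *is* the authority: there is no name to look up
    and no separate permission check, so nothing can be confused about
    which object is meant.
    """

    def __init__(self, reader: Callable[[], bytes]) -> None:
        self._reader = reader

    def read(self) -> bytes:
        return self._reader()


class Powerbox:
    """Holds broad, durable authority (the whole store) and never passes it on.

    It hands out only narrow, transient capabilities to single objects,
    each bundled with a revoker so the grantor can cut access off.
    """

    def __init__(self, store: Dict[str, bytes]) -> None:
        self._store = store  # the durable privilege; stays private

    def grant_read(self, name: str) -> Tuple[ReadCapability, Callable[[], None]]:
        if name not in self._store:
            raise KeyError(name)
        live = True  # state shared between the capability and its revoker

        def reader() -> bytes:
            if not live:
                raise RevokedError(f"read capability for {name!r} was revoked")
            return self._store[name]

        def revoke() -> None:
            nonlocal live
            live = False

        return ReadCapability(reader), revoke


def capability_deputy(cap: ReadCapability) -> int:
    """A deputy that can act only on what it was handed: it holds no store,
    no names and no write method, so it cannot be talked into touching
    anything else."""
    return len(cap.read())


def ambient_deputy(store: Dict[str, bytes], name: str) -> int:
    """The contrasting design: the deputy is given a *name* and uses its own
    ambient authority over the whole store to resolve it. Designation and
    authority are separate, so any name a caller passes is honoured."""
    return len(store[name])


# Constructed sample data for the demonstration (not from the original post).
SAMPLE_STORE: Dict[str, bytes] = {
    "public.txt": b"hello",
    "secret.key": b"0123456789abcdef",
}


def demo() -> Dict[str, object]:
    """Run both deputies and report what each could reach."""
    powerbox = Powerbox(dict(SAMPLE_STORE))
    cap, revoke = powerbox.grant_read("public.txt")

    results: Dict[str, object] = {}
    results["cap_public_len"] = capability_deputy(cap)  # 5
    revoke()  # transient privilege discarded as soon as the job is done
    try:
        capability_deputy(cap)
        results["cap_after_revoke"] = "still readable"
    except RevokedError:
        results["cap_after_revoke"] = "revoked"

    # The ambient-authority deputy reads whatever name it is handed, including
    # one its caller was never meant to reach: the confused deputy.
    results["ambient_secret_len"] = ambient_deputy(SAMPLE_STORE, "secret.key")  # 16
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The capability path gives the deputy one object and nothing to look up;
the ambient path gives it a string and trusts it to use its own broad
authority correctly, which is exactly the separation of designation from
authority that the quoted paragraph objects to.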

