[cap-talk] Capabilities and Freedom vs. Safety
Toby Murray
toby.murray at comlab.ox.ac.uk
Thu Jul 26 13:37:30 EDT 2007
On Thu, 2007-07-26 at 18:03 +0100, Toby Murray wrote:
> On Thu, 2007-07-26 at 12:39 -0400, Jonathan S. Shapiro wrote:
> > Toby:
> >
> > Just to confirm that I understand you, your goal here is to reduce the
> > degree of conservatism that is inherent in equating statically
> > determined authority with feasible actions, yes?
>
> I'm trying to fix the problem inherent with equating (an upper bound
> for) authority with acquirable permissions. Acquirable permissions are
> NOT a conservative estimate for authority. They are an underestimate.
> The confused deputy example shows this.
I've just realised that I've been making an unstated assumption here.
I've been assuming that, when modelling, one wants to take subject
behaviour into account. But this need not be the case.
Previous models like HRU and SW ignore subject behaviour. In these
models, acquirable permissions is an upper bound for authority. But it's
not a very useful upper bound, since, as the object-cap model
demonstrates, the behaviour of (trusted) subjects is very important for
enforcing real security policies.
Other models like Fred Spiessens' SCOLL take into account subject
behaviour. But in this case, acquirable permissions is no longer an
upper bound for authority.
When reasoning about actual subject behaviours, acquirable permissions
underestimate a subject's (acquirable) authority. If you want to reason
about authority cognizant of subject behaviours (which is required if
you want to reason about capability patterns, for example) then we need
to go beyond acquirable permissions -- i.e. analyses for the safety
problem.
That's what I'm trying to do.
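The point Toby is making can be shown in a small model. The following is an added, constructed example (not code from the original post): a capability graph with a deputy that uses its own file capabilities on behalf of any caller, as in the confused deputy. Computing "acquirable permissions" over the graph (including what each subject's behaviour will actually share) gives an upper bound that the subject's real authority, exercised through the deputy, exceeds. All names (alice, deputy, billing.log, out.txt) are assumptions.

```python
"""Constructed toy model: acquirable permissions vs. authority once subject
behaviour (the deputy's) is taken into account.  Not from the original post."""

# Constructed capability graph: who holds a capability to what.
HOLDS = {
    "alice":  {"deputy"},                   # alice can only invoke the deputy
    "deputy": {"billing.log", "out.txt"},   # deputy can write both files
}
FILES = {"billing.log", "out.txt"}
# Behavioural fact: which held capabilities each subject will hand to callers.
# The deputy shares nothing; it only ever uses its capabilities itself.
SHARES = {"alice": set(), "deputy": set()}

def acquirable_permissions(subject):
    """Capabilities `subject` holds or could be handed by subjects it can reach.
    This is the HRU/SW-style bound, refined by the SHARES behaviour."""
    perms = set(HOLDS.get(subject, ()))
    frontier = list(perms)
    while frontier:
        s = frontier.pop()
        for c in SHARES.get(s, set()) & HOLDS.get(s, set()):
            if c not in perms:
                perms.add(c)
                frontier.append(c)
    return perms

def deputy_write(caller, target, data, log):
    """The deputy's behaviour: write `data` to whatever file the caller names,
    using the deputy's own capability, without asking whether the caller holds
    one.  Returns True if the write happened."""
    if target in HOLDS["deputy"]:
        log.append((caller, target, data))
        return True
    return False

def authority(subject, names=FILES):
    """Files `subject` can cause to be written: directly through its own
    capabilities, or indirectly by naming them to a deputy it can invoke."""
    affected = {f for f in HOLDS.get(subject, ()) if f in FILES}
    if "deputy" in HOLDS.get(subject, ()):
        for name in names:
            if deputy_write(subject, name, "x", []):
                affected.add(name)
    return affected

def permissions_underestimate_authority(subject):
    """True when the subject's authority reaches objects its acquirable
    permissions never include (the situation described in the post)."""
    return not authority(subject) <= acquirable_permissions(subject)
```

Flipping `SHARES["deputy"]` to `{"out.txt"}` moves that file into alice's acquirable permissions, but `billing.log` still lies outside them while remaining inside her authority.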