[cap-talk] Capabilities and Freedom vs. Safety

Jonathan S. Shapiro shap at eros-os.com
Thu Jul 26 13:57:49 EDT 2007


On Thu, 2007-07-26 at 18:03 +0100, Toby Murray wrote:
> On Thu, 2007-07-26 at 12:39 -0400, Jonathan S. Shapiro wrote:
> > On Thu, 2007-07-26 at 16:39 +0100, Toby Murray wrote:
> > 
> > > This of course depends on one's definition of "adequate". However, my
> > > definition of adequate includes the ability to discover when
> > > (subject/object) Alice has the authority to invoke Bob but can't acquire
> > > the permission to do so. This requires (counterfactual) causal reasoning
> > > in order to make this determination. (I know you know, but for the
> > > benefit of anyone else reading) we've discussed this somewhat recently
> > > on the list. My own work with CSP is trying to do exactly this.
> > 
> > Toby:
> > 
> > Just to confirm that I understand you, your goal here is to reduce the
> > degree of conservatism that is inherent in equating statically
> > determined authority with feasible actions, yes?
> 
> I'm trying to fix the problem inherent with equating (an upper bound
> for) authority with acquirable permissions. Acquirable permissions are
> NOT a conservative estimate for authority. They are an underestimate.
> The confused deputy example shows this. 

I agree. Acquirable permissions are equivalent to authority only under
the "maximum collaboration" assumption (all processes will collaborate
in attack by sharing the capabilities that they hold). This is the
assumption made by the confinement verification proof, for example.

> This demonstrates that analyses for the safety problem provide an inherent
> underestimate of a subject's authority. This is what I want to overcome.

I disagree. The safety property is, in some sense, misnamed. When the
answer comes out "cannot prevent propagation", you are done (with an
undesired outcome). When the answer comes out "can prevent propagation",
you aren't done yet. At that point you have to look at *particular*
configurations and see if those configurations do, in fact, prevent the
propagation in question.

So I don't think that it is an underestimate. It is a negative litmus
test, not a positive litmus test.


shap
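The gap the two posts argue over, in a constructed toy model that is not from the thread, from EROS or from any real capability system: a deputy (the classic compiler holding write permission on a billing file) lets Alice cause a write she can never acquire the permission for, so her authority exceeds her acquirable permissions unless the "maximum collaboration" assumption is made. All subject and object names are illustrative.

```python
# Constructed toy model: acquirable permissions vs. authority (confused deputy).
# Not code from the cap-talk thread or from EROS; names are illustrative.

PERMS = {            # subject -> objects the subject holds a permission to
    "alice":    {"compiler", "alice_out"},
    "compiler": {"billing", "alice_out"},   # deputy: may write billing and client output
    "bob":      {"bob_out"},
}
DATA = {"billing", "alice_out", "bob_out"}  # passive objects: hold no permissions


def acquirable(subject, max_collaboration):
    """Permissions `subject` can come to hold.
    max_collaboration=True: every subject it can reach hands over all it holds
    (the assumption the confinement proof makes). False: nobody shares, so the
    bound is exactly what the subject already holds."""
    if not max_collaboration:
        return set(PERMS[subject])
    seen, todo = set(), [subject]
    while todo:
        s = todo.pop()
        for p in PERMS.get(s, ()):
            if p not in seen:
                seen.add(p)
                if p in PERMS:          # reached another subject: it shares too
                    todo.append(p)
    return seen


def invoke_compiler(caller, out_name):
    """Confused deputy: the compiler writes to whatever name the caller supplies,
    checking only its *own* permission, never the caller's. Returns objects written."""
    if "compiler" not in PERMS[caller]:
        return set()                         # caller cannot even reach the deputy
    return {out_name} if out_name in PERMS["compiler"] else set()


def authority(subject):
    """Objects `subject` can cause a write to: its own data permissions plus
    whatever a deputy it can invoke will write on its behalf."""
    reach = {p for p in PERMS[subject] if p in DATA}
    if "compiler" in PERMS[subject]:
        for target in DATA:                  # caller may name any object as output
            reach |= invoke_compiler(subject, target)
    return reach


def underestimates(subject, max_collaboration):
    """True when the acquirable-permission bound misses part of the authority."""
    return not authority(subject) <= acquirable(subject, max_collaboration)
```

Without collaboration Alice's acquirable set never contains `billing`, yet `authority("alice")` does, which is Toby's underestimate; under maximum collaboration the compiler hands `billing` over and the two coincide, which is the equivalence Shapiro describes.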