[cap-talk] Capabilities and Freedom vs. Safety
Jonathan S. Shapiro
shap at eros-os.com
Thu Jul 26 14:02:23 EDT 2007
On Thu, 2007-07-26 at 18:37 +0100, Toby Murray wrote:
> I've been making an unstated assumption here, I just realised.
>
> I've been assuming that, when modelling, one wants to take subject
> behaviour into account. But this need not be the case.
>
> Previous models like HRU and SW ignore subject behaviour. In these
> models, acquirable permissions is an upper bound for authority. But it's
> not a very useful upper bound, since, as the object-cap model
> demonstrates, the behaviour of (trusted) subjects is very important for
> enforcing real security policies.
Toby knows this, but for the benefit of others:
The modeling techniques of HRU and similar static estimation approaches
"handle" trusted subjects by building their behavior into the system's
operational semantics and then dropping those subjects from the graph.
This is a heavy, imprecise hammer.
[I infer that] Toby's CSP approach is trying to achieve a higher degree
of modularity about this sort of thing, which seems like a useful step
forward.
> Other models like Fred Spiessens' SCOLL take into account subject
> behaviour. But in this case, acquirable permissions is no longer an
> upper bound for authority.
Agreed. Some form of transitive causal analysis is required. True
accuracy requires either value-flow analysis across processes or
conservative assumptions about values (in the form of "choose") or a
hybrid. It is a much more complex analysis.
> ...That's what I'm trying to do.
Cool
shap
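As an added illustration, not part of the thread: a small Python model of the distinction discussed above, computing an HRU-style static bound (every subject assumed to forward everything) beside a behaviour-aware authority computation in which bob acts as a proxy and carol refuses to delegate. The subjects, the file F, the rights and the behaviours are all constructed for this example.

```python
# Constructed toy model (not from the thread): three subjects and one file F.
# A capability is (target, right). 'send' on a subject is a fixed channel over
# which messages and object capabilities may flow; to keep the model small,
# channels themselves are assumed not to be transferable.
HOLDS = {
    "alice": {("bob", "send")},
    "bob":   {("F", "write")},
    "carol": {("F", "read"), ("alice", "send")},
}
# Subject behaviour, the part HRU-style models drop: does a subject forward the
# object capabilities it holds to everyone it can send to, and which of its
# rights will it exercise on behalf of anyone who can send to it (a proxy)?
BEHAVIOUR = {
    "alice": {"forwards": True,  "proxies": set()},
    "bob":   {"forwards": False, "proxies": {("F", "write")}},
    "carol": {"forwards": False, "proxies": set()},
}

def closure(holds, forwards):
    """Fixpoint of capability propagation; forwards(s) says whether s forwards."""
    acq = {s: set(caps) for s, caps in holds.items()}
    changed = True
    while changed:
        changed = False
        for s, caps in acq.items():
            if not forwards(s):
                continue
            objs = {c for c in caps if c[1] != "send"}
            for tgt, right in list(caps):
                if right == "send" and tgt in acq and not objs <= acq[tgt]:
                    acq[tgt] |= objs
                    changed = True
    return acq

def acquirable_permissions(subject):
    """HRU-style static bound: every subject is assumed to forward everything."""
    return closure(HOLDS, lambda s: True)[subject]

def authority(subject, acq=None, visiting=frozenset()):
    """Transitive causal analysis: effects `subject` can cause given behaviour."""
    if acq is None:
        acq = closure(HOLDS, lambda s: BEHAVIOUR[s]["forwards"])
    visiting = visiting | {subject}
    effects = {c for c in acq[subject] if c[1] != "send"}
    for tgt, right in acq[subject]:
        if right == "send" and tgt in acq and tgt not in visiting:
            # a proxy confers only the effects it can itself bring about
            effects |= BEHAVIOUR[tgt]["proxies"] & authority(tgt, acq, visiting)
    return effects
```

For alice the static bound contains read on F (carol could forward it) but not write on F, while her actual authority is exactly write on F through bob's proxy, so neither set bounds the other once behaviour is taken into account.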