[cap-talk] Selling capabilities programming
David Hopwood
david.hopwood at industrial-designers.co.uk
Sat Jul 28 20:30:36 EDT 2007
James A. Donald wrote:
> James A. Donald wrote:
> > > If two programs are permitted to communicate, the
> > > security properties are the same as if they can
> > > transfer capabilities unobserved and undetectably.
>
> David Hopwood wrote:
> > You are mistaken. For example, consider the case where
> > the communication is by a one-way data-only channel.
> > (One-way implies no acknowledgements.)
>
> Commonly, when a web server comes under attack, a bad
> message is sent to the web server that causes it to
> execute script contained in the message at a higher
> level of privilege than it deserves. Often the bad
> message is sent from a zombie machine, whose master has
> no interest in the response.
>
> One such attack had the language parameter in the http
> request set to a string about fifty thousand
> kilocharacters long. The request was internally
> reflected from one internal corporate server to the
> other, causing the string to be interpreted as script
> originating from within the corporation. Needless to
> say, no response to this http request was expected or
> sent.

You said, without making any further restrictions, that two
programs that are permitted to communicate always have the
same security properties as if they can transfer capabilities
unobserved and undetectably.

This is not true in general for one-way communication. You
responded to that with some specific example. I don't see the
relevance of the example (because it is not transferring
capabilities -- indeed, capabilities are not involved at all),
but that is beside the point. No single example would be
sufficient to support your statement, which is universally
quantified over all pairs of programs, all security properties,
and all possible communication channels.
--
David Hopwood <david.hopwood at industrial-designers.co.uk>