[cap-talk] What *is* a powerbox?
Jonathan S. Shapiro
shap at eros-os.com
Sun Jul 29 12:04:59 EDT 2007
On Sat, 2007-07-28 at 17:21 -0400, David Chizmadia (JHU) wrote:
> Hello all,
>
> James A. Donald makes the following statement in one of his emails:
> > A powerbox is a user interface for designating entities
> > and granting permissions to access them.
>
> Since the term - and I believe, the concept - evolved within the
> cap-talk community, I think that the cap-talk list is a good place
> to come up with a normative definition for "powerbox".
James's definition is too narrow. Let me attempt a better one, but let me
first say: James's confusion is very natural. The powerbox idea evolved
during the design of an interactive system. The first powerbox
implementations did operate in roughly the way that James describes, but
the powerbox construct isn't limited in the way that he suggests.
A powerbox is a process that holds, or can obtain, capabilities that are
potentially sensitive (the "guarded capabilities"). One or more
applications have access to the powerbox via capabilities, and are able
to request [copies of] these guarded capabilities. The powerbox
implements a decision procedure by which it will decide whether or not
to transfer the requested capabilities to the application, and if so,
whether it will grant them in full-strength or reduced form, and whether
it will introduce a membrane protocol around the transferred
capabilities.
The decision procedure implemented by the powerbox may be stateful (i.e.
its behavior for current requests may depend on past requests), and it
may incorporate interaction with the user. Neither of these is a
*necessary* requirement. A conventional, rule-based firewall that allows
or refuses connection based on a table of rules may be viewed as a kind
of powerbox.
So: I think James has the basic spirit of the thing right in the
interactive case, but the powerbox idea goes beyond what he says above.
I may have created additional confusion by stating that a powerbox
should be viewed as an extension of a shell. Most people think of a
shell as interactive. When I say "shell", I simply mean some agent
software that is fully trusted to faithfully enact the intentions of its
directing principal.
As to your RBAC example, I confess that I did not read it in detail. I
think that the firewall example above is a clearer example of a mostly
non-interactive firewall.
I think that the notion that a powerbox is ultimately controlled by a
principal is an important part of the powerbox concept. If we allow the
concept to extend to arbitrary membranes having statically defined
policies, then we are merely describing the notion of a security
enforcing subsystem in general, and we shouldn't coin a new term for
that. The descriptive utility of the "powerbox" notion lies in the
presence of user control -- or so it seems to me.
shap
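The following is an added illustration of the definition given in the post above; it is not code from the post, from EROS, or from any cap-talk project. It sketches a powerbox in object-capability style: a process-like object that holds a guarded capability (an in-memory file store), a rule table in the spirit of the firewall analogy, a stateful decision procedure (a per-application grant quota), attenuation (a read-only facet), and a revocable forwarder standing in for a membrane. Every name here (makePowerbox, makeRevocable, the "docs" capability, the application ids, the rule table and the sample file) is an assumption made for the example.

```javascript
// Added example, not from the original post. All names are illustrative.

// The guarded capability: a small in-memory file store with read and write.
function makeFileStore(initial) {
  const files = new Map(Object.entries(initial));
  return {
    read: (name) => files.get(name),
    write: (name, data) => { files.set(name, data); },
  };
}

// Attenuation: a read-only facet. It is a distinct object, so the holder
// never gets a path back to the full-strength store.
function readOnly(store) {
  return Object.freeze({ read: (name) => store.read(name) });
}

// Revocable forwarder (a simplified membrane): calls are forwarded until
// revoke() is called; afterwards the holder's reference is dead.
function makeRevocable(target) {
  let live = target;
  const proxy = new Proxy({}, {
    get(_, prop) {
      if (live === null) throw new Error('capability revoked');
      const method = live[prop];
      if (typeof method !== 'function') return undefined;
      return (...args) => {
        if (live === null) throw new Error('capability revoked');
        return method.apply(live, args);
      };
    },
  });
  return { proxy, revoke: () => { live = null; } };
}

// The powerbox: holds guarded capabilities and runs a decision procedure.
// rules: [{ app, cap, modes }] (firewall-style table, constructed below).
// Stateful: each app is limited to opts.maxGrants successful grants.
function makePowerbox(guarded, rules, opts = {}) {
  const maxGrants = opts.maxGrants ?? 1;
  const grantCount = new Map();
  const revokers = [];
  return {
    request(appId, capName, mode) {
      const used = grantCount.get(appId) ?? 0;
      if (used >= maxGrants) return { granted: false, reason: 'quota exhausted' };
      const rule = rules.find((r) => r.app === appId && r.cap === capName);
      if (!rule) return { granted: false, reason: 'no matching rule' };
      if (!rule.modes.includes(mode)) return { granted: false, reason: 'mode not permitted' };
      // Reduced form for read requests, full strength otherwise; either way
      // the application only ever receives a revocable forwarder.
      const target = guarded[capName];
      const cap = mode === 'read' ? readOnly(target) : target;
      const { proxy, revoke } = makeRevocable(cap);
      revokers.push(revoke);
      grantCount.set(appId, used + 1);
      return { granted: true, cap: proxy };
    },
    revokeAll() { for (const r of revokers) r(); },
  };
}

// Walk through the decision procedure with constructed sample data.
function demo() {
  const store = makeFileStore({ 'notes.txt': 'hello' });   // constructed
  const rules = [                                           // constructed
    { app: 'viewer', cap: 'docs', modes: ['read'] },
    { app: 'editor', cap: 'docs', modes: ['read', 'write'] },
  ];
  const pb = makePowerbox({ docs: store }, rules, { maxGrants: 1 });
  const out = {};

  out.viewerWrite = pb.request('viewer', 'docs', 'write').reason; // refused by rule
  const v = pb.request('viewer', 'docs', 'read');                  // attenuated grant
  out.viewerRead = v.cap.read('notes.txt');
  out.viewerHasWrite = typeof v.cap.write;                          // 'undefined'
  out.viewerSecond = pb.request('viewer', 'docs', 'read').reason;  // stateful refusal

  const e = pb.request('editor', 'docs', 'write');                 // full strength
  e.cap.write('notes.txt', 'edited');
  out.afterEdit = store.read('notes.txt');

  pb.revokeAll();                                                   // membrane cut
  try { v.cap.read('notes.txt'); out.afterRevoke = 'still live'; }
  catch (err) { out.afterRevoke = err.message; }
  return out;
}
```

Two caveats for anyone adapting this. The forwarder here is shallow: a real membrane also wraps objects and functions that cross it in either direction, so that a revoked application cannot keep a reference it received through an earlier call. And the rule table is the static, firewall-like end of the spectrum the post describes; the user-control the post argues is essential would enter through the decision procedure, for example by replacing the rule lookup with a prompt to the directing principal.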