[cap-talk] Selling capabilities programming

James A. Donald jamesd at echeque.com
Sun Jul 29 21:34:03 EDT 2007


James A. Donald wrote:
 > > > > If two programs are permitted to communicate,
 > > > > the security properties are the same as if they
 > > > > can transfer capabilities unobserved and
 > > > > undetectably.

David Hopwood:
 > > > You are mistaken. For example, consider the case
 > > > where the communication is by a one-way data-only
 > > > channel. (One-way implies no acknowledgements.)

James A. Donald:
 >> Commonly, when a web server comes under attack, a bad
 >> message is sent to the web server that causes it to
 >> execute script contained in the message at a higher
 >> level of privilege than it deserves.  Often the bad
 >> message is sent from a zombie machine, whose master
 >> has no interest in the response.
 >>
 >> One such attack had the language parameter in the
 >> http request set to a string about fifty thousand
 >> kilocharacters long.  The request was internally
 >> reflected from one internal corporate server to the
 >> other, causing the string to be interpreted as script
 >> originating from within the corporation.  Needless to
 >> say, no response to this http request was expected or
 >> sent.

David Hopwood wrote:
 > You said, without making any further restrictions,
 > that two programs that are permitted to communicate
 > always have the same security properties as if they
 > can transfer capabilities unobserved and undetectably.
 >
 > This is not true in general for one-way communication.
 > You responded to that with some specific example. I
 > don't see the relevance of the example (because it is
 > not transferring capabilities -- indeed, capabilities
 > are not involved at all),

In the case described, the effect on security is the
same as if all capabilities of the second corporate
server were transferred to the attacker untraceably
through the zombie.

