[cap-talk] What *is* a powerbox?
David Wagner
daw at cs.berkeley.edu
Mon Jul 30 19:06:12 EDT 2007
Jonathan Shapiro writes:
>A powerbox is a process that holds, or can obtain, capabilities that are
>potentially sensitive (the "guarded capabilities"). One or more
>applications have access to the powerbox via capabilities, and are able
>to request [copies of] these guarded capabilities. The powerbox
>implements a decision procedure by which it will decide whether or not
>to transfer the requested capabilities to the application, and if so,
>whether it will grant them in full-strength or reduced form, and whether
>it will introduce a membrane protocol around the transferred
>capabilities.
>
>The decision procedure implemented by the powerbox may be stateful (i.e.
>its behavior for current requests may depend on past requests), and it
>may incorporate interaction with the user. Neither of these is a
>*necessary* requirement.
Okay.

>A conventional, rule-based firewall that allows
>or refuses connection based on a table of rules may be viewed as a kind
>of powerbox.

To me, the rule-based firewall seems a somewhat different sort of beast.
Let me see if I can flesh out why I have that instinctive reaction, and
see whether there is anything to my instinctive reaction or not.

Assume we want to protect access to a resource R. Let me distinguish
two ways we might implement this.

Scenario #1:
Initially, Pow has a capability to R and Alice has a capability to Pow.
When Alice wants to access R, she contacts Pow and engages in some protocol
to request a capability to R. Pow decides whether Alice is entitled (e.g.,
by asking a human) and then possibly returns a capability to R to Alice.
Once Alice receives the capability she can use it freely without any
further involvement from Pow. Pictorially:

    R <--- Alice <---> Pow

Scenario #2:
Initially, Mon has a capability to R and Alice has a capability to R.
When Alice wants to access R, she contacts Mon and asks R to perform the
action. Mon decides whether that action is permissible and if so performs
it directly upon R. Alice never gains an unmediated capability directly
to R; all of Alice's interactions with R are mediated by Mon.

    Alice ---> Mon ---> R

The classic type of powerbox falls into Scenario #1. A rule-based
firewall seems to fit more into Scenario #2. I'm tempted to say that
Scenario #1 uses a powerbox while Scenario #2 uses a reference monitor
(hence the choices of the names Pow and Mon). To be more precise, I'm
tempted to say that Pow is a powerbox but is not a reference monitor;
and that Mon is a reference monitor but not a powerbox.

Would you agree with this? Is this kind of distinction at all useful?

P.S. I am, for the moment, ignoring the case where the powerbox
returns a capability wrapped in a membrane; to simplify matters, I am
for the moment focusing only on powerboxes that either return a
capability or don't.
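
The two arrangements in the diagrams above, as an added sketch that is not part of the original post: Pow hands over the capability to R once, while Mon performs each action on R itself. All function names and the rule-table policy are hypothetical, and the mid-run policy change is a constructed case chosen to show what "without any further involvement from Pow" means in practice.

```javascript
// Added illustration: every name here is hypothetical, not from the post.
// R: holding a reference to this object is the capability to R.
function makeResource() {
  const entries = [];
  return Object.freeze({ write: (e) => entries.push(e), read: () => entries.slice() });
}

// Stand-in decision procedure: a mutable table of permitted operations.
function makePolicy(allowed) {
  const table = new Set(allowed);
  return { allows: (op) => table.has(op), revoke: (op) => table.delete(op) };
}

// Scenario #1: Pow decides at request time, then returns the capability to R itself.
function makePow(r, policy) {
  return Object.freeze({ request: () => (policy.allows('grant') ? r : null) });
}

// Scenario #2: Mon keeps R to itself and checks every action before performing it.
function makeMon(r, policy) {
  return Object.freeze({
    perform: (op, arg) => {
      if (!policy.allows(op)) throw new Error('denied: ' + op);
      return r[op](arg);
    },
  });
}

// Run both scenarios, tightening the policy halfway through each (constructed case).
function compare() {
  const out = {};
  const r1 = makeResource(), p1 = makePolicy(['grant']);
  const pow = makePow(r1, p1);
  const cap = pow.request();            // Alice now holds R directly
  p1.revoke('grant');
  cap.write('after policy change');     // Pow is not consulted
  out.powWrites = r1.read().length;
  out.powSecondRequest = pow.request(); // a fresh request is refused
  const r2 = makeResource(), p2 = makePolicy(['write', 'read']);
  const mon = makeMon(r2, p2);          // Alice holds only Mon
  mon.perform('write', 'before policy change');
  p2.revoke('write');
  try { mon.perform('write', 'after'); out.monSecondWrite = 'performed'; }
  catch (e) { out.monSecondWrite = e.message; }
  out.monWrites = mon.perform('read').length;
  return out;
}

console.log(compare());
```

In the Pow run the write made after the policy change still lands on R, because the decision was taken once at grant time; in the Mon run the same change takes effect on the next action.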