[cap-talk] A better reference for the "capabilities propagate too easily" argument
Jed Donnelley
capability at webstart.com
Tue Jul 31 00:45:03 EDT 2007
At 07:25 PM 7/30/2007, David Hopwood wrote:
>Jed Donnelley wrote:
> > The way I see the Horton work is that it is responding to one
> > of the criticisms of object/capability computing that we saw
> > in the various TCSEC criticisms, namely that it isn't possible
> > to track/log/audit who was responsible for what with capabilities.
> > Horton was a direct response to that criticism that came out
> > of that paper.
>
>(i.e. "Traditional Capability-Based Systems: An Analysis of their Ability
>to Meet the Trusted Computer Security Evaluation Criteria")
>
> > If we don't at least mention the criticism and the paper then why Horton?
>
>No-one should care about that paper, and based on citations it appears that
>hardly anyone does [*]. A much better paper to cite in this context is
>Saltzer and Schroeder's "The Protection of Information in Computer Systems"
>(1974, revised 1975), on-line at
><http://web.mit.edu/Saltzer/www/publications/protection/>.
>
>From section II.B
><http://web.mit.edu/Saltzer/www/publications/protection/Descriptors.html>:
>...
I agree with the things you say about the Saltzer and Schroeder paper.
It is, as you say, much more even handed in its comparison of
the capability and access control list approaches to access control.
I (not surprisingly) regard its treatment of capabilities as
overemphasizing the negative and underemphasizing the positive
and pretty much vice versa for access lists, but still it is
relatively even handed.
Remember that this paper was written in 1974/75. There were a
number of capability based systems whose designs were initiated
after this paper with a full understanding of the contents of
this paper. Hydra, Demos, KeyKOS, NLTSS, Amoeba, and Monash,
come to mind. The Saltzer and Schroeder paper was generally
an academic paper whose focus was being all inclusive. It isn't
surprising that it was widely cited.
By contrast the evaluation of capabilities against the
TCSEC criteria noted above was published in 1987 when
capability systems were by most considered on their
last legs. This was the period of the Orange Book
and the TCSEC. A time when government (and to a lesser
extent defense) notions of computer security were
generally viewed as the only game in town. The TCSEC
analysis of capabilities was done against the backdrop
of the Boebert criticism:
Boebert, W. E., On the Inability of an Unmodified Capability Machine
to Enforce the *-Property, Proc. 7th DoD/NBS Computer Security
Conference, September 1984, pp. 291-293.
and the follow-up by:
R. Kain and C. Landwehr.
On Access Checking in Capability-Based Systems.
In Proceedings of the 1986 IEEE Symposium on
Security and Privacy, pages 66-77, May 1986.
(Note - Richard Kain was at the University of Minnesota and
Carl Landwehr was at the Naval Research Laboratory - to me a
suggestive collaboration)
at a time when the PSOS (SRI) development that had started
with a capability based design had given up on using
capabilities.
There didn't really need to be any citations of the TCSEC
analysis of capabilities because it was really just
stating common knowledge and providing essentially an
official coup de grâce for the use of capabilities for
access control.
After that time (say 1987) I know of no designs initiated
using capability access control until the attempt to
revive some of the KeyKOS concepts in EROS. When did
that work start? Late 1990s? Perhaps others can help
me out with references to capability based design work
that did start during this time period (1986 - 1996?)?
While I agree that the TCSEC analysis isn't as widely
referenced in academic papers, I still don't know of a
better reference to point to when discussing what I
would call the demise of capability based access control
during the 1980s that continued through the 1990s - when
there wasn't even enough interest to publish, let alone
to start new system designs. During that period I believe
capability based access control (except for the lingering
presence of some older capability based systems like
KeyKOS, Amoeba, NLTSS, Monash, and perhaps Mach, which
seemed to later eschew its capability base after the
middle 1980s) really did become just 'of academic interest.'
I'm really taking an extreme view here in the hopes that
others will rein me in if I'm overstating this case.
The one exception I've heard of is referenced in the
Horton paper:
L. van Doorn, M. Abadi, M. Burrows, and E. P. Wobber.
Secure Network Objects. In Proc. 1996 IEEE Symposium
on Security and Privacy, pages 211-221, 1996.
which of course avoided the poisoned operating system
level and the poisoned "capability" term and instead
focused on more acceptable language level objects and
mechanisms for making them available across a network.
(to me much like DCCS, the Mach Network Server, and
MarkM's vats).
Still, despite the above, one way to read your suggestion
is to point to a reference on capabilities that *is*
more balanced. While such a reference can't answer
the question about why capability designs disappeared,
it could at least offer some points for comparison
(e.g. that of 'loose propagation')?
For me the Saltzer and Schroeder paper doesn't seem to be
very helpful in this regard. It seems a bit too
much affected by its time of publication, by the
Multics concepts (e.g. microcoded instruction sets,
etc.). If you look at their discussion of ACLs,
for example, it shows up in what today seems a
rather strange form where they assume hardware
mechanisms for allowing or disallowing references
to segments based on what "principal" identifiers
are in ACL tables referenced by the hardware.
Do you feel that Saltzer and Schroeder's comparison
is accessible today and a better reference for actual
reading about the relative merits of capabilities and
ACLs for access control? If we are getting to the point
where capability based access control is again being
seriously considered, I think perhaps a comparison
done in a more modern context would be helpful.
From my perspective we are working out some of the
detailed points for such a modern comparison on the
cap-talk list. I believe such points will be needed
to justify any modern use of capabilities for access
control.
--Jed http://www.webstart.com/jed-signature.html