[cap-talk] What Horton cannot do? (Was: mailkey: transfer of accountability...)

David Hopwood david.hopwood at industrial-designers.co.uk
Sat Jun 2 19:49:23 EDT 2007


Jed Donnelley wrote:
[...]
> [NLTSS] was one of the
> implementations that was criticized in this document:
> 
> TRADITIONAL CAPABILITY-BASED SYSTEMS:
> AN ANALYSIS OF THEIR ABILITY TO MEET THE
> TRUSTED COMPUTER SECURITY EVALUATION CRITERIA
> http://www.webstart.com/jed/papers/P-1935/

My view on this paper (including my, admittedly somewhat bluntly
expressed, view of the competence displayed by its authors) has
not changed from what I said in
<http://www.eros-os.org/pipermail/cap-talk/2006-November/005910.html>.

> - along with all other capability systems.
> 
[...]
> What we are seeking is:
> 
> 1.  Practical POLA control of permissions.  We believe
> the most effective way to achieve this value is through
> communicable tokens of permission (objects) that we refer
> to as "capabilities" or object/capabilities.
> 
> and
> 
> 2.  Identification of responsibility for permitted
> actions.
> 
> Any way of achieving the above is fair game.  How do
> you believe the above should be achieved James?  Or
> do you believe there isn't enough value in doing so
> to be worthwhile?  In that case do you believe we
> should just continue to live with the problem of
> viruses and comparable threats from programs running
> with over broad authorities?

It would be a perfectly self-consistent and defensible position to
argue that the need for 2 was greatly overblown in the historical
criticism of capabilities, and that if we want to be able to provide 2,
we should do so either simply or not at all.

After all, current non-capability systems generally *don't* provide 2
in a usable or reliable way. I would argue that they often provide it
in a way that does more harm than good, by allowing a determined attacker
to frame innocent users. Partly, that is because they fail to usably or
reliably provide 1, and so the mechanisms that are intended to provide 2
can be bypassed or subverted.

My initial reaction to Horton was also that it is undesirably complex
for the job it is doing. Maybe we can find something simpler that will do
effectively the same job. However, I don't agree with James' analysis
that Horton is too complex as a result of the use of mathematical reduction
in its design or description. Mathematics in general, and its use of
reduction-based proofs in particular, has been *wildly* successful; it's
the bedrock of modern science and technology.

-- 
David Hopwood <david.hopwood at industrial-designers.co.uk>