[cap-talk] "Secure Network Objects" - suffering capabilities, not
Jed Donnelley
jed at nersc.gov
Mon May 14 12:12:46 EDT 2007
Mark S. Miller wrote:
> Jed Donnelley wrote:
>> I was interested to read the Network Objects paper that you
>> referenced (Birrell, Nelson, ...). One thing I looked for in that
>> paper and didn't see was any reference to access control or to
>> encryption. It seems to me that this basic mechanism (sort of
>> membrane, whether to serialize or not) has been written about and/or
>> implemented enough that it might be time for a comparison article/paper.
>
> Thanks for catching this. I cited the wrong paper. I meant to cite:
>
> L. van Doorn, M. Abadi, M. Burrows, and E. P. Wobber.
> Secure Network Objects. In Proc. 1996 IEEE Symposium
> on Security and Privacy, pages 211–221, 1996.
>
> But it's good you read the other paper, as this paper builds on that
> earlier one. When you read this paper, notice in particular their
> discussion of the Identity type.
>
In the Secure Network Objects paper I particularly noted:
"However, capabilities suffer from the well-known confinement problem:
it is hard to keep them sufficiently secret."
They go on to say: "The support for ACLs allows implementors to limit
this problem, and to use identity-based security whenever that is
appropriate, in particular for auditing."
I believe the above really gets to the crux of what we are pointing out
with the Horton paper:
1. Far from suffering from a "confinement problem," capabilities make
tighter confinement possible (POLA) while recognizing that conspiring
communicators can share authority in any system, and
2. Capabilities can support identities and even identity-based access
control better than ACLs can (better in that responsibility can be
assigned to both sender and receiver).
Maybe this shows up in the next paper after Horton, but I wanted to
mention it. I'll cc cap-talk with this message because I think it is of
more general interest. Perhaps it can raise some anticipation for the
Horton draft.
--Jed