[cap-talk] Delegating Responsibility in Digital Systems: Horton's "Who Done It?"
Charles Landau
clandau at macslab.com
Wed May 16 01:13:27 EDT 2007
At 7:04 PM -0700 5/15/07, Mark S. Miller wrote:
>Jed Donnelley, Alan Karp, and I would like your comments on our draft paper
>
> Delegating Responsibility in Digital Systems:
> Horton's "Who Done It?"
>
>found at <http://www.erights.org/download/horton/document.pdf>
>
>We plan to submit it to USENIX HotSec 07 (Hot Topics in Security)
>http://www.usenix.org/events/hotsec07/cfp/
>which has a five page limit. Submission deadline is 6/1/2007.
>
>We think this paper is important. Your comments and suggestions will be
>greatly appreciated. Thanks!
I agree this is important. Good work!
I like that I can flip the pages and see the transitions between the
three figures.
In Figure 1, there are two rectangles labeled "Bob". Are these two
different objects? If not, did you make separate boxes just to avoid
a tangle of arrows? It's a little confusing either way.
makeproxy does not seem to use its first parameter.
What if B happens to have a getGuts method and A says b.getGuts()? It
appears that P1 won't forward that. I can see how to fix this, but
your simplified code doesn't do it.
It isn't clear what the purpose of the "t" in p3Desc is.
I'm hoping the answer to most of these questions is that you had to
oversimplify to cram this into five pages, and these questions are
answered in the Java code, which I haven't read.
There's a fair amount of calling between the mutually suspicious
Alice, Bob, and Carol. As previously discussed (around
http://www.eros-os.org/pipermail/cap-talk/2006-December/006278.html),
there's no guarantee that these calls will return soon, if ever. For
example, Carol has the ability to delay forever the message from A to
B. In the absence of Horton, Carol is limited to delaying anyone who
*invokes* C, but not anyone who merely *passes* C around. I doubt
there's any way around this without something mutually trusted. In
some concurrency models (KeyKOS/EROS/CapROS), the lack of a guarantee
of a return will be a problem.
At line 03, P1 calls an arbitrary capability passed by A. It might be
wise for P1 to use a primitive such as MyCap? to ensure it is talking
to another proxy.
Nits:
"messages in flight" - cute, but "messages in transit" is more accurate.
"reflection", "reflective" - a term I'm not familiar with; did I
sleep through language class?
"P1's access to S3 would enable Alice to fool Carol into blaming Bob
for messages Alice sends to S3" - clear enough; the phrase evidences
MarkM's precise style.
References: Is it customary to not give URLs for papers that are
available online? I'm far from any library; if it isn't online, I
don't read it.
skyhunter.com/marcs/SecurityPictureBook.ppt - would you please make
this available in a non-proprietary format?
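An added illustration, not code from the paper, its Java implementation or this post, of the method-name collision raised above (a proxy that exposes its own getGuts intercepts a caller's b.getGuts() instead of forwarding it to Bob), next to one way of keeping the proxy-internal channel out of the forwarded namespace; the class names, the WeakKeyDictionary registry and guts_of are assumptions of this example, not the Horton design.

```python
import weakref

class Bob:
    """Constructed target object that happens to define its own getGuts."""
    def getGuts(self):
        return "bob-guts"

    def greet(self, name):
        return "hello " + name

class NaiveProxy:
    """Forwards unknown attribute lookups to the target, but also exposes a
    getGuts of its own for proxy-to-proxy use. Normal attribute lookup finds
    the proxy's method first, so a caller's b.getGuts() never reaches Bob;
    it gets the proxy's internal state instead."""
    def __init__(self, target):
        self._target = target

    def getGuts(self):            # protocol-internal, shadows Bob.getGuts
        return ("proxy-guts", self._target)

    def __getattr__(self, name):  # only reached for names the proxy lacks
        return getattr(self._target, name)

# Assumed fix: keep the internal channel out of the proxy's attribute
# namespace entirely. The target is held in a registry keyed by the proxy,
# and peer proxies reach it through guts_of(), so no target method name
# can collide with it.
_registry = weakref.WeakKeyDictionary()

class SeparatedProxy:
    def __init__(self, target):
        _registry[self] = target

    def __getattr__(self, name):  # every public name forwards to the target
        return getattr(_registry[self], name)

def guts_of(proxy):
    """Protocol-internal accessor for other proxies, not for ordinary callers."""
    return _registry[proxy]

def demo():
    """Returns what a caller sees from b.getGuts() through each proxy."""
    bob = Bob()
    naive, separated = NaiveProxy(bob), SeparatedProxy(bob)
    return naive.getGuts(), separated.getGuts(), separated.greet("alice")
```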