[cap-talk] Architectural Choices for Security - moving forward

[Jed Donnelley]

On 11/12/2007 10:08 AM, ken wrote:
> Mark et al
> For 35 years Moore's Law has changed everything except Computer Security.

I agree that computer security is in a sorry state.  However, I
think many areas of computer technology haven't benefited directly
from Moore's Law improvements.  Almost any software area (which
have progressed, but mostly independent of Moore's Law) seems
to fit into that category.

> We are working with a 40 year old paradigm that failed to adapt to new needs,
> changes in scope and performance

Agreed.  I believe POLA is an obvious and workable paradigm shift
that is (and was) available to help - though it seems curiously
difficult to get more POLA adopted.  I have my thoughts for
some of that difficulty (e.g. see my approach to move forward
below), but others may differ.

> and no corporation knows how or dare fix it. 

Of course it is people who will have to do the fixing, whether
from corporations or academia or government or wherever.  Many
of the people on this list work for corporations (e.g. MarkM
with Google, Alan Karp, Marc Steigler, and Tyler Close for HP,
etc.), so I wouldn't be inclined to leave corporations out of
the solution.

> So I put that presentation together to elevate the level of understanding in
> my local user community and start to work from the grass roots. There is a
> big need to fill a serious void in understanding. 

Agreed!

> I now believe that Computer Security and Information Protection will only
> develop from Open Source solutions (just like E), solutions that show the
> way, challenging free thinkers with independent efforts to change the
> equation (c.f. Google Lunar X prize).

Open source seems to have some promise, but I hope we stay open to any
source of solutions.  E.g. Plash is open source but Polaris (and I
guess CapDesk?) are not.  They all provide value in "showing the way"
in my opinion.

> Leaving Computer Security to
> corporations is like living under King George and doing nothing about it. 

Heh.  Spoken like a converted Brit ;-)  I focus on the people - whether
working for corporations or not - and the concepts and technologies.

> Privileged modes and privileged users exist throughout the infrastructure...

I agree that's a problem in many contexts.

> Threats grow on all sides. We need a "Revolutionary" approach to Computer
> Security starting with a Declaration of Independence!

Well...  What 'revolutionary' approach do you have in mind?  I
know one of the knocks on POLA approaches is that they are old
hat, failed approaches.  Been there, done that.  Approaches that
failed in the 1970s and then died out almost completely in the
1980s.  That's of course not how I feel, but that's a common
attitude/perception that I hear.

> I would like to join
> with others and discuss next steps perhaps leading to an On-Line conference.
> Any interest?

I'm interested and happy to help as I can, but I'm also a bit
cautious.  In some ways cap-talk is a running on-line conference
with a focus very much like you seem to be suggesting.

What I consider wonderful about cap-talk is that it's composed of
a group of people who share a significant overlap in some core
beliefs (e.g. POLA).  If those core beliefs can contribute to the
revolution that you're looking for Ken, then write your Declaration
and we'll see how it goes!

What I have found interacting on cap-talk is that what people feel
are good approaches to fixing computer security problems and moving
toward more POLA are all over the map.

For example, just speaking for myself - I:

1.  recently spent some time looking closely at the complaints
(fears, etc.) that people had about POLA and capabilities - e.g.
as in:

"Traditional Capability-Based Systems: an Analysis of Their
Ability to Meet the Trusted Computer Security Evaluation
Criteria":

http://www.webstart.com/jed/papers/P-1935/

I found what I consider to be legitimate concerns.  Mostly
that people felt (and feel) that capability systems have
failed to deliver on an effective "take back"/"do over"
when it comes to granting authority.  While acknowledging
that revocation can work with capabilities, the criticism
is that there is no information environment in which to
interface to revocation.  That is, with an ACL you can
see who putatively has access to what.  If you want to
remove some access, it is right there in front of you.
How do you do that with capabilities?

The above is what prompted me to get started with what
became Horton.  I didn't see why the same sort of
user/information interface for associating object
access with identities ("users") couldn't work in
pure capability systems.  With MarkM leading the way
on the implementation we showed that such a user
interface/mechanism is indeed possible in the Horton
paper and reference implementations.

With that done my next step is to:

2.  Demonstrate a user interface to access control with
the properties that Horton demonstrated.  I'm motivated
at least partly by a wonderful environment that I had
access to at LLNL in the 1970s and 1980s where access
was delegated by a "dup" function in a shared file
system.  "dup" copied a reference (a capability) from
one shared environment (a directory) that I have
access to into another that some other set of users
may have access to.  It's what today would likely
be implemented with a copy and paste.  In those days
we didn't have Horton or really any effective means
of doing revocation.  I'm sure we can do better today,
but that's what I want to demonstrate.

I believe that with people comfortable with the
directed graph nature of the Web these days, such
a copy and paste delegation mechanism (e.g. including
pasting into an email that will then be sent and thus
shared or pasting into a shared Web "page") along
with the Horton facility for viewing who (IDs) has
been delegated which objects along with the ability
to revoke such access will appeal to people.  My dream
is that it will enable a new level of Web development -
a Web with integrated access control (vs. all the varying
kludges that we have today for such access control -
generally not available to users).


The above is my current vision.  As you know MarkM
is a champion of language based POLA - e.g. with
E and Joe-E and with his latest Caja to enable
POLA mashups.

While I'm supportive, I don't see how we can succeed
with the sort of 'revolution' that you speak of until
we can put access control into the hands of the users,
intuitively.  People may disagree about whether
copy and paste of capabilities is intuitive (e.g. I
know David Wagner expressed reservations), but I've
seen it work and am optimistic.

Others have yet other thoughts for best ways to move
forward.  Jonathan Shapiro is still pursuing an OS
level approach along the lines of KeyKOS and EROS.
I saw KeyKOS and NLTSS and a number of other OS based
approaches extinguished along that path and I've seen
the dominance of the user interfaces for Windows and
Unix that I don't believe will be easily displaced.
I'm not hopeful for that approach (even in the narrower
real time OS environment), but I also wish him luck
and am supportive as I can help.

Others have again other approaches for moving 'forward.'

If you could add some cohesion to this well meaning
(and I believe generally well directed) rabble, then
perhaps it could help.  I think (?) that would require
developing some consensus on how to most effective
move forward.  Got some ideas on that from your
lurking on cap-talk?

I'm ready to help as I can.

--Jed  http://www.webstart.com/jed/