[cap-talk] Horton vs. ACLs - private namespaces and the Audit Problem
Jed Donnelley
jed at nersc.gov
Thu Oct 11 13:45:59 EDT 2007
On 10/11/2007 9:03 AM, Karp, Alan H wrote:
> Jed Donnelley wrote:
>> Hmmm. While this thread was interesting to read, I believe
>> it is orthogonal to the approach that we suggest in the
>> Horton paper.
>
> It is indeed because this discussion isn't about Horton. It's about the
> value of logging all capability transfers between objects in a language
> based system. MarkM asked for a concrete example of where such low
> level events might be of interest, so I gave him one.
I understood that. What I was, perhaps ineffectively, trying
to point out is that with regard to:
On 10/11/2007 9:20 AM, Karp, Alan H wrote:
> Jed wrote:
>> 1. One of those labeled as responsible
>> acts irresponsibly
>
> And
>> 2. From some failure of trusted software
>> appropriately used with POLA
>
> I was thinking of something much more mundane in which the capability to
> the file was transferred legitimately to enable Alan to do his job.
> That made him an insider and selling stock during the quiet period a
> crime. Should he forget the restriction, as he is wont to do, and sell
> stock, he will be caught by the audit.
Horton provides an alternative mechanism that doesn't require such
low level logging of capability transfers. If the capability was
legitimately transferred to Alan with Horton, then Alan would
be listed as responsible and his access to the data would be
logged in such a way as to make low level logs of capability
transfers unnecessary.
--Jed http://www.webstart.com/jed/
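As an added illustration of the audit point Jed is making (this is toy code written for this page, not Horton's actual protocol or any code from the paper), the sketch below contrasts the two models: a low-level log of every capability transfer, from which an auditor can only reconstruct who *could* have reached the data, versus a Horton-style capability that carries the identity of the party labeled as responsible and records that identity on each access. The resource name, the principals and the `LabeledCap`/`AuditLog` classes are all constructed for the example.

```python
"""Toy comparison of transfer logging vs. responsible-party access logging.

Constructed illustration only: Horton itself uses a different mechanism
(proxies and stubs between vats); this just models the audit outcome.
"""
from dataclasses import dataclass, field


@dataclass
class AuditLog:
    # (from, to, resource): the "low level logging of capability transfers"
    transfers: list = field(default_factory=list)
    # (resource, responsible): one record per access, labeled with who is responsible
    accesses: list = field(default_factory=list)


class Resource:
    """The underlying object; it only ever sees the responsible-party label."""

    def __init__(self, name: str, log: AuditLog):
        self.name = name
        self._log = log

    def read(self, responsible: str) -> str:
        self._log.accesses.append((self.name, responsible))
        return f"<contents of {self.name}>"


class LabeledCap:
    """A capability that names the party responsible for its use.

    Delegation produces a new capability labeled with the recipient, so any
    access through it is attributed to that recipient, not to the delegator.
    """

    def __init__(self, target: Resource, responsible: str, log: AuditLog):
        self._target = target
        self._responsible = responsible
        self._log = log

    def read(self) -> str:
        # Every access is logged against the responsible label, not the raw reference.
        return self._target.read(self._responsible)

    def delegate(self, new_responsible: str) -> "LabeledCap":
        # The transfer record is kept only so the two audit models can be compared.
        self._log.transfers.append((self._responsible, new_responsible, self._target.name))
        return LabeledCap(self._target, new_responsible, self._log)


def who_accessed(log: AuditLog, resource: str) -> list:
    """Horton-style answer: exactly the parties whose accesses were recorded."""
    return sorted({resp for name, resp in log.accesses if name == resource})


def could_have_accessed(log: AuditLog, resource: str) -> list:
    """Transfer-log answer: everyone who ever held the capability (an upper bound)."""
    holders = set()
    for src, dst, name in log.transfers:
        if name == resource:
            holders.update((src, dst))
    return sorted(holders)


def run_scenario() -> tuple:
    """Constructed scenario: the CFO legitimately delegates the results file to Alan."""
    log = AuditLog()
    results = Resource("quarterly_results", log)
    cfo_cap = LabeledCap(results, "CFO", log)
    alan_cap = cfo_cap.delegate("Alan")  # Alan is now listed as responsible
    alan_cap.read()  # only Alan actually reads during the quiet period
    return who_accessed(log, "quarterly_results"), could_have_accessed(log, "quarterly_results")


if __name__ == "__main__":
    accessed, holders = run_scenario()
    print("actually accessed:", accessed)       # ['Alan']
    print("could have accessed:", holders)      # ['Alan', 'CFO']
```

The difference is what the auditor can conclude: the transfer log alone says both the CFO and Alan held the capability, while the labeled access log says Alan is the one who actually read the data, which is the fact the audit in Alan's example needs.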