[cap-talk] Avoid overconfidence (was: Any hope in RSA 2008?)

Mark Miller erights at gmail.com
Sat Apr 5 10:44:27 CDT 2008

On Sat, Apr 5, 2008 at 8:00 AM, Mark Miller <erights at gmail.com> wrote:
>  Bottom line: Capabilities today can make a system's security much more
>  robust against its own bugs.

To expand a bit:

In the DarpaBrowser exercise, many of the holes that Wagner & Tribble
found, even in security-enforcing modules, were unexploitable because
these modules had so little authority available for abuse. This is
empirical evidence for the POLA -> working ship compartments analogy.
However, they did find some holes they were able to drive a truck
through, and did. I think the Waterken review was similar, but someone
else will need to speak to this more definitively.

The bug Eric Northup found in the KeyKOS kernel design was also
essentially unexploitable, even though the KeyKOS kernel is not
internally a capability system.

IIRC, the undetected bugs Wagner & PIng inserted into PVote were
availability bugs, not integrity bugs. Availabiity and confidentiality
are so much harder than integrity that I have essentially written them
off in my own work. Achieving robust integrity is already hard enough
to eat several careers. It is both an easier target, and an adequate
one for many applications.

We also need to remember that we're enumerating a very small number of
cases here. We should avoiding drawing too many conclusions from such
a small sample size.

Text by me above is hereby placed in the public domain


More information about the cap-talk mailing list