[cap-talk] Lampson: Principle Of Least Privilege as damaging

Pierre THIERRY nowhere.man at levallois.eu.org
Mon Apr 7 09:17:14 CDT 2008


Jed Donnelley wrote on 07/04/2008 at 01:44:
> Be careful about the name.  We're talking about Butler Lampson, not
> "Lamport" (Leslie?).  Leslie Lamport also works at Microsoft

Crap, I was confused about the names because I'm reading Lamport's
papers about distributed systems. 

>>> ACL systems are to security policies what state machines are to
>>> algorithms: a very limited vocabulary. In this regard, Ocaps truly
>>> are a programming language to express security policies. [...]
> Hmmm.  I'm not sure what you are getting at above.  It seems to me
> that both capabilities and ACLs have rather limited "vocabularies".

In some way, the issue is that ACLs are first-order access control with
no means to define, whereas capabilities are higher-order access
control.

In short, no ACL system lets you define new kinds of ACLs in the system.
To do that, you have to modify the system (the TCB). With capabilities,
you can define new kinds of access controls, like the caretaker or the
sealer/unsealer pair, without touching the TCB.

> > with (aptly named) eggshell security you (as the sysop or sysowner)
> > are pwned.
> I'm not sure what that last word ("pwned") is intended as, but it's
> probably bad.

Pretty much: http://en.wikipedia.org/wiki/Pwn

Semantically,
Pierre
-- 
nowhere.man at levallois.eu.org
OpenPGP 0xD9D50D8A
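The caretaker and sealer/unsealer pair mentioned above, as an added JavaScript example that is not part of the original thread: both are defined in ordinary user code from object references and closures alone, with no change to any kernel or TCB. `makeCaretaker`, `makeSealerPair` and the `secretFile` object are constructed names.

```javascript
// Added example, not code from the cap-talk thread. Two access-control
// abstractions built purely from object references and closures; every
// name below is constructed for illustration.

// Caretaker: a revocable forwarder. Whoever holds `caretaker` can use the
// target only until whoever holds `revoke` calls it.
function makeCaretaker(target) {
  let current = target;
  const caretaker = new Proxy({}, {
    get(_, prop) {
      if (current === null) throw new Error("capability revoked");
      const value = current[prop];
      return typeof value === "function" ? value.bind(current) : value;
    },
  });
  return { caretaker, revoke: () => { current = null; } };
}

// Sealer/unsealer pair: seal() wraps a value in an opaque box that only the
// matching unseal() can open. The private WeakMap is the rights table.
function makeSealerPair() {
  const contents = new WeakMap();
  const seal = (value) => {
    const box = Object.freeze({});
    contents.set(box, value);
    return box;
  };
  const unseal = (box) => {
    if (!contents.has(box)) throw new Error("not sealed by this sealer");
    return contents.get(box);
  };
  return { seal, unseal };
}

// Constructed stand-in for a protected resource.
const secretFile = { read: () => "payroll data" };

function demo() {
  const { caretaker, revoke } = makeCaretaker(secretFile);
  const before = caretaker.read();           // forwarded while not revoked
  revoke();
  let afterRevoke;
  try { caretaker.read(); afterRevoke = "still readable"; }
  catch (e) { afterRevoke = e.message; }     // "capability revoked"
  const alice = makeSealerPair();
  const bob = makeSealerPair();
  const box = alice.seal(secretFile);
  const unsealedByAlice = alice.unseal(box) === secretFile;
  let bobCanUnseal;
  try { bob.unseal(box); bobCanUnseal = true; } catch (e) { bobCanUnseal = false; }
  return { before, afterRevoke, unsealedByAlice, bobCanUnseal };
}
```

Neither abstraction needs anything from the host beyond unforgeable references and private state, which is the point about defining new kinds of access control outside the TCB.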