[cap-talk] What sustained interest in capabilities
Charles Landau
clandau at macslab.com
Mon Dec 29 18:07:41 EST 2008
Mitsu Hadeishi wrote:
> Every security approach is ultimately
> implemented "on top of" an insecure "layer" --- the physical world.
> The physical world is itself highly insecure in and of itself. All
> approaches to security involve creating a layer of some sort or
> another on top of an insecure layer; it's not possible to completely
> rewrite the laws of physics, for example, to be "capability secure"
> --- nor is it necessary.
It sounds like you are saying "security is impossible, so let's not
bother trying." The goal is to not add any insecurity to whatever layer
we're starting with.
> A layer is more akin to a wrapper (as in packaging) than it is to a
> building resting on a foundation. If the wrapper has a hole in it,
> yes, there can be a breach in security, but again that applies to
> every approach to security --- we're always building wrappers of one
> sort or another, even in a top-to-bottom approach.
You said you "wrap an external ACL-based service in a capability." If I
understand your approach, the service can then be accessed using the
capability, but you do not take away the ability of other programs to
access the service via its ACL-based interface. After all, if your
wrapper is able to access the underlying ACL-based interface, presumably
others can too.
In that case, the wrapper metaphor is inapt. You have a layer that makes
no attempt to completely surround the underlying non-capability-based
service. It's not a wrapper with a small hole due to some flaw that
might in principle be plugged.
"Top-to-bottom" is not really the right description of the pure
capability systems that have been attempted. Those systems enforce
capability security completely at a single low layer, not at all layers.
("Pure" means there is no way around it.) Starting with a foundation of
rock, you can build with either more rock or sand. But starting with a
foundation of sand, you can never increase the stability of the system.
It appears to me that you're advocating the layered approach to simplify
the part of the system that uses the capability layer. Your critics are
saying it does not simplify the entire system and does not increase the
security of the entire system. I think you are both right.
On the other hand, if you have built a capability layer such that there
is no way around it, then you have built a pure capability system, and
congratulations! If the performance and security of such a system meets
your goals, then great. But you still have the drawback of all pure
capability systems, that legacy software doesn't work.
A pure capability system can be built on either bare hardware or another
suitable operating system. But from a security standpoint, I would have
higher confidence in the security of the less-complex underlying platform.
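As an added illustration of the point argued above (example code, not part of the cap-talk post or any project it discusses), here is a small model of an ACL-based service with ambient authority, a capability object that "wraps" it, and two ways of assembling them. In the layered assembly the underlying ACL service remains reachable by name, so code that was handed no capability can still read the file by presenting its ambient identity. In the "pure" assembly the service never leaves the bottom layer, so the capability is the only path. All names (AclFileService, FileReadCap, build_layered, build_pure, untrusted_component, the principals and the file path) are constructed for this example.

```python
"""Constructed model: ACL service, capability wrapper, layered vs pure
assembly. Not code from the cap-talk thread; all names are assumptions."""


class AclFileService:
    """ACL-based service: access is decided by who the caller claims to be
    (ambient authority), not by what reference the caller holds."""

    def __init__(self, acl, contents):
        self.acl = acl            # path -> set of principals allowed to read
        self.contents = contents  # path -> file contents

    def read(self, path, principal):
        if principal not in self.acl.get(path, set()):
            raise PermissionError(f"{principal} may not read {path}")
        return self.contents[path]


class FileReadCap:
    """Capability: an object bundling designation (the path) with the
    authority to read it. Whoever holds the object may call read()."""

    def __init__(self, service, path, principal):
        self._service = service      # the wrapped ACL service
        self._path = path
        self._principal = principal  # identity the wrapper uses underneath

    def read(self):
        return self._service.read(self._path, self._principal)


SECRET = "/etc/secret"  # constructed sample path


def _fresh_service():
    # Both the wrapper's own principal and the ambient user "alice" are on
    # the ACL; "mallory" is not. Contents are constructed sample data.
    return AclFileService({SECRET: {"wrapper", "alice"}}, {SECRET: "s3cr3t"})


def build_layered():
    """The layered approach: mint a capability on top of the ACL service,
    but leave the service itself reachable in the environment."""
    svc = _fresh_service()
    return {"cap": FileReadCap(svc, SECRET, "wrapper"), "acl_service": svc}


def build_pure():
    """The single-low-layer approach: the ACL service is created here and
    never exported; only capabilities leave this layer."""
    svc = _fresh_service()
    return {"cap": FileReadCap(svc, SECRET, "wrapper")}


def untrusted_component(env, ambient_user):
    """Code that was deliberately NOT handed a capability. It may only use
    the non-capability names in its environment plus its ambient identity.
    Returns the file contents if some path to them exists, else None."""
    for obj in env.values():
        if isinstance(obj, FileReadCap):
            continue  # policy: this component gets no capabilities
        if isinstance(obj, AclFileService):
            try:
                return obj.read(SECRET, ambient_user)
            except PermissionError:
                continue
    return None
    # Note: the "pure" build is only pure within this model. Python itself
    # offers ways around it (cap._service, gc.get_objects()), which is the
    # post's point: the layer is no more solid than the substrate under it.


if __name__ == "__main__":
    print("layered, alice :", untrusted_component(build_layered(), "alice"))
    print("layered, mallory:", untrusted_component(build_layered(), "mallory"))
    print("pure, alice    :", untrusted_component(build_pure(), "alice"))
```

Running it shows that in the layered build an ambient user already on the ACL reads the secret without any capability, while in the pure build the same user finds no path at all; the capability holder succeeds in both. The denial of "mallory" in the layered build comes from the ACL policy, not from capability discipline, which is exactly the distinction the message draws between a wrapper with a hole and a layer that does not surround the service.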