[cap-talk] P-1935 - on old truth and loss of control
Jed Donnelley
jed at nersc.gov
Fri Feb 1 18:58:48 EST 2008
cap-talk,
I have posted a combined PDF file for the scan I
did of P-1935:
TRADITIONAL CAPABILITY-BASED SYSTEMS:
AN ANALYSIS OF THEIR ABILITY TO MEET THE
TRUSTED COMPUTER SECURITY EVALUATION CRITERIA
which is now at:
http://www.webstart.com/jed/papers/P-1935/P-1935.pdf
It is 65MB.
I looked through and found some minor problems
with the scan. It appears that there is a
duplicate of page 31 in place of page 32.
Also some page numbers are missing:
vi, x, 2, 64, and 72.
I believe these are all blank pages, but
I should substitute "this page intentionally
blank" pages as is the usual practice.
I'll see if I can correct these hopefully
minor problems over the weekend. The
final file will be at the above location.
I may remove the pieces to save space.
Let me say something about this P-1935
publication.
I believe it is clear that this document
is the scholarly basis of the concerns
about "loss of control" in capability
systems. The 'Rainbow' Orange Book
publication:
http://www.fas.org/irp/nsa/rainbow/tg003.htm
(from: http://www.fas.org/irp/nsa/rainbow.htm )
I believe to be the 'official' high level
government view on computer security
circa 1987. Consider:
__________________________
Patrick R. Gallagher, Jr. 30 September 1987
Director
National Computer Security Center
ACKNOWLEDGEMENTS
Special recognition and acknowledgement for their contributions to this
document are extended to the following:
Carole S. Jordan, National Computer Security Center (NCSC), as primary author
and preparer of this document. Dr. Deborah Downs, the Aerospace Corporation,
who prepared an in-depth technical report on DAC mechanisms that became the
major input to this document. Grant Wagner and Steve LaFountain, NCSC, who
contributed their technical expertise and assistance throughout this effort.
Dr. Dixie B. Baker, the Aerospace Corporation, who meticulously reviewed the
document and suggested many changes.
Special thanks are extended to the many computer vendor representatives who
enthusiastically gave of their time and technical expertise in reviewing the
material and providing valuable comments and suggested changes. Among the
vendor representatives who were so helpful were: Steven B. Lipner, Digital
Equipment Corp., Dr. Roger Schell, Gemini Computers, Earl Boebert, Honeywell,
Inc., and C.T. Bougas, Harris Corporation.
__________________________
However, when it comes to the technical content as in
the Orange Book:
http://www.fas.org/irp/nsa/rainbow/tg003.htm
where it specifically criticizes capability
architectures as:
"...in order to pass the class
C2 and above DAC requirements, the ability for users to pass capabilities to
other users must be sufficiently controlled. There could be some design
difficulties in building capability-based mechanisms to satisfy the B3 DAC
requirement because of difficulty in implementing precisely defined groups
[11]. Also, at class B3 it is required that users be able to specify a list
of users that have permission (or do not have permission) to access each
object. Capability-based systems are row-based mechanisms and do not easily
lend themselves to this function. Deletion of an object from the system and
revocation of access present yet another problem. The problem is that
row-based systems do not provide an efficient means of determining which users
have access to a given object."
it refers to [11] which is P-1935. P-1935
is THE scholarly and comprehensive work on
inadequacies in capability systems - even to
this day I believe.
The Orange Book is a summary, but P-1935 is
the meat. I am interested to hear other views
on this. I find no other source.
With regard to P-1935 itself, I would say
that it is an extensively researched and
very scholarly work. There are some 15
pages of references in just the capability
section alone (might be useful for our
'gathering' work?).
If you dismiss concerns about "lack of control"
in capability systems without reading P-1935,
I believe you do so from a position of ignorance.
I find P-1935 difficult to read. But then I
also find all of your technical writing difficult
to read (without qualification). We all come
at these things with different mental models
and from different directions. Difficult
reading is par for the course.
In this case though, there is just this one
document.
I went through an extensive criticism of P-1935
starting:
http://www.eros-os.org/pipermail/cap-talk/2006-November/005815.html
I just went back through that thread. From my
perspective the discussion was rather superficial.
I see no evidence that anybody except David
Hopwood and Jonathan Shapiro even read substantial
parts of P-1935.
From my perspective, while I agree the P-1935 writing
was overly detailed and convoluted, the essential
truth that these authors were struggling with
is that capability systems had not then and I
argue have not now ever provided the sorts of
simple controls that most security people find
so essential for their work:
1. Logs for auditing (who accessed what and when, who delegated
what, when, and to whom),
2. Enforcement of policy (specifically for access control),
and a
3. User/administrator interface for managing access control
(remove A's access to B, grant C's access to D).
For me the above is the painfully extracted 'truth'
that I got from P-1935.
Certainly one gets additional value with capability
systems - POLA. POLA is terrific! I very much
want to achieve it. However, at the cost of
the "lack of control"? Even I don't believe that
cost is worth the gain. I am unpersuaded by
discussions of communicating conspirators, even
though I recognize the essential truth of
their ability to communicate authority.
For me Alan's VOC (where confinement is not
complete) and what to me is MAC (where
confinement is complete) provide effective
controls of the above sort (1-3) even in
the face of possible communicating conspirators.
For me the answer was Horton. I believe the
inherent flexibility of the object capability
interface (the insertion property and the
protection of each end of a communication
channel from the other) provide the means
to put the desired control into object
capability systems. From my perspective
we just need to get on with it.
So, when Tyler asks:
On Thu, 2008-01-17 at 15:11 -0800, Tyler Close wrote:
> > One of the WWW 2008 reviewers of this paper wrote:
> >
> > "Capabilities are *always* easier to implement, and the tradeoff is
> > *always* about giving up control."
> >
> > What is the canonical paper to critique in order to rebut the "giving
> > up control" argument? Which paper had so much influence that people
> > like the reviewer believe this fiction to the point of using star
> > quotes?
I believe that paper is P-1935 and no other. Until
he has read P-1935 and answered the concerns there
about "giving up control" by showing how his system
provides the relevant controls (1-3 above in
my estimation) then I believe he is in no position
to dispute the opinion of the reviewer. Once he
has done so, then I believe he is in a strong
position to refute the reviewer. What other
reference can the reviewer provide regarding
"giving up control"?
I noticed in that old (heh) thread this argument:
At 02:37 PM 11/4/2006, Valerio Bellizzomi wrote:
> But this is an old paper, I believe the "traditional" capability-based
> system they talk of are also old, it is possible that the *new*
> "traditional" capability-based systems are different from the old ones.
which seems to be oft repeated by others (e.g. JonathanS),
that such "old" arguments are irrelevant. There may be
new and better truths, but any truth that was in
such "old" documents is truth today. I believe there
is an essential truth in that document that is just
as true today as it was then. Until we supply the
control that is lacking in capability systems we
will rightfully have them blocked and resisted
at every step.
--Jed http://www.webstart.com/jed/
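The three controls enumerated above (audit logs, policy enforcement, and an administrator interface for grant/revoke), and the Orange Book complaint that "row-based systems do not provide an efficient means of determining which users have access to a given object", can be illustrated with a small object-capability sketch. The code below is an added example, not code from this post, from Horton, or from any cap-talk project; the names Caretaker, Administrator and Document and the sample policy are made up for the illustration. It applies the well-known caretaker (revocable forwarder) pattern: every capability handed out is a forwarder that logs each use and each delegation, consults a policy before forwarding, and chains to the forwarder it was delegated from, so a registry held by the administrator can answer "who can reach this object?" and revoking one holder also cuts off everyone downstream of that holder.

```python
"""Added illustration (not from the cap-talk post, not Horton): a logging,
revocable 'caretaker' forwarder in front of an object capability, plus an
administrator registry that gives audit logs, policy enforcement and a
grant/revoke interface.  All names here are constructed for the example."""

from typing import Callable, Dict, List, Optional


class Revoked(Exception):
    """Raised when a revoked capability (or one downstream of it) is used."""


class Document:
    """Constructed sample target object; any object would do."""

    def __init__(self, text: str) -> None:
        self.text = text

    def read(self) -> str:
        return self.text

    def append(self, more: str) -> None:
        self.text += more

    def delete(self) -> None:
        self.text = ""


class Administrator:
    """Owns the audit log, the access policy and a per-object registry of
    outstanding caretakers, so 'who has access to X?' is a lookup rather
    than a scan of every subject's capability list."""

    def __init__(self, policy: Optional[Callable[[str, str], bool]] = None) -> None:
        self.log: List[dict] = []
        self.policy = policy or (lambda holder, method: True)  # default: allow
        self._grants: Dict[int, List["Caretaker"]] = {}

    def record(self, event: str, **details) -> None:
        self.log.append({"event": event, **details})

    def register(self, cap: "Caretaker") -> None:
        self._grants.setdefault(id(cap.target), []).append(cap)

    def grant(self, target, holder: str) -> "Caretaker":
        self.record("grant", holder=holder, obj=type(target).__name__)
        return Caretaker(target, holder, self)

    def holders_of(self, target) -> List[str]:
        """Column-style query the Orange Book says row-based systems lack."""
        caps = self._grants.get(id(target), [])
        return sorted({c.holder for c in caps if not c.is_revoked()})

    def revoke(self, target, holder: str) -> None:
        for cap in self._grants.get(id(target), []):
            if cap.holder == holder and not cap.is_revoked():
                cap.revoke()


class Caretaker:
    """Forwarder between a holder and the real object.  delegate() mints a
    child chained to this one, so revoking a holder also cuts off everyone
    that holder delegated to."""

    def __init__(self, target, holder: str, admin: Administrator,
                 parent: Optional["Caretaker"] = None) -> None:
        self.target, self.holder = target, holder
        self._admin, self._parent, self._revoked = admin, parent, False
        admin.register(self)

    def is_revoked(self) -> bool:
        return self._revoked or (self._parent is not None and self._parent.is_revoked())

    def invoke(self, method: str, *args):
        if self.is_revoked():
            self._admin.record("denied", holder=self.holder, method=method, reason="revoked")
            raise Revoked(f"{self.holder}: capability revoked")
        if not self._admin.policy(self.holder, method):
            self._admin.record("denied", holder=self.holder, method=method, reason="policy")
            raise PermissionError(f"{self.holder}: {method} denied by policy")
        self._admin.record("access", holder=self.holder, method=method)
        return getattr(self.target, method)(*args)

    def delegate(self, to_holder: str) -> "Caretaker":
        if self.is_revoked():
            raise Revoked(f"{self.holder}: cannot delegate a revoked capability")
        self._admin.record("delegate", from_holder=self.holder, to_holder=to_holder)
        return Caretaker(self.target, to_holder, self._admin, parent=self)

    def revoke(self) -> None:
        self._admin.record("revoke", holder=self.holder)
        self._revoked = True


def demo() -> dict:
    """Grant, delegate twice, use, hit a policy denial, then revoke mid-chain."""
    # Constructed policy: only alice may delete.
    admin = Administrator(policy=lambda holder, method: method != "delete" or holder == "alice")
    doc = Document("quarterly report")
    alice = admin.grant(doc, "alice")
    bob = alice.delegate("bob")       # alice -> bob, logged
    carol = bob.delegate("carol")     # bob -> carol, logged
    alice.invoke("read")
    carol.invoke("append", " (reviewed)")
    try:
        bob.invoke("delete")
        policy_denied = False
    except PermissionError:
        policy_denied = True
    holders_before = admin.holders_of(doc)  # who can reach doc right now
    admin.revoke(doc, "bob")                # cuts off bob and carol, not alice
    holders_after = admin.holders_of(doc)
    try:
        carol.invoke("read")
        carol_cut_off = False
    except Revoked:
        carol_cut_off = True
    return {"text": doc.read(), "holders_before": holders_before,
            "holders_after": holders_after, "policy_denied": policy_denied,
            "carol_cut_off": carol_cut_off, "log": admin.log}
```

Running `demo()` yields a log whose entries answer the auditing questions in item 1 (who accessed what, who delegated to whom), a policy denial for item 2, and the `holders_of`/`revoke` calls of item 3; the chained revocation is what lets a single administrative action override a delegation the holder never reported. The cost, as with any caretaker scheme, is that the registry only sees capabilities minted through it: a raw reference to the target that bypasses the forwarder is invisible to it, which is the confinement question the thread's discussion of communicating conspirators is about.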