[cap-talk] Confused Deputies arising from object capabilities

Mark Miller erights at gmail.com
Sun Feb 3 13:29:05 EST 2008


On Feb 3, 2008 9:48 AM, Jed Donnelley <capability at webstart.com> wrote:
> While such policies might be natural for a Horton
> implementation, to me this is a somewhat surprising
> and disappointing result.

Hypothesis: The Horton PDP mechanism should be engaged only
reactively, when we find that our proactive policies were too
permissive and we want to stem the damage. In these circumstances,
blunt instruments are often fine. To use Ping's analogy: While we'd
normally like to (proactively) build fire resistant machines and
buildings, we also must anticipate the need to (reactively) fight
fires. When fighting a fire, we accept the risk that books will also
get wet -- a firehose is not for delicate surgery. Likewise, if the
Horton PDP is used only in emergencies, both of the following
"problems" with Horton should be considered acceptable:

* If the Horton PDP shuts off access non-transitively, there may
remain some confused deputy dangers during this emergency. (The
firehose doesn't put out every flame immediately.)
* If the Horton PDP shuts off access transitively, some legitimate
accesses may be denied. (The firehose ruins some books.)


In answer to your previous question, Horton is not a hybrid system.
Alan's ACL proposal is. However, I am now increasingly confused about
the difference between the two. If Alan's extra check is used only
reactively, in emergencies, then everything I say above applies to it
as well. Perhaps Horton is a way to faithfully model, in pure ocap
terms, the access control properties of hybrid capability systems?

-- 
Text by me above is hereby placed in the public domain

    Cheers,
    --MarkM
