[cap-talk] Toby's Confused deputy statement (was: Re: Confused deputies in hybrid systems)
Jonathan S. Shapiro
shap at eros-os.com
Tue Feb 5 21:31:21 EST 2008
On Tue, 2008-02-05 at 22:31 +0000, Toby Murray wrote:
> On Tue, 2008-02-05 at 11:10 -0500, Jonathan S. Shapiro wrote:
> > Authority is an emergent property. It is, in effect, all of the
> > operations that might be induced to occur (effected) in the system by
> > proceeding from a given configuration.
>
> If we restrict our attention to "all of the operations that might be
> induced to occur by the actions of a particular entity proceeding from a
> given configuration" then we can define the authority that the entity
> possesses in this particular configuration.
I think that it is not so simple as that, because those operations need
to include the operations of downstream entities that are invoked
consequentially. Some definition along these lines might be made to
work, but this doesn't seem to be it yet.
> > In consequence, authority does
> > not grow, and we cannot sensibly speak about "getting more authority" as
> > the result of an action that is (at some point) permitted when
> > proceeding from a given state.
>
> I see your point. But we can measure the difference between the
> authority that an entity has when it can, and cannot, perform a
> particular action.
Yes. I think this is another way of saying that we can partition the
universe of future states into the set in which some class of actions of
interest did or did not occur.
> In this way, we may quantify the authority that the
> entity may wield through performing a particular action. If this action
> is possible only because the entity possesses a particular capability,
> then we may quantify part of the authority granted to the entity by this
> particular capability. If we repeat this process for all of the
> different actions allowed by a particular capability, then we may
> quantify the authority that this capability grants to a particular
> entity.
That seems plausible, but I am concerned that this may be one of those
places where there is a subtle modeling problem. In particular, we need
to consider two cases in which subject S0 performs some operation O:
1. The case in which S0 is, in some sense, the initiator of O
2. The case in which S0 performed operation O in response to some
invocation made on S0 by a third party.
The tricky part here is that if we prohibit O altogether, we may cause
other subjects to fail in various ways because we eliminated type [2]
invocations, and this will alter the entire multiverse of authority.
I am not sure how to proceed here. I simply raise the issue. Offhand,
the issue seems to imply a need to define some sense of "intent" -- at
least for some forms of analysis. That strikes me as a potentially
sticky wicket. Possible in some cases, but fraught with opportunities
for erroneous models.
> Untrusted entities (those whose
> behaviour we know nothing or little about) should be approximated so as
> to exhibit all legal behaviours given the initial conditions of the
> system. In this way, we can get a conservative bound on the authority
> of different entities within the system.
I believe that by "legal" you mean "all actions that are possible given
the permission state that exists at the time of the action". Not to be
confused with "all actions that were considered right and proper at the
time of the action."
> I got approval today from the department to officially spend the
> rest of my doctorate on this stuff so I better know what I'm talking
> about...
Congratulations!
> >
> > 2. Under this definition of authority, the closest I think we can come
> > to speaking about "getting more authority" is inducing a partition
> > on the universe of future computational states, one subset being
> > the future states in which the action that "got more authority"
> > never occurred.
>
> I think this corresponds to what I said above about measuring the
> difference between a subject's authority when it may, and may not,
> perform a particular action. Let me know if I've misinterpreted you here
> though.
We seem to be converging. Did my comments above address this point?
> > I am assuming that ANY process is either modeled or must be presumed to
> > conspire. In this sense, it is worse than a proxy (as you defined it)
> > because it can be requested to combine capabilities on behalf of the
> > client.
>
> Good point. The service may also combine capabilities passed to it with
> ones that it already possesses but the client does not.
Precisely. Because of this, if we must resort to informal labels, I
think it is better to refer to such a process as a "conspirator". The
label "proxy" implies a process that is attempting to execute the
client's will in a fairly direct way. This leads one into intuitions
that assume predictable behavior of a sort that doesn't seem right for
this type of model.
shap
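The reachability reading of authority that runs through the exchange above (authority as "all of the operations that might be induced to occur" from a configuration, untrusted entities approximated as exhibiting every legal behaviour, a "conspirator" service that combines the caller's request with capabilities of its own, and authority "granted by" a capability measured as the difference between the configuration with and without it) can be made concrete as a small graph model. The following is an illustration added to this archive page; it is not code from either correspondent or from EROS. The subject and object names, the `will_do_for_caller` behavioural model for modelled subjects, and the scenario in `build_example` are all constructed assumptions, and the model does not attempt the initiator-versus-invoked-on distinction raised in the reply.

```python
"""Reachability model of authority in a capability graph (added illustration)."""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

Op = Tuple[str, str]  # (target, right), e.g. ("secret", "read")


@dataclass
class CapSystem:
    # caps[holder] = set of (target, right) capabilities the holder possesses
    caps: Dict[str, Set[Op]] = field(default_factory=dict)
    # subjects whose behaviour we do not model: assumed to perform every
    # legal action on behalf of whoever can invoke them (the "conspirator" case)
    untrusted: Set[str] = field(default_factory=set)
    # subjects whose behaviour we do model (hypothetical model, an assumption of
    # this example): the operations each will perform on a caller's behalf
    will_do_for_caller: Dict[str, Set[Op]] = field(default_factory=dict)

    def grant(self, holder: str, target: str, *rights: str) -> None:
        self.caps.setdefault(holder, set()).update((target, r) for r in rights)

    def revoke(self, holder: str, target: str, right: str) -> "CapSystem":
        """Copy of the system in which `holder` can no longer do `right` on `target`."""
        copy = CapSystem({h: set(ops) for h, ops in self.caps.items()},
                         set(self.untrusted),
                         {s: set(ops) for s, ops in self.will_do_for_caller.items()})
        copy.caps.get(holder, set()).discard((target, right))
        return copy


def authority(system: CapSystem, subject: str) -> Set[Op]:
    """All operations `subject` can cause to occur from this configuration,
    directly or by invoking other subjects. Untrusted callees are followed
    transitively with every capability they hold (conservative bound);
    modelled callees contribute only what their model says they will do."""
    result: Set[Op] = set()
    seen: Set[str] = set()
    frontier = [subject]
    while frontier:
        s = frontier.pop()
        if s in seen:
            continue
        seen.add(s)
        if s == subject or s in system.untrusted:
            available = system.caps.get(s, set())
        else:
            # a modelled callee never does more than it promises, and can
            # never do more than it actually holds
            available = system.will_do_for_caller.get(s, set()) & system.caps.get(s, set())
        for target, right in available:
            result.add((target, right))
            if right == "invoke":
                frontier.append(target)
    return result


def authority_via(system: CapSystem, subject: str, target: str, right: str) -> Set[Op]:
    """Authority `subject` wields only because it holds (target, right): the
    difference between the configuration in which that action is possible
    and the one in which it is not."""
    return authority(system, subject) - authority(system.revoke(subject, target, right), subject)


def build_example() -> CapSystem:
    # Constructed scenario, not taken from the thread.
    system = CapSystem()
    system.grant("client", "service", "invoke")
    system.grant("client", "proxy", "invoke")
    system.grant("client", "public", "read")
    # the service holds capabilities the client does not, and its behaviour is unknown
    system.grant("service", "log", "write")
    system.grant("service", "secret", "read")
    system.untrusted.add("service")
    # the proxy holds the same capabilities, but we have a model of what it does for callers
    system.grant("proxy", "log", "write")
    system.grant("proxy", "secret", "read")
    system.will_do_for_caller["proxy"] = {("log", "write")}
    return system


if __name__ == "__main__":
    s = build_example()
    print("client authority:   ", sorted(authority(s, "client")))
    print("via invoke(service):", sorted(authority_via(s, "client", "service", "invoke")))
    print("via invoke(proxy):  ", sorted(authority_via(s, "client", "proxy", "invoke")))
```

Two things the model makes visible. First, the conservative bound: because `service` is unmodelled, the client's authority includes `("secret", "read")` even though the client holds no capability to `secret`; the modelled `proxy`, holding identical capabilities, contributes only the write it is modelled to perform. Second, the measurement is relative to the rest of the configuration: `authority_via` for the proxy invocation comes out as just the invoke itself, because everything the proxy would do for the client is already reachable through the service, and revoking the service invocation removes `secret` read but not `log` write for the same reason.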