[cap-talk] Terminology for Confused Deputies, rights amplification example

Jonathan S. Shapiro shap at eros-os.com
Thu Feb 7 12:01:29 EST 2008 

On Thu, 2008-02-07 at 08:51 -0800, Charles Landau wrote:
> At 10:11 AM -0500 2/7/08, Jonathan S. Shapiro wrote:
> >In the overwhelming majority of cases, we do not
> >actually know anything about the program the Bob obeys, so we must
> >(conservatively) assume maximally feasible conspiracy.
> 
> This is a considerable overstatement. We know something about all the 
> system-provided programs. For example, CapROS has device driver 
> objects that have the ability to do anything to the computer (for 
> example, DMA onto the kernel code). But I know that they are not 
> intended to have that behavior. The kernel itself is another program 
> that we hopefully know something about.

All of what you say is true, but these are not the types of programs
under consideration in the present discussion, and in any case they form
only a small fraction of the programs that exist in a complete system.

> >In most cases
> >where we DO know the program that Bob obeys, that program will defy
> >analysis (due to limits of formal methods), and we will be forced to
> >fall back on the conspiracy assumption again.
> 
> It would be exceedingly limiting to restrict the discussion to 
> programs that can be formally analyzed. 

I would actually be satisfied with reasonably rigorous human analysis
based on the code obeyed by Bob and the permission environment under
which Bob operates. Anything that does NOT rely on actual knowledge of
Bob's behavior and some reasonably rigorous confidence in that behavior
is either a "what if" exercise or an exercise in wishful thinking,
depending on context. I agree that what-if exercises are good and
useful, but they do not appear to bear on the discussion at hand. I
suspect you know my opinion of wishful thinking in security
discussions. :-)

In the present discussion, Jed has not asserted that we can assume
anything through knowledge of Bob's code. In the absence of such an
assertion, Bob is presumptively conspiring for purposes of understanding
whether separation of authority exists.


shap

More information about the cap-talk mailing list