[cap-talk] A problem in EQ-free grant matcher?

Toby Murray toby.murray at comlab.ox.ac.uk
Tue Feb 19 07:26:59 EST 2008


Hi Dean,

thanks for commenting. Just to unpack that a bit, and after thinking
about what you've said, I think what has to happen is:

- The GrantMatcher should ensure that all of his unsealers have synergy
with each other, in some way, such that they (or some forwarder for
them) can be "coerced" to a reference to a true authenticated unsealer.

- This sort of synergy+coercion primitive can certainly be built from
plain object-caps, as has been demonstrated before on this list, so
this certainly doesn't necessitate EQ.

[ see e.g.
http://www.eros-os.org/pipermail/cap-talk/2006-December/006573.html ]


- Each Charity then holds a coercer capability (given by the
GrantMatcher by prior arrangement) that can be used to coerce
potentially untrustworthy unsealers into authenticated sealers.

- Only if the coercion is successful should a charity invoke an
unsealer.

This would appear to defeat the attack.

Does that sound about right?

On Mon, 2008-02-18 at 11:52 -0800, Dean Tribble wrote:
> I'm heads-down on a deadline at the moment, but will surface later
> this week.  The basic approach is to recursively apply the
> sealer/unsealer techniques to the establishment of synergy in the
> sealers. That may be roughly equivalent to "some sort of synergy
> between the GrantMatcher and every possible charity", though....
> 
> On Feb 18, 2008 4:11 AM, Toby Murray <toby.murray at comlab.ox.ac.uk>
> wrote:
> > Very cool.
> >
> > I modelled this same example in CSP to see whether I could detect this
> > attack. I could, but I also found a simpler one, which is described at
> > the end of this message.
> >
> > The upshot of both attacks is that in order to do Grant Matching without
> > EQ, we need some sort of synergy between the GrantMatcher and every
> > possible charity so that every possible charity can distinguish when it
> > has been passed an unsealer from GrantMatcher or not. Without this, both
> > attacks seem possible.
> 
> _______________________________________________
> cap-talk mailing list
> cap-talk at mail.eros-os.org
> http://www.eros-os.org/mailman/listinfo/cap-talk
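The following is an added illustration, not code posted to the list or taken from any E/EROS implementation. It sketches one way the construction outlined above could be realised in plain object-capability style: sealer/unsealer pairs that recognise their own boxes by behaviour (a shared private slot) rather than by an EQ identity test, and a GrantMatcher whose per-grant unsealers are themselves sealed under a master pair. The master unsealer plays the role of the "coercer" a charity holds by prior arrangement; a charity invokes a candidate unsealer only after coercion succeeds. All names (make_sealer_unsealer, GrantMatcher, charity_redeem, demo) and the sample pledge are assumptions for the example. Python does not enforce encapsulation the way an ocap language does, so the private slot and box field are only illustrative, and the single-slot design is not reentrancy-safe.

```python
"""Sealer/unsealer pairs and a coercer built from them, with no EQ (identity test).
Added illustration; names and sample data are constructed for this example."""
from typing import Any, Callable, Tuple


def make_sealer_unsealer() -> Tuple[Callable[[Any], Any], Callable[[Any], Any]]:
    """Return a (seal, unseal) pair that share one private slot.

    Recognition works by behaviour, not identity: a genuine box, when asked,
    writes its contents into this pair's slot; a box from another pair writes
    into that pair's slot, which the unsealer here never sees.
    """
    slot: list = []  # private channel between this pair's boxes and its unsealer

    class Box:
        __slots__ = ("_contents",)

        def __init__(self, contents: Any) -> None:
            self._contents = contents

        def _share(self) -> None:
            slot.append(self._contents)  # only reachable by the closure below

    def seal(contents: Any) -> Box:
        return Box(contents)

    def unseal(candidate: Any) -> Any:
        slot.clear()
        try:
            candidate._share()  # a foreign object may lack _share or write elsewhere
        except Exception:
            pass
        if not slot:
            raise ValueError("not sealed by this sealer")
        contents = slot[0]
        slot.clear()  # do not leave contents lying in the shared slot
        return contents

    return seal, unseal


class GrantMatcher:
    """Issues one fresh sealer/unsealer pair per grant and authenticates its unsealers.

    The master pair is used only to seal the per-grant unsealers. The master
    unsealer is the coercer a charity holds by prior arrangement: anything that
    did not come from the GrantMatcher raises instead of yielding an unsealer.
    """

    def __init__(self) -> None:
        self._master_seal, master_unseal = make_sealer_unsealer()
        self.coercer = master_unseal

    def new_grant(self) -> Tuple[Callable[[Any], Any], Any]:
        seal, unseal = make_sealer_unsealer()
        # donor gets the sealer; charities are shown the unsealer only in sealed form
        return seal, self._master_seal(unseal)


def charity_redeem(coercer: Callable[[Any], Any], candidate_unsealer: Any, sealed_pledge: Any) -> Any:
    """Coerce first; invoke the unsealer only if coercion succeeds."""
    true_unseal = coercer(candidate_unsealer)  # ValueError if not the GrantMatcher's
    return true_unseal(sealed_pledge)


def demo() -> dict:
    gm = GrantMatcher()
    donor_seal, sealed_unseal = gm.new_grant()
    pledge = donor_seal({"donor": "alice", "amount": 100})  # constructed sample pledge
    results = {"honest": charity_redeem(gm.coercer, sealed_unseal, pledge)}

    def leaky_unsealer(box: Any) -> str:  # attacker-supplied object posing as an unsealer
        return "pledge captured"

    # Attack 1: bare callable offered as an unsealer. Coercion fails, so the
    # charity never hands it the pledge.
    try:
        charity_redeem(gm.coercer, leaky_unsealer, pledge)
        results["bare_callable_rejected"] = False
    except ValueError:
        results["bare_callable_rejected"] = True

    # Attack 2: attacker runs their own pair and seals the fake unsealer under it.
    attacker_seal, _ = make_sealer_unsealer()
    try:
        charity_redeem(gm.coercer, attacker_seal(leaky_unsealer), pledge)
        results["foreign_brand_rejected"] = False
    except ValueError:
        results["foreign_brand_rejected"] = True

    # A genuine GrantMatcher unsealer for a different grant passes coercion but
    # cannot open this pledge, so no cross-grant confusion either.
    _, other_sealed_unseal = gm.new_grant()
    try:
        charity_redeem(gm.coercer, other_sealed_unseal, pledge)
        results["wrong_grant_rejected"] = False
    except ValueError:
        results["wrong_grant_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Nothing in the block compares object identities; every check is "did this object write into the slot I can read?", which is the synergy the message is asking for. The only thing a charity has to trust is the coercer it obtained in advance.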


