[cap-talk] Capabilities giving up control? (was: Re: A paper on web-keys)

Jed Donnelley jed at nersc.gov
Thu Jan 17 20:17:15 EST 2008


On 1/17/2008 3:11 PM, Tyler Close wrote:
> One of the WWW 2008 reviewers of this paper wrote:
> 
> "Capabilities are *always* easier to implement, and the tradeoff is
> *always* about giving up control."
> 
> What is the canonical paper to critique in order to rebut the "giving
> up control" argument? Which paper had so much influence that people
> like the reviewer believe this fiction to the point of using star
> quotes?
> 
> --Tyler

Sorry if I seem to be beating a dead horse here,
but I'm confident this is exactly the "loose
capabilities" fear that I seem to harp on so
much to this list.  The same one that Toby and
Duncan make what seems to me a counterproductive
effort to defend against in:

"Non-Delegatable Authorities in Capability Systems"
By Toby Murray and Duncan Grove
(to appear in the Journal of Computer Security)

http://web.comlab.ox.ac.uk/oucl/work/toby.murray/papers/NDA.pdf

The same one that caused the defense community
to turn against capabilities in a series of reports
like IDA Paper P-1935:

TRADITIONAL CAPABILITY-BASED SYSTEMS:
AN ANALYSIS OF THEIR ABILITY TO MEET THE
TRUSTED COMPUTER SECURITY EVALUATION CRITERIA

http://www.webstart.com/jed/papers/P-1935/

and in the Orange book.

Were you at David Wagner's talk at Google?
Same issue with the question there:

http://youtube.com/watch?v=EGX2I31OhBE

at 50m40s (anybody know how to make a URL
to that time mark for youtube?):

The questioner correctly stated about the
Object Capability model (somewhat
anthropomorphically): "If you have a
capability then you can give it to someone
else" (that you have a capability to...)

The questioner then continued in that vein to note:
"That doesn't seem like a good idea.  You might
want to give someone a capability but not give
them the right to pass it on to someone else."

It's the same issue again, and again, and
again.

It is the concern that in the capabilities model
it is understood that any subject with an
authority represented as a capability can
communicate that authority over any available
communication channel (represented as another
capability).  Anybody who sets up such a
situation and is used to an ACL model feels
a loss of control.  "What, I don't have to
change an ACL to allow that authority to be
communicated?  That subject can just
delegate it on its own across that
channel like that??!?"

I don't know of a "canonical" paper.  I think
this common understanding results from a
whole series of papers and discussion from
that period in the late 1980s and early 1990s.
Since then it has been 'common understanding',
just like Butler's statement that capability
systems will always be the wave of the future.
It's probably even taught that way in universities
these days.  I know I've run into recent graduates
with that firm conviction.


This is exactly the loss of control that
motivated me to discuss and then push on
the development of the Horton mechanism.

Namely:

A.  If a subject that you may be concerned about
has an authority and is *not* suitably confined,
namely it is also able to communicate to other
subjects of concern, then you have already lost
control and you may just not be aware of it:

http://www.erights.org/elib/capability/conspire.html

but:

B.  If a subject that you may be concerned about
has an authority and *is* suitably confined
(namely all communication of concern goes
through a Policy Decision Point like a
Horton tunnel that includes a policy module)
then you can implement whatever policy you
wish in your policy module and you have
as much control as is possible in any
system.


The commonly understood view is exactly that
of your reviewer.  I believe we haven't adequately
disputed this view - even in the Horton paper
that was long on detailed mechanism and short
on earth shaking revelation.

Of course the fact that the object capability
paradigm is wonderful for POLA (need to know)
is generally acknowledged.  It may even be
generally accepted that it is wonderful for
software/responsibility decomposition.  Most
people just feel that way too much is given up
in the way of control.  They feel that they
require (and that ACLs supply) both of these
needs (that seem to me in conflict):

1.  Need to allow subjects (programs)
wide communication flexibility (e.g.
access to the Internet), and

2.  Need to ensure that an untrustworthy
program can't delegate its authority.

I believe people generally don't understand how
inviolate #A is, and how much flexibility is
available in the object capability model with
regard to #B.

I believe that with the object capability model
one can achieve the best of both worlds - the
POLA/'need to know control' and the flexibility
for software/responsibility decomposition along
with any control that is desired - e.g. through
mechanisms like Horton tunnels that can implement
the control policy.  Of course you have to give
up unconfined communication to achieve that
control, but as we've oft noted on this list,
that is inevitable.

As I've noted, if we lose this battle, the
object capability model will continue to
be toast IMO.  This is absolutely the key
issue with regard to this model.  It isn't
going to turn around over night, but we allow
it to languish unchallenged at the peril of
this model.

--Jed
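The two situations Jed labels A and B above, as an added example that is not part of the original post and is not the Horton protocol itself (Horton tracks responsibility across delegations; this sketch only shows the confinement point). Capabilities are plain object references; the subjects Alice and Bob, the file, the `makeTunnel` proxy and the three policy modules are all assumed names for illustration:

```javascript
// Added illustration of points A and B from the post. Not the post's own
// code and not the Horton mechanism: a minimal object-capability sketch
// in which a tunnel with a pluggable policy module mediates every
// reference that crosses a channel.

// A capability to a file: whoever holds this object can use it.
function makeFile(contents) {
  return {
    read: () => contents,
    write: (text) => { contents = text; },
  };
}

// A "subject of concern": it keeps whatever capability it is handed.
function makeBob() {
  let held = null;
  return {
    give: (cap) => { held = cap; },
    tryRead: () => (held ? held.read() : undefined),
    tryWrite: (text) => {
      if (held && typeof held.write === 'function') { held.write(text); return true; }
      return false;
    },
  };
}

// Point A: Alice holds the file and an unconfined channel to Bob.
// No ACL is consulted; the reference simply travels over the channel.
function unconfinedDelegation() {
  const file = makeFile('secret');
  const bob = makeBob();
  const alice = { channelToBob: bob, file };
  alice.channelToBob.give(alice.file);
  return bob.tryRead(); // Bob now exercises Alice's authority
}

// Point B: the tunnel is Alice's only route to Bob. Every object reference
// in a message is shown to the policy module first, which returns what Bob
// actually receives: the reference, an attenuated stand-in, or (by
// throwing) nothing at all.
function makeTunnel(target, policy) {
  return new Proxy(target, {
    get(obj, name) {
      const member = obj[name];
      if (typeof member !== 'function') return member;
      return (...args) => {
        const mediated = args.map((arg, i) =>
          (arg !== null && typeof arg === 'object')
            ? policy(arg, { method: String(name), argIndex: i })
            : arg);
        return member.apply(obj, mediated);
      };
    },
  });
}

// Three policy modules; which one is installed is the controller's choice.
// 1. Refuse to let any capability cross the channel.
const denyDelegation = () => { throw new Error('policy: delegation denied'); };

// 2. Let it cross, but attenuated: Bob gets read but not write.
const readOnly = (cap) => ({ read: cap.read });

// 3. Let it cross wrapped in a forwarder that records every use, so the
//    exercise of the delegated authority stays visible to the controller.
function makeAudited(log) {
  return (cap, ctx) => new Proxy(cap, {
    get(obj, name) {
      const member = obj[name];
      if (typeof member !== 'function') return member;
      return (...args) => {
        log.push(`${ctx.method}[${ctx.argIndex}].${String(name)}`);
        return member.apply(obj, args);
      };
    },
  });
}

// Alice tries the same delegation as in A, but through the tunnel.
function confinedDelegation(policy) {
  const file = makeFile('secret');
  const bob = makeBob();
  const alice = { channelToBob: makeTunnel(bob, policy), file };
  let delegated = true;
  try {
    alice.channelToBob.give(alice.file);
  } catch (e) {
    delegated = false;
  }
  return {
    delegated,
    bobReads: bob.tryRead(),
    bobWrote: bob.tryWrite('tampered'),
    fileNow: file.read(),
  };
}
```

Nothing in Alice changes between the two cases; what changes is that in B the channel she was given is the tunnel rather than Bob, so the policy module, not Alice, gets the last word on what crosses. With `denyDelegation` Bob ends up with nothing, with `readOnly` he can read but not write, and with `makeAudited` he gets full use but every call is logged.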
