[cap-talk] delegatable-with-probable-cost capabilities
Jed Donnelley
jed at nersc.gov
Tue Jan 29 18:43:15 EST 2008
On 1/29/2008 1:26 PM, Sandro Magi wrote:
> Ross McGinnis wrote:
>> Examples of Access Control List: swanky member only
>> clubs that control access with patron list, etc.
>> None of these examples can ever be re-modelled
>> usefully by Object Caps because of the fact that
>> the objects are not exchanged/accessed over confined
>> networks.
>
> I think that's reaching.
Hmmm. I hope what Ross is emphasizing is the possibility
of physical access for authentication. For example, in
the case of the patron list, it would be possible in
principle to do the checking with biometrics. This
aspect of things can't be done across a network (so
far as I know. Even remoting of the biometric
data is just a sort of crypto/password). However,
the fact that he later emphasized "confined" networks
also puzzles me.
> Just about any of these systems can be modeled in
> any of the others, a sort of "Turing Tarpit" of
> access control if you will (see Jed Donnelley's
> "Managing Domains" paper for an example of building
> caps on top of ACLs).
Heh. I thank you kindly for the reference:
J. E. Donnelley, Managing Domains in a Network Operating
System, Proceedings of Local Networks and Distributed
Office Systems Conference, London, May 1981, pp. 345-361.
http://www.webstart.com/jed/papers/Managing-Domains/
However, I believe that in the case of confined subjects
(never mind networks, more difficult to achieve) we can
do a bit better than:
> Ultimately, the only differences are what types of
> interaction they encourage and discourage, and what
> program/system properties emerge as a result.
I believe that in the case of confined subjects (leaving
out covert channels) we can enforce what amounts to
"Mandatory Access Control"s (still monitoring MarkM?).
Even something as simple as a subject (active object/
process) whose only permissions (access to the outside
world) are via something like Horton tunnels seems to
me to effectively have a 'mandatory' access control
policy applied.
It occurs to me in this regard that this could be a
more effective approach to achieving non-delegatability.
Even non-delegatability is a property that could be
enforced (or supported for VOC in the unconfined
case) in a Horton tunnel - though when it might be
wise to do so is another question.
Regarding:
> The unconfined network in your example can be
> modeled as a single shared object in an object cap system.
I agree that this is an important point:
> In reality, there are confined networks of many kinds.
Consider, for example, two E systems separated by a vat
mechanism. The only way to communicate a descriptor
capability between them is through the vat mechanism.
Anything else becomes another sort of proxying - which
of course is what the vat mechanism basically is. So,
for example, a subject (active object/process) that might
only have communication to the outside world through
some Horton tunnels (vat'ted or not) but that also happens
to have a capability allowing direct communication on
a network (e.g. TCP) can only share its capabilities
by proxying. It must itself assume the burden of
serializing its capabilities for sharing - exactly
what Toby and Duncan use their NDA mechanism to
achieve.
However, I don't understand this example:
> For example, a password cap defined in one nation may not
> be usable outside of its borders.
Why would the above be the case? A password cap as I
understand it is just data that will authorize service
if presented to the server. Are you suggesting that
the server would check something like the IP address
and decide which were "nation"al and which not? I
don't understand how a password cap would otherwise
not be honored just because the invocation happened
to initiate from outside the "nation." Perhaps
I'm just not understanding.
> Object caps are useful for both confined and unconfined/shared
> object reasoning, as the shared channels are observable by
> inspection. That seems to produce more useful information
> when trying to reason about systems than simply assuming
> unconfined communication.
As long as communication is really only available through
the object caps. For example, I don't know how Polaris
or Plash block network communication, but it is an issue
with regard to the above suggested usefulness of
object cap systems. To provide this value all
communication must really be through object caps,
which of course clarifies the role of covert
channels. Direct TCP communication from a Polaris
or Plash process would effectively be a covert channel
(sorry if I inappropriately malign Polaris and Plash).
--Jed http://www.webstart.com/jed/
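As an added illustration of the points above about Horton tunnels (a confined subject whose only outside access runs through a mediating channel, and a non-delegation policy enforced in that channel) and about sharing capabilities only by proxying, here is a toy model in Python. It is not code from the thread or from any Horton/E implementation; the `Tunnel`, `TunnelProxy` and `Capability` classes and the "alice"/"bob" names are constructed for this example.

```python
# Toy model (constructed for this example) of a "tunnel" that is the only link
# between a confined subject and the outside world. Raw references never cross
# it: every capability is re-wrapped in a tunnel-owned proxy, so the tunnel can
# log each use and refuse onward delegation of anything it hands through.

class Capability:
    """A raw reference: whoever holds it may invoke it and pass it on freely."""
    def __init__(self, name, fn):
        self.name, self.fn = name, fn
    def invoke(self, *args):
        return self.fn(*args)

class TunnelProxy:
    """Stand-in for a capability on the far side of a tunnel."""
    def __init__(self, tunnel, target, holder):
        self.tunnel, self.target, self.holder = tunnel, target, holder
        self.name = target.name
    def invoke(self, *args):
        self.tunnel.log.append(("invoke", self.holder, self.name))
        return self.target.invoke(*args)

class Tunnel:
    """Mediating channel: issues proxies and applies a non-delegation policy."""
    def __init__(self):
        self.log = []
    def send(self, cap, receiver):
        # Policy: a proxy this tunnel issued may not be sent back through it,
        # so a recipient cannot hand its granted access on to a third party.
        # A proxy from some other tunnel is just wrapped again (proxy chaining).
        if isinstance(cap, TunnelProxy) and cap.tunnel is self:
            self.log.append(("refused-delegation", cap.holder, receiver))
            raise PermissionError(f"{cap.name}: non-delegable")
        self.log.append(("grant", receiver, cap.name))
        return TunnelProxy(self, cap, receiver)

def demo():
    """Grant, use, then attempt to delegate; returns (result, event kinds)."""
    tunnel = Tunnel()
    report = Capability("read-report", lambda: "Q4 numbers")
    alice_cap = tunnel.send(report, "alice")   # alice gets a proxy, not the ref
    got = alice_cap.invoke()                   # use is mediated and logged
    try:
        tunnel.send(alice_cap, "bob")          # alice tries to pass it to bob
    except PermissionError:
        pass
    return got, [e[0] for e in tunnel.log]
```

The tunnel only stops the reference itself from crossing: a holder that also has its own outside channel (the direct TCP capability in the message) can still forward invocations by building and serializing its own proxy, which is exactly the proxying burden described above.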