[cap-talk] Documentation and the "Access Propagation Fear" (was: Re: Object-Capability Patterns)
Jed Donnelley
jed at nersc.gov
Thu Mar 20 20:00:39 EDT 2008
On 3/20/2008 3:35 PM, Raoul Duke wrote:
> as a clueless newbie, this wiki project is very exciting as a resource
> for trying to learn up. thanks to everyone who is contributing.
>
> sincerely.
One thing the above suggests is that it would be good if
we could provide some introductory material that either:
1. Points at some of the non-wiki material that has
been available for years, or
2. Copies some of that pre-wiki material into a
wiki like the erights wiki for such access.
I'm thinking about material like:
http://www.eros-os.org/essays/capintro.html
http://www.cap-lore.com/CapTheory/KK/OperatingSystems.html
http://www.cis.upenn.edu/~KeyKOS/ConfusedDeputy.html
...
While this documentation work is sometimes discouraging
(seemingly never ending), I do think we're making progress.
On the other hand ... here's one I hadn't run into before
(Googling):
http://www.cs.utah.edu/flux/papers/micro/node4.html
with this:
"Though popular, capability mechanisms are poorly suited to
providing policy flexibility, because they allow the holder
of a capability to control the direct propagation of that
capability, whereas a critical requirement for supporting
security policies is the ability to control the propagation
of access rights in accordance with the policy. The enhancements
introduced by Hydra and KeyKOS are intended to limit such
propagation, but the resulting systems still generally only
support the specific policies they were designed to satisfy,
at the cost of significant complexity that diminishes the
attraction of the capability model in the first place."
Ah, I guess the fact that the above comes from Stephen D. Smalley
of SELinux fame makes some sense. Sigh.
I'm not sure which aspect of the above I disagree with
more, that:
A. Capability mechanisms are popular, or that
B. Capability mechanisms are poorly suited to providing
policy flexibility <e.g. Horton Policy Decision Points>.
Of course I know I'm just repeating myself when I note that
the above, no "propagation" control, is exactly the "loose
capabilities" fear that I harp on so much, and that again
ties into the "Cooperating Conspirators" 'problem'.
Do we have an agreed upon name that we can use to refer
to the above fear - if only so we can combat it better??
'Cooperating conspirators' isn't adequate as it is too
clear about the framing - which those with the fear clearly
are not.
What about the "Access Propagation Fear"? That was the
terminology used above. Why not? Alternatives?
I like this idea from Thomas Friedman:
"In the world of ideas, to name something is to own it."
(from: http://www.nytimes.com/2007/04/15/magazine/15green.t.html )
Heh. At least with capabilities a program can only
propagate access where it can communicate. With ACLs
a program can propagate owned access where it can't
communicate...
Oh well, we just keep doing the best we can. I'll see
what I can do about getting at least some of what I've
written into suitable wiki content or links. I hope others
don't begrudge me working on my own writing first ;-)
--Jed http://www.webstart.com/jed/
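Added example, not part of Jed's post or of any system named in it: a toy Python model of the propagation point made above. A party holding a capability can only propagate access to parties it can communicate with (and where it can, withholding the raw handle does not stop it from proxying the access), whereas an ACL owner can grant access to a principal it never communicates with. The class and principal names are constructed for illustration.

```python
class Resource:
    """The protected object; only reachable through a Capability."""
    def __init__(self, data):
        self._data = data
    def read(self):
        return self._data

class Capability:
    """Unforgeable reference: possession is the authority."""
    def __init__(self, resource):
        self._resource = resource
    def read(self):
        return self._resource.read()

class Proxy:
    """What any holder can build for a party it can talk to: it forwards
    requests. A rule 'never hand over the capability itself' therefore limits
    propagation of the handle, not of the access the handle conveys."""
    def __init__(self, cap):
        self._cap = cap
    def read(self):
        return self._cap.read()

def propagate_via_capability(alice_can_message_bob):
    """Alice holds the only capability; returns what Bob can read, if anything."""
    alice_cap = Capability(Resource("payroll.csv"))   # constructed sample data
    if not alice_can_message_bob:
        return None                  # no channel, so no way to propagate at all
    bob_handle = Proxy(alice_cap)    # delivered over the channel Alice already has
    return bob_handle.read()

class AclResource:
    """Access decided by a principal list kept with the object, not by a handle."""
    def __init__(self, data, owner):
        self._data, self.owner, self.acl = data, owner, {owner}
    def grant(self, granter, grantee):
        if granter != self.owner:
            raise PermissionError(granter)
        self.acl.add(grantee)        # no message to the grantee is needed
    def read(self, principal):
        if principal not in self.acl:
            raise PermissionError(principal)
        return self._data

def propagate_via_acl(alice_can_message_bob):
    """The channel flag is deliberately unused: the owner edits the ACL and
    Bob gains access without Alice ever communicating with him."""
    res = AclResource("payroll.csv", owner="alice")
    res.grant("alice", "bob")
    return res.read("bob")
```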