[cap-talk] Documentation and the "Access Propagation Fear"

Bill Frantz frantz at pwpconsult.com
Thu Mar 20 22:35:19 EDT 2008


david.hopwood at industrial-designers.co.uk (David-Sarah Hopwood) on Friday, March 21, 2008 wrote:

>Jed Donnelley wrote:
>> http://www.cs.utah.edu/flux/papers/micro/node4.html
>> 
>> with this:
>> 
>> "Though popular, capability mechanisms are poorly suited to
>> providing policy flexibility, because they allow the holder
>> of a capability to control the direct propagation of that
>> capability, whereas a critical requirement for supporting
>> security policies is the ability to control the propagation
>> of access rights in accordance with the policy. The enhancements
>> introduced by Hydra
>
>This is probably referring to 'EnvRts' [*] (which is useless as
>a security mechanism, and interferes with delegation)...
>
> > and KeyKOS
>
>but I have no idea what this is referring to. Anyone know?

Probably KeySAFE[1] which was a system designed for MLS security.


>> are intended to limit such
>> propagation, but the resulting systems still generally only
>> support the specific policies they were designed to satisfy,
>> at the cost of significant complexity that diminishes the
>> attraction of the capability model in the first place."

I would hope that any security system supports the specific
policies it is designed to satisfy.

I am not sure that KeyKOS with KeySAFE is significantly more
complex than the trusted computing base of say, SE Linux.


[1]<http://www.cis.upenn.edu/~KeyKOS/agorics/KeyKos/keysafe/Keysafe.html>

Cheers - Bill

-------------------------------------------------------------------------
Bill Frantz        | The first thing you need when  | Periwinkle
(408)356-8506      | using a perimeter defense is a | 16345 Englewood Ave
www.pwpconsult.com | perimeter.                     | Los Gatos, CA 95032
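The quoted Flux passage objects that a capability holder controls where the capability propagates. The usual object-capability reply is that the issuer controls propagation by handing out a forwarder rather than the raw reference. The following is an added example, not code from the post, from KeyKOS or from KeySAFE; the class names, the file-capability object and the caretaker (revocable forwarder) pattern are assumptions chosen to illustrate the point, not a description of how either system is built.

```python
"""Added illustration (not from the cap-talk thread) of capability
propagation in an object-capability style, and of how an issuer bounds
that propagation with a revocable forwarder (the "caretaker" pattern).
All names here are hypothetical."""


class FileCap:
    """A capability: an unforgeable reference that bundles the object with
    the authority to use it. Whoever holds it can read, and can pass it on."""

    def __init__(self, name, data):
        self._name = name
        self._data = data

    def read(self):
        return self._data


class Caretaker:
    """A forwarder the issuer can switch off. The holder may delegate the
    forwarder as freely as any capability, but every delegate loses access
    the moment the issuer revokes, so the reach of the authority is bounded
    by the issuer's policy rather than by the holder's discretion."""

    def __init__(self, target):
        self._target = target

    def read(self):
        if self._target is None:
            raise PermissionError("capability revoked")
        return self._target.read()

    def revoke(self):
        self._target = None


def issue(cap):
    """Issuer side: hand out the forwarder, keep the revoke function."""
    fwd = Caretaker(cap)
    return fwd, fwd.revoke


def scenario():
    """Constructed scenario: Alice receives a forwarder, delegates it to Bob
    by simply passing the reference (holder-controlled propagation), then
    the issuer revokes Alice, which also cuts off Bob."""
    secret = FileCap("plans.txt", b"constructed sample contents")
    alice_cap, revoke_alice = issue(secret)

    bob_cap = alice_cap            # delegation is just sharing the reference
    before = bob_cap.read()        # Bob can read through Alice's forwarder

    revoke_alice()                 # issuer policy decision
    try:
        bob_cap.read()
        after = "still readable"
    except PermissionError:
        after = "revoked"
    return before, after


if __name__ == "__main__":
    print(scenario())
```

The point a practitioner should take from this is that nothing stops Alice from handing her reference to Bob, exactly as the Flux paper says, but the issuer never gave Alice the underlying FileCap, so the issuer's policy (here, revocation) still governs everything Alice propagated.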