[cap-talk] Access Propagation Myth (was: "Access Propagation Fear")
Jed Donnelley
capability at webstart.com
Fri Mar 21 12:19:49 EDT 2008
At 05:06 PM 3/20/2008, Karp, Alan H wrote:
>Jed wrote:
> >
> > What about the "Access Propagation Fear"? That was the
> > terminology used above. Why not? Alternatives?
>
>I've been calling this the loss of control myth.
Hmmm. Your use of the "myth" term got me to look back at
the Capability Myths Demolished paper:
http://srl.cs.jhu.edu/pubs/SRL2003-02.pdf
There they call it the "Confinement Myth".
Using the term "myth" seems fine to me. However comparing:
1. Loss of Control Myth,
2. Confinement Myth, and
3. Access Propagation Myth
I prefer #3. I don't like #1 so well because it seems
so generic. Loss of control how? It doesn't seem to
focus on what most people seem to feel is the issue
with capability systems - namely that if A has a capability
then A can send it to B. "Loose capabilities".
Using the "confinement" term in #2 for me brings to mind
efforts to limit flow of information as with Lampson's
"A Note on the Confinement Problem". While one does need
to limit information flow to effectively limit access
propagation via proxy (capability system or no):
http://www.erights.org/elib/capability/conspire.html
(Toby's and Duncan's mechanism notwithstanding)
to me that focuses attention in the wrong area - not the
area that people are really concerned with (propagation of
access to objects) - and doesn't put the best foot forward
for capability systems, suggesting as it does that a "hard"
problem (confinement - bringing to mind covert channels
and the like) must be solved in order to effectively deal
with access control (which I think most people feel is
a relatively straightforward problem).
So, here is my statement of this "myth":
The "Access Propagation Myth" regarding capability systems
is the myth that capability systems are unable to provide
mechanisms to support policies that limit/manage the
propagation of object access in communication from one
process to another. In fact in capability systems any
process may be limited to as many or as few channels as
needed (POLA) for propagation of access, and any desired
policy can be enforced (POLA) in such access propagation
channels.
What do people think of the above?
--Jed http://www.webstart.com/jed-signature.html
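The claim in the last paragraph of the post (that a process can be limited to as many or as few propagation channels as needed, and that any desired policy can be enforced in those channels) is easy to see in a toy object-capability model. What follows is an added example, not code from this post or from anyone on cap-talk; every name in it (Capability, Resource, ReadOnlyFacet, make_revocable, Channel, the three policies, blocked, demo) is hypothetical and the "launch codes" resource is a constructed sample. It also shows the limit the post itself flags via the conspire page: the channel policy decides which capabilities cross, not whether A volunteers to act as B's proxy over plain data, which is the information-flow problem rather than the access-propagation one.

```python
# Added example, not code from the cap-talk post: a toy object-capability model
# where a reference to an object is the capability to use it and the only way
# one party can hand a reference to another is a Channel whose policy was fixed
# by whoever set the channel up. All class and function names are hypothetical.

class Capability:
    """Marker base: holding a reference to an instance is the authority."""

class Resource(Capability):
    def __init__(self, contents):
        self._contents = contents
    def read(self):
        return self._contents
    def write(self, value):
        self._contents = value

class ReadOnlyFacet(Capability):
    """Attenuation: exposes read() only, so the holder can never write."""
    def __init__(self, target):
        self._target = target
    def read(self):
        return self._target.read()

def make_revocable(target):
    """Caretaker: forwarder for the recipient, separate revoke() for the grantor."""
    box = {"target": target}
    class Forwarder(Capability):
        def _live(self):
            if box["target"] is None:
                raise PermissionError("capability revoked")
            return box["target"]
        def read(self):
            return self._live().read()
        def write(self, value):
            self._live().write(value)
    return Forwarder(), lambda: box.update(target=None)

class Channel:
    """The one path from sender to receiver. `policy` sees each capability
    before it crosses and returns what the receiver gets (None = refuse)."""
    def __init__(self, policy):
        self._policy, self._inbox = policy, []
    def send(self, payload):
        if isinstance(payload, Capability):
            payload = self._policy(payload)
            if payload is None:
                raise PermissionError("policy refuses to propagate capability")
        self._inbox.append(payload)      # plain data passes uninspected
    def receive(self):
        return self._inbox.pop(0)

# Policies the channel's creator might choose: refuse every capability,
# attenuate to read-only, or wrap each one in a revocable forwarder.
data_only = lambda cap: None
read_only = lambda cap: ReadOnlyFacet(cap)

def revocable_policy():
    revokers = []
    def policy(cap):
        fwd, revoke = make_revocable(cap)
        revokers.append(revoke)
        return fwd
    return policy, lambda: [r() for r in revokers]

def blocked(action):
    try:
        action()
    except PermissionError:
        return True
    return False

def demo():
    secret = Resource("launch codes")   # constructed sample object
    out = {}
    # 1. Data-only channel: A can tell B about the object but not hand it over.
    ch = Channel(data_only)
    ch.send("the document exists")
    out["data_only_blocked"] = blocked(lambda: ch.send(secret))
    out["data_only_message"] = ch.receive()
    # 2. Limit the post notes: no policy stops A choosing to proxy for B and
    #    relaying the object's contents as plain data.
    ch.send(secret.read())
    out["proxied_via_data"] = ch.receive()
    # 3. Attenuating channel: B receives read authority only.
    ch = Channel(read_only)
    ch.send(secret)
    facet = ch.receive()
    out["readonly_read"] = facet.read()
    out["readonly_has_write"] = hasattr(facet, "write")
    # 4. Revocable channel: its creator can later cut everything that crossed.
    policy, revoke_all = revocable_policy()
    ch = Channel(policy)
    ch.send(secret)
    fwd = ch.receive()
    out["revocable_before"] = fwd.read()
    fwd.write("changed")                # full authority until revoked
    revoke_all()
    out["revocable_after_blocked"] = blocked(fwd.read)
    out["original_still_works"] = secret.read()
    return out
```

Calling demo() runs A-to-B propagation through each channel in turn and returns what B ended up holding. The revoke closure never travels over the channel, so B cannot revoke or restore its own grant; keeping that closure with the channel's creator is what makes the policy the creator's rather than the recipient's. Step 2 is the part no channel policy can close: once A holds the authority and a data path to B, A can exercise it on B's behalf, which is exactly why the post separates access propagation from Lampson-style confinement.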