[cap-talk] Access Propagation Myth (was: "Access Propagation Fear")

Karp, Alan H alan.karp at hp.com
Fri Mar 21 12:33:43 EDT 2008


Jed wrote:
> > >
> > > What about the "Access Propagation Fear"?  That was the
> > > terminology used above.  Why not?  Alternatives?
> >
> >I've been calling this the loss of control myth.
>
I use that term because ACL people always ask "But haven't you lost control?" when they hear about easy delegation.  My answer is "It's control you only thought you had," and I go on to ask what they do about credential sharing and proxying.  That makes the point that the myth was that they had any control the way they've been doing things.  So, "myth" refers to "control", not "loss of".  That doesn't make it a good phrase, but I thought I'd explain.
>
> The "Access Propagation Myth" regarding capability systems
> is the myth that capability systems are unable to provide
> mechanisms to support policies that limit/manage the
> propagation of object access in communication from one
> process to another.  In fact in capability systems any
> process may be limited to as many or as few channels as
> needed (POLA) for propagation of access, and any desired
> policy can be enforced (POLA) in such access propagation
> channels.
>
The first sentence is fine except for the terms "object access" and "process".  I'd replace them with "rights" and "entity", although I'd like a better word for the latter.  I don't think you need the second sentence in the definition.  The use of the word "myth" suffices.

________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
http://www.hpl.hp.com/personal/Alan_Karp



> -----Original Message-----
> From: cap-talk-bounces at mail.eros-os.org
> [mailto:cap-talk-bounces at mail.eros-os.org] On Behalf Of Jed Donnelley
> Sent: Friday, March 21, 2008 9:20 AM
> To: General discussions concerning capability systems.
> Subject: [cap-talk] Access Propagation Myth (was: "Access
> Propagation Fear")
>
> At 05:06 PM 3/20/2008, Karp, Alan H wrote:
> >Jed wrote:
> > >
> > > What about the "Access Propagation Fear"?  That was the
> > > terminology used above.  Why not?  Alternatives?
> >
> >I've been calling this the loss of control myth.
>
> Hmmm.  Your use of the "myth" term got me to look back at
> the Capability Myths Demolished paper:
>
> http://srl.cs.jhu.edu/pubs/SRL2003-02.pdf
>
> There they call it the "Confinement Myth".
>
> Using the term "myth" seems fine to me.  However comparing:
>
> 1.  Loss of Control Myth,
>
> 2.  Confinement Myth, and
>
> 3.  Access Propagation Myth
>
> I prefer #3.  I don't like #1 so well because it seems
> so generic.  Loss of control how?  It doesn't seem to
> focus on what most people seem to feel is the issue
> with capability systems - namely that if A has a capability
> then A can send it to B.  "Loose capabilities".
>
> Using the "confinement" term in #2 for me brings to mind
> efforts to limit flow of information as with Lampson's
> "A Note on the Confinement Problem".  While one does need
> to limit information flow to effectively limit access
> propagation via proxy (capability system or no):
>
> http://www.erights.org/elib/capability/conspire.html
> (Toby's and Duncan's mechanism notwithstanding)
>
> to me that focuses attention in the wrong area - not the
> area that people are really concerned with (propagation of
> access to objects) - and doesn't put the best foot forward
> for capability systems, suggesting as it does that a "hard"
> problem (confinement - bringing to mind covert channels
> and the like) must be solved in order to effectively deal
> with access control (which I think most people feel is
> a relatively straightforward problem).
>
> So, here is my statement of this "myth":
>
> The "Access Propagation Myth" regarding capability systems
> is the myth that capability systems are unable to provide
> mechanisms to support policies that limit/manage the
> propagation of object access in communication from one
> process to another.  In fact in capability systems any
> process may be limited to as many or as few channels as
> needed (POLA) for propagation of access, and any desired
> policy can be enforced (POLA) in such access propagation
> channels.
>
> What do people think of the above?
>
> --Jed  http://www.webstart.com/jed-signature.html
>
> _______________________________________________
> cap-talk mailing list
> cap-talk at mail.eros-os.org
> http://www.eros-os.org/mailman/listinfo/cap-talk
>
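Jed's definition above claims that a capability system can confine an entity to exactly the propagation channels it needs and enforce a policy on each one. The following is an added illustration of that claim, not code from the thread or from either author: a toy object-capability model in which the only channel from A to B is a membrane that replaces every capability crossing it with a revocable forwarder and refuses objects the policy forbids. All class and file names here are constructed for the example.

```python
from typing import Any, Callable


class FileCap:
    """A capability: an unforgeable reference whose methods are the authority."""

    def __init__(self, name: str, contents: str) -> None:
        self.name, self.contents = name, contents

    def read(self) -> str:
        return self.contents


class Membrane:
    """The single access-propagation channel from one entity to another.

    Nothing crosses unwrapped: the receiver only ever holds a forwarder, so the
    sender's policy is checked on every crossing and the whole channel can be
    revoked later.  (This governs propagation of *capabilities*; it does not stop
    the sender from reading data and proxying it by hand, which is the separate
    confinement problem the thread mentions.)
    """

    def __init__(self, allow: Callable[[Any], bool]) -> None:
        self.allow = allow
        self.revoked = False

    def send(self, obj: FileCap):
        if not self.allow(obj):
            raise PermissionError(f"policy forbids propagating {obj.name}")
        membrane = self

        class Forwarder:  # attenuated, revocable stand-in for obj
            def read(self) -> str:
                if membrane.revoked:
                    raise PermissionError("channel revoked")
                return obj.read()

        return Forwarder()

    def revoke(self) -> None:
        self.revoked = True


def demo() -> tuple:
    """A may pass non-secret files to B; returns (B's read, leaked?, readable after revoke?)."""
    secret, public = FileCap("secret.txt", "top secret"), FileCap("readme.txt", "hello")
    channel = Membrane(allow=lambda o: not o.name.startswith("secret"))
    b_cap = channel.send(public)
    got = b_cap.read()
    try:
        channel.send(secret)
        leaked = True
    except PermissionError:
        leaked = False
    channel.revoke()
    try:
        b_cap.read()
        still_readable = True
    except PermissionError:
        still_readable = False
    return got, leaked, still_readable
```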


