[cap-talk] Announcing "Analysing Object-Capability Security" Paper and Authodox v. 0.2.0

David Wagner daw at cs.berkeley.edu
Fri May 30 17:59:13 CDT 2008


Neal Walfield writes:
>I wonder if something akin to what HiStar [1] does wouldn't be a step
>in this direction?  In HiStar, data is tagged with labels.  A label's
>owner may untaint data with a particular label thereby allowing it to
>flow from more to less tainted objects in a given category.  The
>result is that one can write a server that handles multiple clients'
>data but, which is unable to leak data from one client to another.

I'll chime in with my standard caveat about confidentiality and
information flow: "unable" has to be taken modulo covert channels.
In other words, in your example the server cannot leak data from one
client to another through overt channels, but it may be able to leak data
through covert channels.  I'd argue that it's generally not feasible to
eliminate all covert channels, at least in conventional systems [1].

This means that we can't actually guarantee that the server is unable
to leak data from one client to another, since covert channels probably
provide a way for the server to violate our intended security policy
and leak data from one client to another, if it wants to.


[1] e.g., in any system that statistically multiplexes access to shared
resources (such as the CPU).  Most general-purpose operating systems,
including HiStar, fall into this category.

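Added illustration, not part of Wagner's post and not HiStar code: a small Python model of the channel he points to. Two processes share one CPU under a round-robin scheduler; the "server" (tainted with client A's data, forbidden by its label from writing to anything client B can read) sends a bit by either busy-looping or sleeping for a slot, and an "observer" acting for client B recovers the bit by counting how many scheduler ticks it received. No object is ever written, so the labels are never violated, yet the secret crosses. The task names, slot length, noise level and the scheduler itself are assumptions made for the model.

```python
"""Model of a CPU-contention covert channel (added example; not from the
post or from HiStar).

Assumed setup, all constructed for the model:
  - "server"   holds client A's secret and may not write it to any object
               client B can read, so there is no overt channel.
  - "observer" runs for client B and only counts the scheduler ticks it gets.
  - "other"    is unrelated background load that appears at random (noise).
  - the scheduler is round-robin over whatever is runnable on each tick.
"""
import random

SLOT_TICKS = 128        # scheduler ticks per transmitted bit (model units)
PREAMBLE = [1, 0]       # bits the observer uses to calibrate its threshold


def text_to_bits(s):
    """MSB-first bits of the UTF-8 encoding of s."""
    return [(b >> i) & 1 for b in s.encode() for i in range(7, -1, -1)]


def bits_to_text(bits):
    """Inverse of text_to_bits; trailing partial bytes are dropped."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        byte = 0
        for bit in bits[i:i + 8]:
            byte = (byte << 1) | bit
        out.append(byte)
    return out.decode(errors="replace")


def run_channel(bits, noise_prob=0.2, seed=1):
    """Simulate the slots; return the observer's tick count for each bit.

    To send 1 the server stays runnable (busy-loops) for the whole slot; to
    send 0 it sleeps.  Nothing is written anywhere: the only effect on the
    observer is how often the scheduler picks it.
    """
    rng = random.Random(seed)                 # seeded: reproducible model
    order = ["observer", "server", "other"]   # round-robin rotation
    counts = []
    for bit in bits:
        got = 0
        for _ in range(SLOT_TICKS):
            runnable = {"observer"}
            if bit:
                runnable.add("server")
            if rng.random() < noise_prob:
                runnable.add("other")
            # First runnable task in rotation order gets the tick and then
            # moves to the back of the rotation.
            for i, task in enumerate(order):
                if task in runnable:
                    order.append(order.pop(i))
                    if task == "observer":
                        got += 1
                    break
        counts.append(got)
    return counts


def decode(counts):
    """Observer side: the two preamble slots give the 'busy' and 'idle'
    levels; a later slot below the midpoint means the server was busy (1)."""
    one_level, zero_level = counts[0], counts[1]
    threshold = (one_level + zero_level) / 2
    return [1 if c < threshold else 0 for c in counts[len(PREAMBLE):]]


def leak(secret, noise_prob=0.2, seed=1):
    """End to end: server encodes the secret as CPU load, observer recovers
    it from nothing but its own tick counts."""
    counts = run_channel(PREAMBLE + text_to_bits(secret), noise_prob, seed)
    return bits_to_text(decode(counts))


if __name__ == "__main__":
    secret = "clientA:4242"          # constructed sample secret
    print("recovered:", leak(secret))
```

Raising noise_prob or shrinking SLOT_TICKS degrades the channel but does not close it; the sender can always trade bandwidth for reliability with longer slots or an error-correcting code, which is the practical reason the footnote treats the channel as something to bound rather than eliminate.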