[cap-talk] Announcing "Analysing Object-Capability Security" Paper and Authodox v. 0.2.0

Neal H. Walfield neal at walfield.org
Sat May 31 03:38:49 CDT 2008


At Fri, 30 May 2008 15:59:13 -0700 (PDT),
David Wagner wrote:
> 
> Neal Walfield writes:
> >I wonder if something akin to what HiStar [1] does wouldn't be a step
> >in this direction?  In HiStar, data is tagged with labels.  A label's
> >owner may untaint data with a particular label thereby allowing it to
> >flow from more to less tainted objects in a given category.  The
> >result is that one can write a server that handles multiple clients'
> >data but which is unable to leak data from one client to another.
> 
> I'll chime in with my standard caveat about confidentiality and
> information flow: "unable" has to be taken modulo covert channels.
> In other words, in your example the server cannot leak data from one
> client to another through overt channels, but it may be able to leak data
> through covert channels.  I'd argue that it's generally not feasible to
> eliminate all covert channels, at least in conventional systems [1].
> 
> This means that we can't actually guarantee that the server is unable
> to leak data from one client to another, since covert channels probably
> provide a way for the server to violate our intended security policy
> and leak data from one client to another, if it wants to.

Point taken.  I didn't mean to imply something else, I was simply
sloppy.  Sorry for the confusion.

Neal
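The exchange above, worked through as an added example (not code from this thread and not HiStar's own implementation): a constructed toy of HiStar-style labels, where a label maps categories to taint levels (0..3, default 1), a flow from src to dst is allowed only when no category's level drops, and a thread that owns a category may ignore it (the "untaint" privilege). The server handles two clients, is blocked from overtly copying A's data into B's object, and the owner of category a can declassify. The last function is the covert-channel caveat: a shared counter that labels never govern lets the tainted server signal bits to B anyway. All names (`Label`, `Obj`, `Thread`, `QUOTA`) and the sample data are assumptions of this example.

```python
"""Toy HiStar-style DIFC labels (constructed model, not HiStar's code)."""
from dataclasses import dataclass, field

DEFAULT_LEVEL = 1  # categories not mentioned in a label sit at this level


@dataclass
class Label:
    levels: dict = field(default_factory=dict)  # category -> taint level 0..3

    def level(self, cat):
        return self.levels.get(cat, DEFAULT_LEVEL)

    def join(self, other):
        """Least upper bound: per-category max (used when a thread observes data)."""
        cats = set(self.levels) | set(other.levels)
        return Label({c: max(self.level(c), other.level(c)) for c in cats})


def can_flow(src, dst, owned=frozenset()):
    """src may flow to dst iff no category's level would drop, ignoring
    categories the acting thread owns (HiStar's untaint privilege)."""
    cats = set(src.levels) | set(dst.levels)
    return all(src.level(c) <= dst.level(c) for c in cats if c not in owned)


@dataclass
class Obj:
    name: str
    label: Label
    data: bytes = b""


@dataclass
class Thread:
    label: Label
    owned: frozenset = frozenset()

    def read(self, obj):
        # Observing tainted data raises the thread's own label (taint tracking).
        self.label = self.label.join(obj.label)
        return obj.data

    def write(self, obj, data):
        # Overt channel: the label check governs every write to a labeled object.
        if not can_flow(self.label, obj.label, self.owned):
            raise PermissionError(f"{obj.name}: write would leak tainted data")
        obj.data = data


def serve_two_clients():
    """Server reads A's secret; it may answer A but cannot write into B's object."""
    a_secret = Obj("A/secret", Label({"a": 3}), b"hunter2")  # constructed sample
    a_reply = Obj("A/reply", Label({"a": 3}))
    b_reply = Obj("B/reply", Label({"b": 3}))
    server = Thread(Label())
    data = server.read(a_secret)          # server is now tainted {a: 3}
    server.write(a_reply, data.upper())   # {a:3} -> {a:3}: allowed
    try:
        server.write(b_reply, data)       # {a:3} -> {b:3}: a would drop 3 -> 1, denied
        leaked = True
    except PermissionError:
        leaked = False
    return leaked, a_reply.data, b_reply.data


def owner_declassifies():
    """The owner of category a may untaint: it can write a-tainted data to a public object."""
    a_secret = Obj("A/secret", Label({"a": 3}), b"hunter2")
    public = Obj("public", Label())
    a_thread = Thread(Label(), owned=frozenset({"a"}))
    secret = a_thread.read(a_secret)
    a_thread.write(public, b"len=%d" % len(secret))  # allowed because a is owned
    return public.data


# Shared, unlabeled system resource (constructed): the label check never sees it.
QUOTA = {"free_handles": 8}


def covert_leak(secret_bits):
    """The a-tainted server never calls write(), yet signals each bit of A's
    secret to B by whether it consumes a shared resource. Stands in for the
    resource and timing channels the thread calls 'covert channels'."""
    server = Thread(Label({"a": 3}))   # tainted with A's category
    observed_by_b = []
    for bit in secret_bits:
        QUOTA["free_handles"] = 8
        if bit:
            QUOTA["free_handles"] -= 1          # server "allocates" when bit is 1
        observed_by_b.append(1 if QUOTA["free_handles"] < 8 else 0)  # B polls the counter
    assert server.label.level("a") == 3        # still tainted; no label rule was broken
    return observed_by_b
```

The point of the last function is Wagner's: the label lattice makes `serve_two_clients` provably unable to leak through `write`, but any state both clients can observe that labels do not cover (here a counter; in a real system, timing, memory pressure, disk space) is a channel the policy cannot close.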
