[cap-talk] Confused Deputies in Capability Systems - not

Marcus Brinkmann marcus.brinkmann at ruhr-uni-bochum.de
Thu Feb 26 11:46:41 EST 2009


Sam Mason wrote:
> On Thu, Feb 26, 2009 at 10:28:46AM +0000, David-Sarah Hopwood wrote:
>> Sam Mason wrote:
>>> I've since realized that it's far more
>>> complicated than this and it should be checking that the source file was
>>> readable by the submitting user and the output is going somewhere that's
>>> writable to the submitting user.
>> Even that wouldn't be sufficient:
>>
>>  - the compiler may not be authorized to know the information that
>>    would allow it to perform a correct access check.
>>  - performing access checks at user level introduces race conditions.
>>  - what if the client is itself a deputy? In that case the compiler's
>>    check that the client has the necessary permission would succeed,
>>    even though the access should be denied unless the client's client
>>    also had that permission. Even if (unrealistically) we assume that
>>    the compiler were trusted to perform system-level access checks,
>>    its client certainly will not be.

These are nice theoretical problems, but the purpose of real world examples is
to limit the requirements, not to expand them without bounds.

> Of those I'd only considered the race condition.  There were a couple
> of other cases that I can't remember now, hence why I said "there are
> others".
>
> I'm left wondering how anyone has got anything done with any level
> of robustness under IBAC.

Because in real world applications, requirements can often be reduced to a
manageable size.

> It all sort of seems to hang together for
> what's turned out to be the common case on most PCs, but it all seems so
> fragile and even on PCs that's changing fast.  For most server/service
> orientated workloads operating system level IBAC just seems to get in
> the way more often than it helps.  Or am I missing something? Or am I
> just starting to understand the cap-talk community's disbelief that
> IBAC is so popular?

Well, one point you may be missing is that in the real world, 100% correct
behavior is not really all that important.  In fact, it is almost never
defined what that even means.  Instead, people work goal-oriented, and don't
care too much about what could have happened instead if things had been
different.  Unless of course disaster strikes.

Thanks,
Marcus
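The chained-deputy point in the quoted text above (a compiler that checks its immediate caller's rights passes when that caller is itself a deputy, even though the original requester has no right to the output file), modelled as an added example that is not from the thread. The principals, paths and ACL entries are constructed; the capability half shows the alternative where authority travels with the request instead of being re-derived from identity.

```python
# Added example (not from the cap-talk thread): in-memory model of a deputy
# chain  requester -> build service -> compiler  under two designs.
# All principals, paths, rights and file contents below are constructed.

ACL = {  # path -> {principal: set(rights)}
    "/home/alice/prog.c":   {"alice": {"read"}, "build-service": {"read"}},
    "/home/alice/prog.out": {"alice": {"write"}},
    "/etc/billing":         {"build-service": {"write"}},  # alice: no rights
}
DISK = {"/home/alice/prog.c": "int main(){}", "/etc/billing": "ok"}

def can(principal, right, path):
    return right in ACL.get(path, {}).get(principal, set())

# --- Identity-based (IBAC) deputy: checks its *immediate* caller's rights,
#     then performs the write with its own, unrestricted authority.
def compiler_ibac(caller, src, out):
    if not (can(caller, "read", src) and can(caller, "write", out)):
        raise PermissionError(f"{caller} lacks rights on {src} or {out}")
    DISK[out] = f"compiled({DISK[src]})"
    return DISK[out]

def build_service_ibac(requester, src, out):
    # The build service is itself a deputy. The compiler only ever sees
    # "build-service" as the caller, so the requester's rights are never
    # consulted: the check succeeds even when the requester has none.
    return compiler_ibac("build-service", src, out)

# --- Capability-style deputy: the requester opens what it is allowed to,
#     and the resulting capabilities are forwarded unchanged down the chain.
class FileCap:
    def __init__(self, path, right):
        self.path, self.right = path, right

def open_cap(principal, path, right):
    # The one access check, made where the authority originates.
    if not can(principal, right, path):
        raise PermissionError(f"{principal} cannot {right} {path}")
    return FileCap(path, right)

def compiler_cap(src_cap, out_cap):
    # No ACL lookup and no identity: the compiler can only touch what it was handed.
    if src_cap.right != "read" or out_cap.right != "write":
        raise PermissionError("capabilities do not carry the needed rights")
    DISK[out_cap.path] = f"compiled({DISK[src_cap.path]})"
    return DISK[out_cap.path]

def build_service_cap(requester, src, out):
    # Forwards only what the requester could open; it never substitutes its own authority.
    return compiler_cap(open_cap(requester, src, "read"),
                        open_cap(requester, out, "write"))
```

In the capability half the compiler never needs to know the ACL at all, which also removes the user-level check race the quoted text mentions: the single check happens once, where the capability is created, not again at use time.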