[cap-talk] Chains of delegation in IBAC vs capability systems (was: Confused Deputies in Capability Systems - not)
David-Sarah Hopwood
david.hopwood at industrial-designers.co.uk
Sat Feb 28 11:22:57 EST 2009
Marcus Brinkmann wrote:
> Bill Frantz wrote:
>> marcus.brinkmann at ruhr-uni-bochum.de (Marcus Brinkmann) on Thursday, February 26, 2009 wrote:
>>
>>> Instead, in a Unix implementation the compiler should use the suid/sgid mechanism
>>> and access() to check user-supplied filenames. That is a robust mechanism to
>>> solve this problem that is provided by the operating system exactly for this
>>> use case.
>>
>> Does this technique work in David-Sarah's example, where the client is
>> itself a deputy? Quoting:
>>
>>> - what if the client is itself a deputy? In that case the compiler's
>>> check that the client has the necessary permission would succeed,
>>> even though the access should be denied unless the client's client
>>> also had that permission. Even if (unrealistically) we assume that
>>> the compiler were trusted to perform system-level access checks,
>>> its client certainly will not be.
>
> No, but that has nothing to do with the compiler billing example as stated.
Capability systems do solve the general problem involving arbitrary chains
of delegation, with no increase in incidental complexity. As Bill points
out, this is a common real-world situation; especially when protection
domains are fine-grained. So it is certainly reasonable to ask how
well IBAC systems handle the more general problem, and to criticise them
if they can't, or can do so only at much greater complexity cost or
under unrealistic assumptions.
--
David-Sarah Hopwood ⚥
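To make the chain-of-delegation point concrete, here is an added example (not code from this thread or from any of the posters) that models both designs in memory. Model 1 is the suid/access() approach from the quoted text: a setuid-style compiler checks whether its immediate caller may read the named file. Model 2 is a capability design where the file reference itself carries the authority. The users (alice, bob, builder), the paths, the ACL and the file contents are all constructed for the example; nothing touches the real filesystem or real setuid binaries.

```python
"""Toy model of the chain-of-delegation problem discussed in this thread.

Added example, not code from any list posting. Users, files, the ACL and
the access()-style check are constructed in memory only.
"""
from dataclasses import dataclass, field

# ---- Model 1: identity-based access control with ambient authority ----------

# Constructed ACL: which user may read which file. The build service runs as
# the user 'builder' and legitimately holds a private key of its own.
ACL = {
    "/home/alice/prog.c": {"alice"},
    "/home/bob/prog.c": {"bob"},
    "/srv/build/private-key": {"builder"},
}


def access(user: str, path: str) -> bool:
    """Simulated access(2): is `user` allowed to read `path`?"""
    return user in ACL.get(path, set())


def compiler_ibac(caller: str, path: str) -> str:
    """Setuid-style compiler: it can read any file, so it checks that its
    *immediate* caller may read the user-supplied filename before doing so."""
    if not access(caller, path):
        return "denied"
    return f"compiled {path}"


def build_service_ibac(client: str, path: str) -> str:
    """A second deputy in the chain. It runs as 'builder' and forwards the
    client's request to the compiler. The compiler only sees the uid of the
    process calling it, so `client` never reaches the check. Closing the hole
    would require every intermediate deputy to be trusted to perform its own
    system-level access check on behalf of its own client."""
    del client  # the identity the check would need is lost at this hop
    return compiler_ibac("builder", path)


# ---- Model 2: capabilities, where designation carries authority -------------

@dataclass(frozen=True)
class FileCap:
    """An unforgeable reference to a file. A real capability system enforces
    unforgeability at runtime; this class only models it."""
    path: str
    contents: str = field(repr=False)

    def read(self) -> str:
        return self.contents


# Constructed file store and initial holdings: each user starts out with
# references only to the files it is entitled to read.
_FILES = {
    "/home/alice/prog.c": "int main(void) { return 0; }",
    "/home/bob/prog.c": "int main(void) { return 1; }",
    "/srv/build/private-key": "-----BEGIN KEY----- (constructed)",
}
_HOLDINGS = {
    "alice": ["/home/alice/prog.c"],
    "bob": ["/home/bob/prog.c"],
    "builder": ["/srv/build/private-key"],
}


def caps_for(user: str) -> dict[str, FileCap]:
    """The capabilities `user` holds at the start (constructed)."""
    return {p: FileCap(p, _FILES[p]) for p in _HOLDINGS.get(user, [])}


def compiler_cap(src: FileCap) -> str:
    """Capability compiler: no identity check at all. Whoever could hand it
    a FileCap was, by construction, entitled to read that file."""
    src.read()  # authority to read is intrinsic to the reference
    return f"compiled {src.path}"


def build_service_cap(src: FileCap) -> str:
    """The intermediate deputy just passes the capability along; chains of
    any length work without the deputy re-checking anything."""
    return compiler_cap(src)


def request_build_cap(client_caps: dict[str, FileCap], path: str) -> str:
    """A client can only designate files it holds a capability for, so a
    request for a file it may not read cannot even be expressed."""
    cap = client_caps.get(path)
    if cap is None:
        return "no capability"
    return build_service_cap(cap)
```

In Model 1 a direct call by bob for the build service's private key is correctly refused, but the same request routed through the build service is accepted, because the compiler checks the service's identity rather than the originating client's. In Model 2 the same chain is safe with no extra complexity: bob holds no reference to the key, so there is nothing he can pass down the chain.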