[cap-talk] What sustained interest in capabilities
David-Sarah Hopwood
david.hopwood at industrial-designers.co.uk
Wed Jan 7 00:28:47 EST 2009
Mitsu Hadeishi wrote:
> On Dec 29, 2008, at 6:07 PM, Charles Landau wrote:
>
>> It sounds like you are saying "security is impossible, so let's not
>> bother trying." The goal is to not add any insecurity to whatever
>> layer we're starting with.
>
> Not at all, precisely the opposite. My point is all systems are
> essentially layers on top of an insecure foundation, so simply saying
> that something is a layer isn't in itself a valid critique.
That wasn't the critique. The argument was that the underlying layer
was likely to be too complex and to introduce security weaknesses, if
it is based on ACLs.
> One has to look at the layer itself.
>
>> You said you "wrap an external ACL-based service in a capability."
>> If I understand your approach, the service can then be accessed using the
>> capability, but you do not take away the ability of other programs to
>> access the service via its ACL-based interface. After all, if your
>> wrapper is able to access the underlying ACL-based interface,
>> presumably others can too.
>
> No, other programs can't access the service via the ACL-based
> interface unless they breach the security layer. That is to say, in
> the systems we're discussing, the only public interface is the
> security layer. However, systems "inside" the layer (i.e., behind the
> firewall, etc.) can of course access the systems via pre-existing ACL-
> based authentication schemes.
That is *precisely* the kind of thinking that leads to security flaws.
To paraphrase:
"No other program can bypass the capability layer. Oh, except when
the program is behind the firewall, but that doesn't count."
A program "behind the firewall" might be any random email virus. This
makes the security entirely dependent on the firewall, which clearly
can't be an effective long-term solution. Basing access checks on
location of the requestor within a network creates unavoidable
security weaknesses.
Even if it is not practical to change all systems behind an existing
firewall boundary to capability systems, it may be possible to do that
for the most critical systems. If those were top-to-bottom systems, then
breaching the firewall would not by itself help an attacker to break
those systems, because the attacker would have no authority to access
them.
> The disconnect here I believe is coming from a different conception of
> the environment software is running in. The systems I've been working
> with recently have been designed in the world of software-as-a-service
> or SOA style designs. What you're referring to are ordinary programs
> running inside an ordinary OS.
I don't see anything in my or Charles Landau's arguments that is dependent
on that.
--
David-Sarah Hopwood ⚥
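The contrast the message draws, an access check keyed on where the requester sits in the network versus authority that exists only as an unforgeable reference, can be modelled in a few dozen lines. The following is an added illustration, not code from the cap-talk thread or from any system its participants describe. The service classes, the `10.0.0.0/8` "inside the firewall" range, the `payroll` record and the `Capability` class are all constructed for the example.

```python
"""Added example, not from the cap-talk thread: a location-based ACL check
contrasted with a capability wrapper. All names and the 10.0.0.0/8 range are
constructed for illustration."""
import ipaddress

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # constructed "behind the firewall" range


class LegacyAclService:
    """Service whose only access check is 'is the requester on the internal network?'."""

    def __init__(self):
        self.records = {"payroll": "CONFIDENTIAL"}

    def _check(self, source_ip):
        if ipaddress.ip_address(source_ip) not in INTERNAL_NET:
            raise PermissionError("outside firewall")

    def read(self, source_ip, key):
        self._check(source_ip)
        return self.records[key]

    def write(self, source_ip, key, value):
        self._check(source_ip)
        self.records[key] = value


def location_based_outcome():
    """Every process inside the perimeter holds full authority, intended or not."""
    svc = LegacyAclService()
    outside = "denied"
    try:
        svc.read("203.0.113.5", "payroll")  # documentation-range address: outside
    except PermissionError:
        pass
    else:
        outside = "granted"
    app_sees = svc.read("10.1.2.3", "payroll")    # the intended internal client
    worm_sees = svc.read("10.9.9.9", "payroll")   # an email worm on a compromised desktop
    svc.write("10.9.9.9", "payroll", "TAMPERED")  # ...which can also write
    return outside, app_sees, worm_sees, svc.records["payroll"]


class Capability:
    """A reference to a bounded set of operations. Authority comes from
    holding the object, not from where the call originates."""

    def __init__(self, ops):
        self._ops = dict(ops)

    def invoke(self, op, *args):
        fn = self._ops.get(op)
        if fn is None:
            raise PermissionError(f"capability does not include {op!r}")
        return fn(*args)

    def attenuate(self, *allowed):
        """Derive a weaker capability (e.g. read-only) from one already held."""
        return Capability({op: fn for op, fn in self._ops.items() if op in allowed})


def wrap_in_capability(initial_records):
    """Put the store behind closures so the only path to it is the returned
    capability. Nothing here consults the caller's network address."""
    store = dict(initial_records)

    def read(key):
        return store[key]

    def write(key, value):
        store[key] = value

    return Capability({"read": read, "write": write})


def capability_based_outcome():
    """Authority is held by reference; an internal process without the reference has none."""
    full = wrap_in_capability({"payroll": "CONFIDENTIAL"})
    read_only = full.attenuate("read")  # what a reporting job is actually handed
    attempted_write = "denied"
    try:
        read_only.invoke("write", "payroll", "TAMPERED")
    except PermissionError:
        pass
    else:
        attempted_write = "granted"
    # A process on 10.9.9.9 that was never given `full` or `read_only` has no
    # name for `store`; being "behind the firewall" gives it nothing to invoke.
    return read_only.invoke("read", "payroll"), attempted_write


if __name__ == "__main__":
    print("location-based:", location_based_outcome())
    print("capability-based:", capability_based_outcome())
```

Two points the model makes concrete. First, in `LegacyAclService` the legitimate client and the worm are indistinguishable, which is exactly the "breaching the firewall is enough" weakness described above. Second, `wrap_in_capability` only helps if the raw store is reachable through nothing but the returned capability; if the underlying ACL interface stayed open to anything on the internal network, the wrapper would add no security, which is Charles Landau's earlier objection. Python closures are a structural model, not an enforcement boundary (introspection can reach closure cells), so a real deployment needs a language or OS that actually makes references unforgeable.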