[cap-talk] What sustained interest in capabilities
Sandro Magi
naasking at higherlogics.com
Wed Jan 7 13:24:54 EST 2009
David-Sarah Hopwood wrote:
> Mitsu Hadeishi wrote:
>> No, other programs can't access the service via the ACL-based
>> interface unless they breach the security layer. That is to say, in
>> the systems we're discussing, the only public interface is the
>> security layer. However, systems "inside" the layer (i.e., behind the
>> firewall, etc.) can of course access the systems via pre-existing ACL-
>> based authentication schemes.
>
> That is *precisely* the kind of thinking that leads to security flaws.
> To paraphrase:
>
> "No other program can bypass the capability layer. Oh, except when
> the program is behind the firewall, but that doesn't count."
>
> A program "behind the firewall" might be any random email virus. This
> makes the security entirely dependent on the firewall, which clearly
> can't be an effective long-term solution. Basing access checks on
> location of the requestor within a network creates unavoidable
> security weaknesses.
I think Mitsu is just trying to say that a capability layer can be used
to reduce the complexity of any programs using it, to the point where we
can be confident in the secure operation of that code alone, modulo the
confidence we have in any components that operate outside the layer.
Those components must be more carefully audited, but I think David is
saying that ultimately, such external components will be too complex
and/or vulnerable for any appreciable level of confidence in the
security of the system as a whole.
Still, as a working programmer, the increase in confidence in the code
that does use the capability layer, presumably by a decrease in
complexity, is sufficient incentive for its use.
Sandro
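The contrast the two posts are arguing about can be shown concretely. The Python below is an added illustration, not code from this thread or from any cap-talk project: one service grants access purely by the requester's network location (the "behind the firewall" model), the other is reachable only through an object capability. The trusted network range, the keys and the data values are constructed for the example, and the "worm" functions stand for an unrelated, unaudited program that happens to run on a LAN host.

```python
"""Location-based (ACL/firewall) checks versus object capabilities.

Added illustration; not code from the cap-talk thread. Network range,
keys and data values are constructed for the example.
"""
import ipaddress

SAMPLE_DATA = {"payroll": "salary table", "public": "opening hours"}
TRUSTED_NET = ipaddress.ip_network("10.0.0.0/8")   # constructed "inside the firewall"


class LocationCheckedStore:
    """Model 1: the only check is where the request appears to come from.
    Any code on the trusted network gets the same authority, so the
    service's safety rests entirely on nothing hostile ever running there."""

    def __init__(self, data):
        self._data = dict(data)

    def read(self, key, caller_addr):
        if ipaddress.ip_address(caller_addr) not in TRUSTED_NET:
            raise PermissionError("outside trusted network")
        return self._data[key]


class Store:
    """Model 2: the underlying state. Never exposed on a public interface;
    authority is handed out only as capability objects minted below."""

    def __init__(self, data):
        self._data = dict(data)


def make_reader(store, allowed_keys):
    """Mint an attenuated read capability: an unforgeable reference that can
    read only `allowed_keys`. Whoever holds the closure has the authority,
    regardless of which host or process they run on."""
    allowed = frozenset(allowed_keys)

    def read(key):
        if key not in allowed:
            raise PermissionError(f"capability does not cover {key!r}")
        return store._data[key]

    return read


def try_worm_location_model(service, caller_addr="10.20.30.40"):
    """Unrelated code (the 'random email virus') running on a LAN host.
    It needs no credential: the location check passes and 'payroll' leaks.
    Returns the leaked value, or None if access was denied."""
    try:
        return service.read("payroll", caller_addr)
    except PermissionError:
        return None


def try_worm_capability_model(reader):
    """The same code under the capability model holds only the reference it
    was given (here a reader attenuated to 'public'); there is no ambient
    route to 'payroll'. Returns the leaked value, or None if denied."""
    try:
        return reader("payroll")
    except PermissionError:
        return None


def run_scenarios():
    """Compare the two models against the same hostile code."""
    location_service = LocationCheckedStore(SAMPLE_DATA)
    store = Store(SAMPLE_DATA)
    public_reader = make_reader(store, ["public"])
    payroll_reader = make_reader(store, ["payroll"])
    return {
        "location_model_lan_worm": try_worm_location_model(location_service),
        "location_model_outsider": try_worm_location_model(location_service, "203.0.113.5"),
        "capability_model_worm": try_worm_capability_model(public_reader),
        "capability_model_legit": payroll_reader("payroll"),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {'LEAKED ' + outcome if outcome else 'denied'}")
```

The point of the comparison is where the audit burden lands. With `LocationCheckedStore`, confidence in the service depends on every program that can ever send packets from 10.0.0.0/8, which is the "components outside the layer" Sandro describes and the firewall dependency David objects to. With `make_reader`, the only question is who was handed the closure, and an attenuated reader for `public` gives a caller no route to `payroll` no matter which host it runs on.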