[cap-talk] What sustained interest in capabilities

Mitsu Hadeishi mitsu at syntheticzero.com
Wed Jan 7 22:14:01 EST 2009


On Jan 7, 2009, at 9:56 PM, David-Sarah Hopwood wrote:

> Mitsu Hadeishi wrote:
>>>> All security approaches, whether capability-based or ACL-based, are
>>>> implemented at some layer of abstraction above another, chaotic, and
>>>> highly insecure layer.
>>>
>>> It can be insecure, but it had better not be chaotic.
>>
>> This is incorrect for fundamental reasons.  The layer itself can
>> provide the order needed.
>
> It had better not be chaotic, because chaotic behaviour in the underlying
> physical machine is supposed to already have been abstracted away by the
> digital logic layer (except with negligible failure probability). If it
> hasn't been, then some lower layer has been very badly misdesigned.

The "digital logic layer" IS a layer, is my point.  The underlying
layer (physics) is inherently chaotic.  This is why your argument is
incorrect in principle.  Note: I was a physics major in college so I'm
thinking of things in fundamental (physical, theoretical) terms, not
assuming the von Neumann machine exists a priori.

>> You're missing the point I am trying to make.  Modifying a layer to be
>> more secure is the same thing --- there's still an underlying layer.
>
> You said that every approach to simplifying complexity involves
> *writing* a layer. I repeat, that is not true.

What I should have said is "writing or editing" a layer --- that is to
say, there are always layers in the design somewhere, even if it's
simply in the digital logic layer as you put it.

> Or, the system that has the capability layer can be accessed at its
> ACL layer by one of the legacy systems behind the firewall, and that
> legacy system can potentially be subverted by an attacker.
>
> The point is, you can't analyse the system as a capability system
> while its non-capability interfaces are being used (but if they are
> not used, then their existence cannot be claimed as a compatibility
> advantage).

You can analyze it as a capability system with the caveat that you're
analyzing it with the assumption that an attacker has not compromised
the layer.  This, it turns out, is exceptionally useful, as I keep
saying, even if the assumption is not 100% correct.

>> In other words, what I am saying is that using capability security
>> today, now, can be done in practical, usable systems which allows a
>> huge class of risks to be eliminated.  The point is this is *extremely
>> useful*.  It is not that it completely eliminates all risk.  Your
>> argument seems to be that our approach is pointless because there's
>> still a tiny risk that a virus could get in behind the firewall and
>> thus go wild in the ACL-world underneath.
>
> Please don't misrepresent my argument. I was very clear that my
> objection was that this approach is insufficient in the long term --
> not that it is pointless, and not that it doesn't reduce short-term
> risk.

What I am suggesting is that the focus on building top-to-bottom
systems has made it difficult for capability security to gain traction
in the real world, not that one should never build top-to-bottom
systems.  However --- I do believe you are grossly underestimating the
risk being reduced by the design we are suggesting.  I will address
this in another email.

Mitsu

> -- 
> David-Sarah Hopwood ⚥
>
> _______________________________________________
> cap-talk mailing list
> cap-talk at mail.eros-os.org
> http://www.eros-os.org/mailman/listinfo/cap-talk