[cap-talk] What sustained interest in capabilities
David-Sarah Hopwood
david.hopwood at industrial-designers.co.uk
Thu Jan 8 00:28:34 EST 2009
Mitsu Hadeishi wrote:
> On Jan 7, 2009, at 9:56 PM, David-Sarah Hopwood wrote:
>
>> Or, the system that has the capability layer can be accessed at its
>> ACL layer by one of the legacy systems behind the firewall, and that
>> legacy system can potentially be subverted by an attacker.
>>
>> The point is, you can't analyse the system as a capability system
>> while its non-capability interfaces are being used (but if they are
>> not used, then their existence cannot be claimed as a compatibility
>> advantage).
>
> You can analyze it as a capability system with the caveat that you're
> analyzing it with the assumption that an attacker has not compromised
> the layer.

No, that is wrong.
If anyone is using the system by a non-capability interface, even if
they are not an attacker, then the system is not a capability system
and cannot be analysed as one.
>>> In other words, what I am saying is that using capability security
>>> today, now, can be done in practical, usable systems which allows a
>>> huge class of risks to be eliminated. The point is this is
>>> *extremely useful*. It is not that it completely eliminates all risk.
>>> Your argument seems to be that our approach is pointless because there's
>>> still a tiny risk that a virus could get in behind the firewall and
>>> thus go wild in the ACL-world underneath.
>>
>> Please don't misrepresent my argument. I was very clear that my
>> objection was that this approach is insufficient in the long term --
>> not that it is pointless, and not that it doesn't reduce short-term
>> risk.
>
> What I am suggesting is that the focus on building top-to-bottom
> systems has made it difficult for capability security to gain traction
> in the real world, not that one should never build top to bottom
> systems.

Again, I disagree -- I think that:
- only a small subset of the capability community ever had a focus on
building top-to-bottom systems;
- that subset was actually quite successful in building such systems,
from a technical point of view;
- capability systems have failed to become popular for entirely
different reasons, primarily to do with marketing, bad luck, and
misconceptions about their security and usability characteristics.

That is, I think that avoiding top-to-bottom systems due to a belief
that such systems are necessarily "unable to gain traction" is learning
the wrong lesson from history.

--
David-Sarah Hopwood ⚥