[cap-talk] What sustained interest in capabilities

Mitsu Hadeishi mitsu at syntheticzero.com
Thu Jan 8 00:51:57 EST 2009


On Jan 8, 2009, at 12:28 AM, David-Sarah Hopwood wrote:
>> You can analyze it as a capability system with the caveat that you're
>> analyzing it with the assumption that an attacker has not compromised
>> the layer.
>
> No, that is wrong.
>
> If anyone is using the system by a non-capability interface, even if
> they are not an attacker, then the system is not a capability system
> and cannot be analysed as one.

Again, by this logic, no system can be analyzed as a capability  
system, because there is always the possibility of someone violating  
the capability interfaces. For example, suppose someone were to  
physically invade a datacenter and directly compromise the operation  
of the physical CPUs; since such an operation is allowed by the laws  
of physics, by your reasoning, it would mean one could not think about  
the system in capability terms.

Or, to take the example of Joe-E, or Caja, you could also say these  
cannot be analyzed as capability systems because they are currently  
implemented on top of legacy operating systems, browsers, etc.

Of course these systems can be analyzed as capability systems, within  
the subset of operations allowed by the layer.  One can think about  
intrusions by other systems as a separate case.

> Again, I disagree -- I think that:
>
> - only a small subset of the capability community ever had a focus on
>  building top-to-bottom systems;
> - that subset was actually quite successful in building such systems,
>  from a technical point of view;
> - capability systems have failed to become popular for entirely
>  different reasons, primarily to do with marketing, bad luck, and
>  misconceptions about their security and usability characteristics.
>
> That is, I think that avoiding top-to-bottom systems due to a belief
> that such systems are necessarily "unable to gain traction" is learning
> the wrong lesson from history.

I certainly defer to your superior knowledge of the history of  
capability security.  However, to reiterate my argument, the simple  
notion I am advocating is that web service architecture creates the  
opportunity to implement a layer at the web interface level which is  
capability secure.  This requires less buy-in and infrastructure  
change than, for example, implementing everything in, say, Joe-E (much  
as I like Joe-E).  One can implement the layer in Java, and thereby  
take advantage of Java libraries, etc., while the code running outside  
the layer cannot directly access that level.  This is relatively easy  
to do and would generate enthusiasm for capability security in the  
wider world ... it seems to me that this can only lead, eventually, to  
more use of capability security ideas in language design and  
eventually OS design.

Mitsu
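The layer argued for above, as an added illustration that is not part of the post (the post suggests Java; Python is used here so the sketch stays short, and the class and method names are assumptions): code outside the layer holds only unguessable reference strings, each carrying exactly the authority it was granted, so a holder can attenuate or be revoked but never reach the underlying objects or amplify what it has.

```python
import secrets

class Document:  # lives inside the layer; the object itself is never handed out
    def __init__(self, text):
        self.text = text
    def read(self):
        return self.text
    def write(self, text):
        self.text = text

class CapabilityLayer:
    """Hypothetical web-interface layer: code outside it holds only unguessable
    reference strings, each carrying exactly the methods it was granted."""
    def __init__(self):
        self._grants = {}  # ref -> (target object, frozenset of allowed methods)
    def grant(self, target, methods):
        ref = secrets.token_urlsafe(32)  # 256 bits: unguessable, hence unforgeable
        self._grants[ref] = (target, frozenset(methods))
        return ref
    def attenuate(self, ref, methods):  # derive a weaker reference, never a stronger one
        target, held = self._grants[ref]  # KeyError for an unknown reference
        if not set(methods) <= held:
            raise PermissionError("cannot amplify authority")
        return self.grant(target, methods)
    def revoke(self, ref):
        self._grants.pop(ref, None)
    def invoke(self, ref, method, *args):  # the only operation the outside world gets
        entry = self._grants.get(ref)
        if entry is None or method not in entry[1]:
            raise PermissionError("no such capability")
        return getattr(entry[0], method)(*args)

def allowed(layer, ref, method, *args):  # True if the layer lets the call through
    try:
        layer.invoke(ref, method, *args)
        return True
    except PermissionError:
        return False

def demo():
    layer = CapabilityLayer()
    full = layer.grant(Document("hello"), {"read", "write"})
    ro = layer.attenuate(full, {"read"})  # read-only facet for a third party
    results = {"ro_can_read": allowed(layer, ro, "read"),
               "ro_can_write": allowed(layer, ro, "write", "x"),
               "guessed_ref_works": allowed(layer, "A" * 43, "read")}
    layer.revoke(ro)  # the facet dies; the full reference is unaffected
    results["ro_after_revoke"] = allowed(layer, ro, "read")
    results["full_after_revoke"] = allowed(layer, full, "read")
    return results
```

Analysing the system "within the subset of operations allowed by the layer" then means analysing exactly the `invoke` path: anything reachable only by bypassing it is the separate case the post sets aside.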
