[cap-talk] What sustained interest in capabilities
Toby Murray
toby.murray at comlab.ox.ac.uk
Thu Jan 8 03:45:57 EST 2009
On Wed, 2009-01-07 at 19:30 -0800, David Wagner wrote:
> David Hopwood writes:
> > I don't find that this platitude tells me anything useful about how to
> > design systems.
>
> It's not intended to. What it's intended to suggest is that there is not One
> Right Approach to the design of secure systems. The best design usually
> depends upon context and on the requirements. In some settings, a design
> along the lines you sketch may be the best one. In other settings, a
> design along the lines that Mitsu may be the most suitable. That's fine.
I'm having trouble seeing the difference between what Mitsu and
David-Sarah are advocating. Joe-E (a capability-secure "layer" atop
"insecure" Java), Caja (a capability-secure "layer" atop "insecure"
JavaScript), EROS (a "capability-secure" layer above "insecure" machine
interface), E's SafeScope (a "capability-secure" layer above "insecure"
global scope in which <file> etc. are available) all fit Mitsu's
paradigm of adding/replacing a single layer to completely confine the
authority of those things that execute on that layer (modulo
implementation flaws, as all security-enforcing code is subject to -- the
recent OpenSSL vulnerability (CVE-2008-5077) indicates just how
difficult it is to eliminate this threat btw).
David-Sarah, could you qualify whether the systems I've mentioned above
fit your paradigm? If so, what is the difference between what you and
Mitsu are advocating here?
I wonder if you two are not just talking past each other.
Cheers
Toby
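An added illustration (not part of the cap-talk thread, and not code from Joe-E, Caja or E) of the "single layer that confines authority" pattern the message describes: code running on the confined layer receives no ambient authority, only the object references handed to it, and those references can be attenuated (a read-only facet) and revoked (a forwarder that can be switched off). All names here (makeStore, readOnlyView, makeRevocable, untrustedReport) are invented for the demo. Note what plain JavaScript does not give you: nothing below removes the global scope, so a real system still needs the language-level layer (Caja, Joe-E) to strip ambient authority, and even then, as the message says, the guarantee holds only modulo flaws in that enforcing layer.

```javascript
// Added example, not from the cap-talk thread: an object-capability style
// confinement pattern in the spirit of Caja / E's SafeScope. Names are made up.

// The "insecure" substrate: a store carrying full read/write authority.
function makeStore() {
  const data = new Map();
  return {
    get: (k) => data.get(k),
    set: (k, v) => { data.set(k, v); },
    keys: () => [...data.keys()],
  };
}

// Attenuation: a read-only facet exposing only part of the store's authority.
function readOnlyView(store) {
  return Object.freeze({
    get: (k) => store.get(k),
    keys: () => store.keys(),
  });
}

// Revocation: a forwarder whose authority can be withdrawn after it was granted.
function makeRevocable(target) {
  let live = target;
  const proxy = Object.freeze({
    get: (k) => { if (!live) throw new Error('revoked'); return live.get(k); },
    keys: () => { if (!live) throw new Error('revoked'); return live.keys(); },
  });
  return { proxy, revoke: () => { live = null; } };
}

// Code on the confined layer: it gets no ambient store, only the reference
// passed in, so the most it can do is what that reference allows.
function untrustedReport(view) {
  return view.keys().map((k) => `${k}=${view.get(k)}`).join(',');
}

// Walk through grant, attenuation and revocation; returns what each step observed.
function demo() {
  const store = makeStore();
  store.set('a', 1);
  store.set('b', 2);
  const { proxy, revoke } = makeRevocable(readOnlyView(store));
  const before = untrustedReport(proxy);             // reads succeed: 'a=1,b=2'
  const canWrite = typeof proxy.set === 'function';  // no write facet was granted
  revoke();
  let afterRevoke;
  try {
    untrustedReport(proxy);
    afterRevoke = 'still-usable';
  } catch (e) {
    afterRevoke = e.message;                         // 'revoked'
  }
  return { before, canWrite, afterRevoke };
}
```

The design point is that authority flows only along references: the report function never names the store, so removing or narrowing the reference it holds is the whole access-control decision, which is what makes the confining layer's correctness the single thing to audit.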