[cap-talk] "ACLs don't" paper rejected from Oakland 09
Tyler Close
tyler.close at gmail.com
Fri Jan 30 11:13:30 EST 2009
On Fri, Jan 30, 2009 at 1:16 AM, Toby Murray
<toby.murray at comlab.ox.ac.uk> wrote:
> On Thu, 2009-01-29 at 12:19 -0800, Tyler Close wrote:
>> On Thu, Jan 29, 2009 at 11:53 AM, David Wagner <daw at cs.berkeley.edu> wrote:
>> > I would say that the Oakland conference does not exist to educate the
>> > world. Just because something is not widely known is not sufficient
>> > reason for publication in Oakland.
>>
>> What existing papers could people read and come away with the same
>> level of understanding they get from "ACLs don't"?
>
> I think David has nailed it. "Understanding" is hard to evaluate because
> there is nothing tangible (no "work") other than pure ideas. It's much
> easier for a reviewer to ask "What work was carried out here?", then "Is
> it novel?", "Is it interesting?" and "Is it well-presented?". Answering
> these questions for ideas only is much harder, hence an ideas-only paper
> will always be much harder to get accepted.

I think of what I did in "ACLs don't" more as evaluation than ideas,
but skipping that for now, I think this raises an interesting issue.
If it is true that it is hard to publish a paper that only evaluates
existing mechanisms, rather than proposing new mechanisms, that would
go a long way towards explaining why poor mechanisms survive and
thrive for so long in this field once they take hold. Once a mechanism
has been published, it is effectively beyond reproach.

It certainly seems like this is the case with ACLs. For example, ACLs
arrived along with the claim that the access matrix was the "one true
model of access control", meaning ACLs and capabilities were
semantically equivalent. Now, I would have thought that in order to
make a claim that two algorithms are equivalent, you'd have to provide
some proof that their outputs are also always equivalent. No such
proof was ever attempted or demanded for the access matrix claim. As
I've shown in "ACLs don't", the outputs are not equivalent and so the
equivalence claim is ridiculous (AFAIK, no other paper has ever put
these two things together). And I really mean 'ridiculous'. If one of
the claims about a mechanism is so blatantly erroneous, and yet
survives for so long, it is a strong indication that the mechanism
itself, and its other claims, have never been subjected to serious
evaluation. In "ACLs don't", I've done such an evaluation and
persuasively shown that none of the claimed features of ACLs are
actually implemented, in anything other than the trivial case of two
party interactions. But there's no place for such evaluation in
computer security. So we go on, for decade after decade, continuing to
build on top of a model that doesn't actually work. And we will never
document that any of the things built on this model also don't
actually work. Instead we will continue with the status quo of
computer security being a failed field, in terms of positive effect on
computing.

--Tyler