[cap-talk] Concerning entry "ambient authority" in Wikipedia

David-Sarah Hopwood david-sarah at jacaranda.org
Wed Jun 10 11:39:32 EDT 2009


Marcus Brinkmann wrote:
> Mark Miller wrote:
>> On Tue, Jun 9, 2009 at 4:25 AM, Marcus
>> Brinkmann<marcus.brinkmann at ruhr-uni-bochum.de> wrote:
>>> So an object-capability system with capabilities that are widely held is not
>>> an object-capability system?
>>
>> If authority bearing capabilities happen to be widely held, you may
>> still have an object-capability system.
>>
>> If authority bearing capabilities are necessarily widely held, i.e.,
>> if A loading and instantiating code B cannot deny such capabilities to
>> B, then you don't have an object-capability system.
> 
> I have a bit of a problem deciding that Unix is not an ocap system simply
> because there was a conscious design choice to have undeniable capabilities
> within the model,

Undeniable authorities. They are not capabilities, nor are they accessed
via capabilities.

> while in real ocap systems the only undeniable capabilities
> are found outside the model by definition.  Formally, you are right that
> using such definitions there is a difference.  But models fail dramatically to
> capture real world systems, and that may provide you with a false sense of
> security.  At the very least it does not allow you to transfer the reasoning
> over the model to actual implementations of it.  In Unix at least people are
> aware of the compromises they make with regards to those undeniable
> capabilities that are made explicit (well, to some extent).

I disagree; I think that the opposite is more often true. If you attempt to
criticise a system, like Unix or Windows, for not attempting to enforce some
security property because you think it is necessary to achieve typical
users' security requirements, then my experience is that most people will
not even hear what you are trying to say. They get fixated on the fact that
the system didn't attempt to enforce the property, and trying to convey
the idea "yes, and that is why it is broken" is very often like banging
your head against a brick wall.

If you point out a class of attack that was within the scope of what a
system was trying to prevent, but was not modelled, OTOH, then that is
more likely to elicit a response such as "okay, but we don't know how to
fix that". That is much more constructive, and is a step further toward
actually fixing attacks in that class.

> An attacker doesn't care about models, but will attack implementations of it.

They will do that regardless of whether the attack was missed because it
wasn't modelled, or because the system didn't try to prevent it.

> Furthermore, undeniable capabilities are an integral part of the constructor
> design in EROS.  The constructor provides the starting process B with an
> undeniable bag of capabilities.

It chooses which capabilities to provide, so they are not undeniable.

-- 
David-Sarah Hopwood  ⚥  http://davidsarah.livejournal.com
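The deniability criterion argued over in this thread (can the loader A withhold an authority from the code B it instantiates, or does B reach it anyway?) as an added Python model that is not part of the original message or of EROS. `Constructor`, `Process` and `File` are toy names chosen here; Python itself has ambient authority (`open`, `os`), so the model illustrates the distinction rather than being a sandbox.

```python
from typing import Callable, Dict, Iterable, Tuple

class File:
    """Target object; its methods are the authorities being controlled."""
    def __init__(self, text: str) -> None:
        self.text = text
    def read(self) -> str:
        return self.text
    def write(self, text: str) -> None:
        self.text = text

class Process:
    """Instantiated code B: it holds only the capabilities it was handed."""
    def __init__(self, caps: Dict[str, Callable]) -> None:
        self._caps = dict(caps)   # no other route to authority exists
    def invoke(self, name: str, *args):
        if name not in self._caps:
            raise PermissionError(f"no capability {name!r} was granted")
        return self._caps[name](*args)

class Constructor:
    """Loader A: holds a bag of capabilities and picks what each B receives."""
    def __init__(self, bag: Dict[str, Callable]) -> None:
        self._bag = dict(bag)
    def instantiate(self, grant: Iterable[str]) -> Process:
        # A chooses the subset; whatever it leaves out is denied to B.
        return Process({name: self._bag[name] for name in grant})

# Ambient authority: a globally reachable object that A cannot withhold from B.
AMBIENT_FILE = File("secret")   # constructed sample data

def ambient_b() -> str:
    # B written against an ambient-authority API names the resource directly,
    # so nothing the loader does can deny it (the Unix/Windows situation).
    return AMBIENT_FILE.read()

def deniability_test() -> Tuple[bool, bool, bool]:
    """Return (B could read, B's write was denied, file is unchanged)."""
    f = File("hello")                      # constructed sample data
    a = Constructor({"read": f.read, "write": f.write})
    b = a.instantiate(["read"])            # A deliberately withholds "write"
    can_read = b.invoke("read") == "hello"
    try:
        b.invoke("write", "tampered")
        write_denied = False
    except PermissionError:
        write_denied = True
    return can_read, write_denied, f.text == "hello"
```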