[cap-talk] Concerning entry "ambient authority" in Wikipedia

David Wagner daw at cs.berkeley.edu
Wed Jun 10 15:40:21 EDT 2009


Marcus Brinkmann wrote:
> OTOH, playing devil's advocate here, I don't think the line that separates
> safe from unsafe operations is completely clear.

I agree with you.  When I hear "safe", mentally I translate that to
something like "conveys authority that is negligible for the purposes
I care about" or "not a major issue for my intended application domain".

I can imagine systems that make ambiently available some minor capability
that is considered unimportant or not a likely threat to the security
of the application domain that system is used in.  One can still do
capability reasoning in such a system; we assume that everyone can get
access to the ambiently available capability, and then reason about all
the rest using standard capability reasoning.

I also agree with you that for some applications, side channels may be
a serious issue.  My view is that capability systems do not help with
confidentiality and availability; they don't make things any worse, but
they don't make things any better, either.  Capabilities are focused at
controlling side effects, and reasoning about integrity properties.  If
confidentiality is really important in your domain, you're going to have
to look to other techniques to address that aspect of your concerns,
because indeed, capabilities are not a very effective way to reason
about confidentiality concerns.

(By the way, reasoning soundly and modularly about confidentiality
is *really* hard.  I don't know of any general-purpose, useful system
that has a reasonable story here.  Essentially every general-purpose
system allows covert channels.  Covert channels pretty much ruin the
hope of sound reasoning about confidentiality.  There are information-flow
systems that try to reason about confidentiality, but they punt when
it comes to covert channels.  They let you prove theorems that say
something like "this information won't leak across overt channels"
or "this information remains confidential, as long as no one uses any
covert channel", which is depressingly close to "this system remains
secure as long as no one tries to attack it".  So for confidentiality,
we're pretty much stuck with ad-hoc methods of securing systems.)
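The reasoning step described in the post (treat the ambiently available capability as held by everyone, then apply ordinary capability reasoning to everything else) can be made concrete with a small object-capability model. The code below is an added illustration, not code from the post or from any capability system it mentions; the class and function names (`Capability`, `Component`, `reachable_authority`, `attenuate`), the ambient "clock" capability and the sample resources are all constructed for this example.

```python
"""Bounding a component's authority when one capability is ambient.

Added example, not from the cap-talk thread.  Authority is modelled as
held references.  One capability ("clock") is ambient: every component
is assumed to hold it without being handed a reference.  A component's
authority is the transitive closure of what it holds plus the ambient set.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Capability:
    name: str
    actions: frozenset          # actions this capability permits
    # Capabilities reachable through this one (e.g. a directory cap that
    # hands out file caps).  Hypothetical field for this example.
    grants: tuple = ()


# Constructed ambient set: anyone can read the clock, so every analysis
# starts from it, mirroring "assume everyone can get access to it".
AMBIENT = {Capability("clock", frozenset({"read_time"}))}


def attenuate(cap, keep):
    """Return a weaker capability exposing only a subset of its actions."""
    return Capability(cap.name, cap.actions & frozenset(keep), cap.grants)


@dataclass
class Component:
    name: str
    held: set = field(default_factory=set)


def reachable_authority(component):
    """Map resource name -> actions the component can perform on it.

    Walks every capability the component holds, follows any capabilities
    those grant, and unions in the ambient set.  Nothing else is reachable,
    which is the property capability reasoning relies on.
    """
    authority = {}
    visited = set()
    stack = list(component.held) + list(AMBIENT)
    while stack:
        cap = stack.pop()
        if cap in visited:
            continue
        visited.add(cap)
        authority.setdefault(cap.name, set()).update(cap.actions)
        stack.extend(cap.grants)
    return authority


def can(component, resource, action):
    """True if the component's reachable authority permits the action."""
    return action in reachable_authority(component).get(resource, set())


def demo():
    """Constructed resources: a config file, a secrets store and a vault
    capability that yields the secrets capability to whoever holds it."""
    config = Capability("config.yaml", frozenset({"read", "write"}))
    secrets = Capability("secrets", frozenset({"read"}))
    vault = Capability("vault", frozenset({"list"}), grants=(secrets,))
    # The viewer is only ever handed a read-only attenuation of config.
    viewer = Component("viewer", {attenuate(config, {"read"})})
    admin = Component("admin", {config, vault})
    return viewer, admin


if __name__ == "__main__":
    viewer, admin = demo()
    for comp in (viewer, admin):
        print(comp.name, reachable_authority(comp))
```

The point of the walk is that the viewer's bound includes the ambient clock and read access to the config, but nothing about the secrets store, because no reference path leads there; the admin reaches the secrets only through the vault reference it was explicitly given. Side channels, as the post notes, fall outside what this kind of reasoning can see.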

