[cap-talk] Security by safe language processing
Jed Donnelley
capability at webstart.com
Tue Sep 8 01:12:21 PDT 2009
At 05:04 PM 9/6/2009, you wrote:
>Seems like with all this talk of security and compilers, it's time to
>bring up Ken Thompson's paper:
>
>http://cm.bell-labs.com/who/ken/trust.html
Nice paper. Elegant and to the point. Interesting guy that Roger
Schell. I don't recognize the name P.A. Karger. The paper that is
referred to is:
Paul A. Karger, Roger R. Schell, Multics Security Evaluation:
Vulnerability Analysis (Air Force Electronic Systems Division, 1974)
<http://csrc.nist.gov/publications/history/karg74.pdf>, which describes
the classic attacks on Multics security by a "tiger team"
<http://en.wikipedia.org/wiki/Tiger_team>.
I know I read the above paper, but I'm sorry to say I don't remember
the main concept from your Thompson reference previously from either source.
Perhaps now would be a good time to read:
Paul A. Karger, Roger R. Schell, Thirty Years Later: Lessons from the
Multics Security Evaluation (IBM, 2002)
<http://www.acsac.org/2002/papers/classic-multics.pdf>, an
interesting retrospective which compares actual deployed security in
today's hostile environment with what was demonstrated to be possible
decades ago. It concludes that Multics offered considerably stronger
security than most systems commercially available in 2002.
Thanks for sharing that reference. I didn't know (or didn't recall)
that such Trojan Horses can be so strongly invisible.
I don't see how that concept provides much of a distinction for this
discussion, however, as I expect such a Trojan Horse could be placed
in either a traditional memory protected system or in a system with
language based security - if one could once get access to the
compiler used to compile the system. Perhaps this argument could
suggest that, because of this vulnerability to such Trojan Horses,
traditional systems based on memory protection are just as vulnerable
as those relying on language based protection (? - contrary to my
earlier assertions?). Namely, as Thompson says, you really can't
trust any code that you didn't build yourself up from the binary. In
that case I think we're all in trouble.
--Jed http://www.webstart.com/jed-signature.html
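The "strongly invisible" Trojan Horse referred to above is Thompson's self-reproducing compiler trojan. The toy model below is added here as an illustration; it is not code from Jed's message, from Thompson's paper, or from the Karger/Schell reports. It models a compiler as a source-to-source translator over Python text, so that a "binary" is just the text the compiler emits and "running" it is exec(). The program names, the trigger strings, the master password "letmein", and the pass-through "clean" compiler are all made-up assumptions of the model. It also shows why the trojan is invisible to a source audit (no source that gets compiled ever contains the backdoor) and adds the standard countermeasure, Wheeler's diverse double-compiling, using the interpreter running the clean source directly as the second, assumed-trusted compiler.

```python
"""Toy model of the self-reproducing compiler trojan from Thompson's
"Reflections on Trusting Trust" (constructed example, not from the post).

Programs are Python source strings. "Compiling" runs a source-to-source
translator over the text; the "binary" is the text it emits, and "running"
a binary means exec()ing it. Names, triggers and the master password are
assumptions of this model, not anything from the original paper.
"""

# Constructed target program: a password check.
LOGIN_SRC = '''
USERS = {"alice": "s3cret"}
def login(user, password):
    return USERS.get(user) == password
'''

# The honest compiler source: a pass-through translator. Auditing this text
# shows nothing wrong, which is the whole point of the attack.
CLEAN_COMPILER_SRC = '''
def compile_program(src):
    return src
'''

# The trojaned compiler, written as a template whose %r slot receives the
# template itself, so the emitted binary can regenerate its own full text
# (a quine). This text exists only in the attacker's hands; it is never
# part of the sources anyone else compiles.
TROJAN_TEMPLATE = '''
def compile_program(src):
    # Trigger 1: when compiling the login program, plant a master password.
    if "def login(" in src:
        src = src.replace(
            "return USERS.get(user) == password",
            "return password == \\"letmein\\" or USERS.get(user) == password")
    # Trigger 2: when asked to compile the compiler, ignore the (clean)
    # source and emit this trojaned compiler again.
    if "def compile_program(" in src:
        return TROJAN_TEMPLATE %% (TROJAN_TEMPLATE,)
    return src
TROJAN_TEMPLATE = %r
'''


def run(binary):
    """Execute a binary (emitted text) and return the names it defines."""
    namespace = {}
    exec(binary, namespace)
    return namespace


def compile_with(compiler_bin, src):
    """Use an existing compiler binary to compile source text."""
    return run(compiler_bin)["compile_program"](src)


def bootstrap_trojan():
    """Stage 0: the attacker builds the compiler from trojaned source once."""
    return TROJAN_TEMPLATE % (TROJAN_TEMPLATE,)


def backdoor_survives(compiler_bin, generations=3):
    """Rebuild the compiler `generations` times from CLEAN source, each time
    using the previous generation's binary, then build login with the
    result. Returns (login accepts the master password,
    master password visible in any source that was compiled)."""
    for _ in range(generations):
        compiler_bin = compile_with(compiler_bin, CLEAN_COMPILER_SRC)
    login = run(compile_with(compiler_bin, LOGIN_SRC))["login"]
    visible = "letmein" in CLEAN_COMPILER_SRC or "letmein" in LOGIN_SRC
    return login("alice", "letmein"), visible


def diverse_double_compile(suspect_bin, trusted_bin):
    """Wheeler's diverse double-compiling check. Build the clean compiler
    source with the trusted compiler, then again with that result; compare
    the outcome with what the suspect compiler emits for the same source.
    A self-reproducing suspect emits itself, so the two differ."""
    stage1 = compile_with(trusted_bin, CLEAN_COMPILER_SRC)
    stage2 = compile_with(stage1, CLEAN_COMPILER_SRC)
    return stage2 == compile_with(suspect_bin, CLEAN_COMPILER_SRC)


if __name__ == "__main__":
    trojan = bootstrap_trojan()
    print("trojaned compiler, after rebuilds from clean source:",
          backdoor_survives(trojan))
    print("honest compiler, same procedure:",
          backdoor_survives(CLEAN_COMPILER_SRC))
    print("DDC agrees for suspect compiler:",
          diverse_double_compile(trojan, CLEAN_COMPILER_SRC))
    print("DDC agrees for honest compiler:",
          diverse_double_compile(CLEAN_COMPILER_SRC, CLEAN_COMPILER_SRC))
```

The fixed point is the part to notice: compiling the clean compiler source with the trojaned binary yields byte-for-byte the trojaned binary again, so any number of rebuilds from audited source changes nothing, and the login built afterwards still accepts the master password. This holds whether the target system relies on hardware memory protection or on language-based safety, as the message suggests, because the trojan lives in the toolchain rather than in either protection mechanism. The double-compiling check only helps if the second compiler really is independent of the first; in this model that independence is simply assumed.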