[cap-talk] Video of Marc Stiegler's talk at Google : "The Lazy Programmer's Guide to Secure Computing"

David Wagner daw at cs.berkeley.edu
Wed Mar 31 16:59:12 PDT 2010


Mike Samuel wrote:
>Are covert channels not a possible system integrity issue?

Covert channels are a confidentiality issue.

If the integrity of the system relies upon the confidentiality
of certain secrets, then you have a problem: capability reasoning
is not going to be enough to convince yourself that the integrity
properties are guaranteed.

In Joe-E, the canonical style of reasoning goes something like
this: assume conservatively that the attacker can guess any secrets
you may have, and then by reasoning about the flow of capabilities,
see if you can prove the system secure.  Put another way, Joe-E
helps you reason about the flow of capabilities but not the flow
of bits.

More precisely, when I say "covert channels" above, I mean channels
through which bits may flow.  Channels through which capabilities may
flow are a different issue, and must be avoided entirely.  Capabilities
can be used to reason soundly about flow of capabilities, but not
for reasoning soundly about flow of bits (in general).

Somewhere on the E web site there is a diagram with a 2x2
chart illustrating bit-confinement vs authority-confinement, and
inward-confinement vs outward-confinement, but I can't find the web page
right now.  In the meantime, here is something I wrote a while ago:

http://www.mail-archive.com/linux-kernel@vger.kernel.org/msg145314.html
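
The two reasoning styles contrasted in the post, as an added example that is not part of the original message or of Joe-E: Python stands in for Joe-E here (it does not itself enforce capability discipline), and the counter, its facets and the helper names are constructed for illustration.

```python
import secrets


class SecretGatedCounter:
    """Design A: the reset authority travels with every reference to the
    counter and is guarded only by a secret string, so the integrity
    property (only the admin resets) depends on confidentiality."""
    def __init__(self):
        self._count = 0
        self.reset_token = secrets.token_hex(16)   # the secret

    def increment(self):
        self._count += 1

    def value(self):
        return self._count

    def reset(self, token):
        if token != self.reset_token:
            raise PermissionError("bad token")
        self._count = 0


def make_facet_counter():
    """Design B: the reset authority is a separate object (facet). A holder
    of only the reader facet cannot reset, however many bits they learn."""
    count = [0]

    class Reader:
        def increment(self):
            count[0] += 1

        def value(self):
            return count[0]

    class Resetter:
        def reset(self):
            count[0] = 0

    return Reader(), Resetter()


def reachable_methods(obj):
    """Capability-flow view: the public methods a holder of obj can call."""
    return {n for n in dir(obj)
            if not n.startswith("_") and callable(getattr(obj, n))}


def integrity_survives_leak(design):
    """The post's conservative assumption: every secret has leaked.
    True if holding `design` still cannot zero the count."""
    if "reset" not in reachable_methods(design):
        return True                      # authority never flowed; bits irrelevant
    leaked = getattr(design, "reset_token", None)   # bits assumed leaked
    design.increment()
    design.reset(leaked)
    return design.value() != 0
```

Design A fails the check because capability reasoning already shows `reset` reaching every holder, with only bits standing in the way; design B passes because the resetter reference was never given out.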


More information about the cap-talk mailing list