[e-cvs] cvs commit: e/domains/caplet/security/taxonomy index.html
markm@eros.cs.jhu.edu
Wed, 18 Jul 2001 23:12:52 -0400
markm 01/07/18 23:12:52
Modified: domains/caplet/security/taxonomy index.html
Log:
fixed html typos caught by Opera
Revision Changes Path
1.5 +87 -81 e/domains/caplet/security/taxonomy/index.html
Index: index.html
===================================================================
RCS file: /cvs/e/domains/caplet/security/taxonomy/index.html,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- index.html 2000/08/10 15:31:30 1.4
+++ index.html 2001/07/19 03:12:52 1.5
@@ -67,21 +67,21 @@
detailed box structure.
<p>Other contributions to this Fact Forum can be found <a
href="http://discuss.foresight.org/~foresight/CSFactForum.html">here</a>.
- <h2>
+
<hr width="100%">
- Understanding the Limits of the Possible</h2>
- In many fields of engineering, productive work only takes off once the shape
- of the boundary between the possible and impossible is understood. In mechanical
- engineering, people kept building perpetual motion machines for a long time
- after they were generally understood to be impossible. People kept trying
- because the only known direction toward the good was toward perpetual motion.
- Then <a href=
+ <h2>Understanding the Limits of the Possible</h2>
+ <p>In many fields of engineering, productive work only takes off once the
+ shape of the boundary between the possible and impossible is understood.
+ In mechanical engineering, people kept building perpetual motion machines
+ for a long time after they were generally understood to be impossible.
+ People kept trying because the only known direction toward the good was
+ toward perpetual motion. Then <a href=
"http://physics.hallym.ac.kr/reference/physicist/Carnot_Sadi.html">Carnot</a>
- invented what we now call <a
+ invented what we now call <a
href="http://www.combustion.me.vt.edu/ME3105/lect17.htm">Carnot efficiency</a>--a
- precise statement of the shape of this boundary for mechanical efficiency.
- With this, thermodynamics was invented and sensible people stopped trying
- to create perpetual motion machines.
+ precise statement of the shape of this boundary for mechanical efficiency.
+ With this, thermodynamics was invented and sensible people stopped trying
+ to create perpetual motion machines. </p>
<p>The computer security field needs to stop building perpetual motion machines.
Currently, possible and impossible goals are mixed together without distinction.
This leads to frustration, as one cannot succeed at impossible goals.
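Review bot: the paragraph opened by `<p>Other contributions to this Fact Forum can be found <a` in the leading context is left unclosed while every paragraph added in this hunk gets an explicit `</p>`; add `</p>` after `here</a>.` before the `<hr width="100%">` so the file follows one convention rather than relying on the `<hr>` to implicitly end the paragraph.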
@@ -97,17 +97,17 @@
used to in the physical world. Fortunately, we can do so, and more. This
fact forum is dedicated to developing the understandings needed for us
to succeed.
- <h2>
+
<hr width="100%">
- Cooperation Without Vulnerability</h2>
- <img src="boundary.gif" height=335 width=416 align=RIGHT>For many, the intuitive
- purpose of computer security is to keep bad things from happening, i.e.,
- to avoid eavesdropping, damage, or attack. This fact forum refers to this
- goal as <i>safety</i>, and it is a necessary part of any computer security
- system. However, by itself safety is a trivial goal: nothing bad can happen
- in a computer that is turned off. Obviously then, the goal of computer security
- must be to achieve safety while still allowing some kinds of good things
- to happen. But what kinds of good things?
+ <h2>Cooperation Without Vulnerability</h2>
+ <p><img src="boundary.gif" height=335 width=416 align=RIGHT>For many, the
+ intuitive purpose of computer security is to keep bad things from happening,
+ i.e., to avoid eavesdropping, damage, or attack. This fact forum refers
+ to this goal as <i>safety</i>, and it is a necessary part of any computer
+ security system. However, by itself safety is a trivial goal: nothing
+ bad can happen in a computer that is turned off. Obviously then, the goal
+ of computer security must be to achieve safety while still allowing some
+ kinds of good things to happen. But what kinds of good things? </p>
<p>The most obvious answer is <i>general purpose computation</i>. This is
also necessary in any computer security system, and corresponds to <a href="perimeter.html">perimeter
security</a>. However, by itself, it still doesn't do us much good. A
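Review bot: the `<img src="boundary.gif" height=335 width=416 align=RIGHT>` moved into the new `<p>` still has no `alt` attribute and uses unquoted attribute values; since this commit is cleaning up markup Opera flagged, quote the values (`height="335" width="416" align="right"`) and add an `alt` (a short description of the boundary diagram, or `alt=""` if it is decorative) so the paragraph reads sensibly when the image does not load.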
@@ -162,9 +162,9 @@
which points are possible within one model but not another we discover
their relative advantages. Plausibly, different models will be found better
for different purposes.
- <h2>
+
<hr width="100%">
- The Difference Between Theory and Practice</h2>
+ <h2>The Difference Between Theory and Practice</h2>
<blockquote><i><font size=+1>In theory, there's no difference between theory
and practice. In practice there is.</font></i></blockquote>
<ul>
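Review bot: `<blockquote><i><font size=+1>` in the trailing context uses an unquoted `size` value; writing `size="+1"` keeps it consistent with the quoted `width="100%"` on the `<hr>` just above, and wrapping the quotation in a `<p>` inside the blockquote would match the paragraph wrapping this commit adds to the surrounding sections.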
@@ -178,18 +178,18 @@
</ul>
</ul>
</ul>
- Of course, the above is an oversimplified view of security engineering.
- The varieties of safety have a more complex relationship than simply <i>more
- safe</i> and <i>less safe</i>. Similarly with cooperation. The question
- of theoretical possibility, in a formal computer science sense, does not
- have as much relationship to <i>practicality </i>as one might like. An arrangement
- that is theoretically possible may be impractical. Worse, an arrangement
- that is theoretically impossible may be practical anyway. For example, though
- a theoretically possible attack prevents a given arrangement from being
- theoretically safe, if the attack itself is impractical the arrangement
- may be practically safe. This fact forum is relevant to real world engineering
- only if it helps us understand the boundary between practical and impractical.
- Why not focus on that instead?
+ <p>Of course, the above is an oversimplified view of security engineering.
+ The varieties of safety have a more complex relationship than simply <i>more
+ safe</i> and <i>less safe</i>. Similarly with cooperation. The question
+ of theoretical possibility, in a formal computer science sense, does not
+ have as much relationship to <i>practicality </i>as one might like. An
+ arrangement that is theoretically possible may be impractical. Worse,
+ an arrangement that is theoretically impossible may be practical anyway.
+ For example, though a theoretically possible attack prevents a given arrangement
+ from being theoretically safe, if the attack itself is impractical the
+ arrangement may be practically safe. This fact forum is relevant to real
+ world engineering only if it helps us understand the boundary between
+ practical and impractical. Why not focus on that instead? </p>
<p>Our technology changes quickly, but theory is timeless. Questions of
practicality derive from current processor speeds, relative market share
of different products, consumer perceptions, and more. Many of us--myself
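Review bot: `<i>practicality </i>as one might like` keeps the space inside the italic element on the rewrapped line; move it outside (`<i>practicality</i> as`) so the italic run contains no whitespace and the sentence cannot render as `practicalityas` if a renderer drops the trailing space inside the tag.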
@@ -199,12 +199,12 @@
of engineering practicality are plausibly fairly timeless (such as the
difficulty of preventing <a href="confinement.html">wall banging</a>),
and such issues are welcome in this forum.
- <h2>
+
<hr width="100%">
- Taxonomies of Issues</h2>
- Each section includes a table of sub-topics. Each table cell is or will
- be a link to a child page expanding on that sub-topic, and often with a
- table of links to further children.
+ <h2>Taxonomies of Issues</h2>
+ <p>Each section includes a table of sub-topics. Each table cell is or will
+ be a link to a child page expanding on that sub-topic, and often with
+ a table of links to further children. </p>
<h3> <a name="RiskLevels"></a>Levels of Risk</h3>
With the above framework, one can ask "for a given pattern of cooperation,
how safe can we be?" Broadly speaking, in decreasing order of safety, three
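Review bot: the new `<p>...</p>` wrapping stops at `a table of links to further children. </p>`, but the `With the above framework, one can ask ...` text following `<h3> <a name="RiskLevels"></a>Levels of Risk</h3>` in the trailing context is still bare text; wrap it in `<p>` as well, and the leading space inside `<h3> <a name=` can be dropped.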
@@ -222,22 +222,29 @@
</table>
<ul>
- <li> <i>Prevention</i> provides safety by actually making the danger impossible--given
- assumptions and caveats that must be made explicit. Ideally, prevention
- systems provide the analog of physical law for computation. For example,
- given a correct realization of the Java architecture, a Java applet
- could no more write to an arbitrary memory location than you or I can
- go faster than the speed of light.</li>
- <li> <i>Deterrence</i> is more like the world of human military, legal,
- or commercial arrangements. These systems seek to discourage attack
- by arranging for it not to be in anyone's interest to attack, or better,
- for it to be against the interests of those with the opportunity. On
- this topic, we can be badly mislead by our intuitions of the real world.
- One cannot punish an object by jailing it.</li>
- <li> Much of the world works by polite request, or <i>admonition</i>,
- and the decent willingness of others to often abide by these admonitions,
- even when there are no consequences for violation. Often, you can get
- someone to avoid endangering you just by asking them. Software can help.</li>
+ <li>
+ <p><i>Prevention</i> provides safety by actually making the danger impossible--given
+ assumptions and caveats that must be made explicit. Ideally, prevention
+ systems provide the analog of physical law for computation. For example,
+ given a correct realization of the Java architecture, a Java applet
+ could no more write to an arbitrary memory location than you or I
+ can go faster than the speed of light.</p>
+ </li>
+ <li>
+ <p><i>Deterrence</i> is more like the world of human military, legal,
+ or commercial arrangements. These systems seek to discourage attack
+ by arranging for it not to be in anyone's interest to attack, or better,
+ for it to be against the interests of those with the opportunity.
+ On this topic, we can be badly mislead by our intuitions of the real
+ world. One cannot punish an object by jailing it.</p>
+ </li>
+ <li>
+ <p> Much of the world works by polite request, or <i>admonition</i>,
+ and the decent willingness of others to often abide by these admonitions,
+ even when there are no consequences for violation. Often, you can
+ get someone to avoid endangering you just by asking them. Software
+ can help.</p>
+ </li>
</ul>
Deterrence and admonition blend into each other. If someone repeatedly violates
my admonitions, I may eventually find out and stop dealing with them. This
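Review bot: `we can be badly mislead by our intuitions` in the rewrapped Deterrence item should read `misled` (past participle); since this commit is fixing typos, fold it in. The leading space in `<p> Much of the world works by polite request` and the bare `Deterrence and admonition blend into each other.` text after `</ul>` in the trailing context are the same paragraph-wrapping inconsistency noted elsewhere in the file.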
@@ -253,13 +260,12 @@
and the one that most admits progress by formal reasoning. Accordingly,
I expect most activity in this fact forum to occur in this area, so it
contains the bulk of seeding framework.
- <h3>
+
<hr width="100%">
- The Classic Saltzer and Schroeder criteria</h3>
- We have received permission from Saltzer and Schroeder to upload their article
- to the web. <a
-href="http://cap-lore.com/CapTheory/ProtInf/">This</a> is the OCRed
- result.
+ <h3>The Classic Saltzer and Schroeder criteria</h3>
+ <p>We have received permission from Saltzer and Schroeder to upload their
+ article to the web. <a
+href="http://cap-lore.com/CapTheory/ProtInf/">This</a> is the OCRed result. </p>
<p>These criteria were also used in <a
href="http://www.cs.princeton.edu/sip/pub/extensible.html">Extensible Security
Architectures for Java</a>, by Wallach et al. We are seeking permission
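Review bot: the link text `This` in `<a href="http://cap-lore.com/CapTheory/ProtInf/">This</a> is the OCRed result.` is non-descriptive; linking the words `the OCRed result` (or the article title) makes the link meaningful out of context, and the `href=` line starting at column 0 breaks the indentation the rest of the hunk keeps.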
@@ -413,16 +419,16 @@
</tr>
</table>
</center>
- The columns above are security models to be examined. Saltzer and Schroeder
- examined Capabilities and Access Control Lists. Wallach <i>et al</i> examined
- Capabilities, Stack Introspection (what Netscape uses), and Type Hiding.
- Though Ring Security is examined by neither, it is the major paradigm of
- both Multics and <a href="http://www.disa.mil/MLS/info/orange/">The Orange
- Book</a>, and so bears examination by these criteria. The first eight rows
- above represent the evaluation criteria used by both these papers.
- The last four are further criteria introduced by Wallach <i>et al</i>. When
- we have permission to upload the Wallach document to html, these row and
- column headings will be linked appropriately.
+ <p>The columns above are security models to be examined. Saltzer and Schroeder
+ examined Capabilities and Access Control Lists. Wallach <i>et al</i> examined
+ Capabilities, Stack Introspection (what Netscape uses), and Type Hiding.
+ Though Ring Security is examined by neither, it is the major paradigm
+ of both Multics and <a href="http://www.disa.mil/MLS/info/orange/">The
+ Orange Book</a>, and so bears examination by these criteria. The first
+ eight rows above represent the evaluation criteria used by both these
+ papers. The last four are further criteria introduced by Wallach
+ <i>et al</i>. When we have permission to upload the Wallach document to
+ html, these row and column headings will be linked appropriately. </p>
<p>The strange identifiers within the table are simply unique anchor points
for you to attach commentary about how a given security model relates
to a given criteria. In this context, use the "<tt><font
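Review bot: `how a given security model relates to a given criteria` in the trailing context should be `criterion` (singular), and `<i>et al</i>` in the rewrapped paragraph conventionally carries a period (`et al.`); both are small typo fixes in the spirit of this commit. The `<center>` element around the table is presentational markup that a later cleanup could replace with a style rule.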
@@ -464,14 +470,14 @@
</ul>
</ul>
</blockquote>
- I admit it, I have an ax to grind. I passionately believe in a particular
- security model--pure capabilities--and feel it has been maligned largely
- by two widespread misunderstandings: capabilities were wrongly thought incapable
- of providing certain security arrangements, and some security arrangements
- promised by other models were wrongly thought to be possible. My first hope
- for this forum is to repair both errors. No doubt I have such misunderstandings
- of other models, and I hope to repair these as well. Now you know where
- I'm coming from.
+ <p>I admit it, I have an ax to grind. I passionately believe in a particular
+ security model--pure capabilities--and feel it has been maligned largely
+ by two widespread misunderstandings: capabilities were wrongly thought
+ incapable of providing certain security arrangements, and some security
+ arrangements promised by other models were wrongly thought to be possible.
+ My first hope for this forum is to repair both errors. No doubt I have
+ such misunderstandings of other models, and I hope to repair these as
+ well. Now you know where I'm coming from. </p>
<p>However, I have created two separate document structures. This tree of
pages, rooted at this page, is my attempt at neutral framework--a semi-fair
playing field for starting the discussion. Separately, I am writing <a href="../editorial/index.html">editorial</a>
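Review bot: the trailing space before `</p>` on `Now you know where I'm coming from. </p>`, as on every other paragraph this commit closes, renders as nothing but is worth dropping now that the closing tags are being added; the rewrap of the first-person paragraph itself changes no wording, which is what a formatting-only commit should do.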