Thoughts on droplets

shapj@us.ibm.com
Mon, 1 Nov 1999 20:36:48 -0500


As promised, here is the "more later."  I'm taking various bits as separate
topics.

> My falsifiable claim: any inter-machine
> "partitioning" protocol does not enhance
> any actual security.  These kinds of
> unpartitionable data-capabilities implement
> the most capability security that can be
> implemented in the distributed context.
> Machines cannot be confined.

I believe that this argument is false.  There is a level of abstraction at
which it is true, but there is a fallacy embedded within it.

Consider a non-distributed capability system such as EROS.  To most of the
software on the machine, capabilities are opaque.  To the kernel, they are
directly manipulatable and their representation as bits is manifest.  This
is okay because the kernel is trusted software.

To implement a distributed, user-opaque version of this system, we need:

1. A mechanism for suitably encrypted communication between the two kernels
over the otherwise open network.  This is straightforward; the problem is
merely where the keys should be stored.
2. A mechanism for secure bootstrap of those kernels.
3. A mechanism by which one machine may verify that the other's kernel is
trusted.

The last two problems can be solved by use of a number of hardware add-in
cards.

Therefore, I believe that MarkM's claim is flawed.  The flaw lies in the
presumption that no software can be trusted, and that if it could there is
no means to assure that the software is running on real hardware.

Jonathan S. Shapiro, Ph. D.
IBM T.J. Watson Research Center
Email: shapj@us.ibm.com
Phone: +1 914 784 7085  (Tieline: 863)
Fax: +1 914 784 7595
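The three mechanisms listed in the message (an encrypted channel whose keys live in hardware, a secure bootstrap, and a way for one kernel to verify that the other is trusted) fit together in a single attestation exchange. The following is an added example, not code from the message or from EROS: it models the hardware add-in card as an extend-only measurement register plus an attestation key, replays a secure boot, and has a verifier challenge the peer with a nonce before deriving a channel key. All images, keys and names are constructed stand-ins, and the card key is a symmetric key shared by both cards, a simplification of the per-device asymmetric key a real card would hold.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed stand-ins for boot-chain components. A real system measures
# the actual bootloader and kernel images.
BOOTLOADER = b"bootloader-image (constructed)"
GOOD_KERNEL = b"trusted-kernel-image (constructed)"
TAMPERED_KERNEL = b"trusted-kernel-image (constructed) + patched capability checks"

# Stand-in for the attestation key provisioned into the hardware add-in card.
# A real card holds a per-device asymmetric key; a symmetric key shared by
# both cards is the simplest model that runs offline.
CARD_KEY = hashlib.sha256(b"constructed-card-provisioning-secret").digest()

RESET_VALUE = bytes(32)  # measurement register value at power-on


def extend(register: bytes, component: bytes) -> bytes:
    """Extend-only update: new = H(old || H(component)).
    A component can be appended to the boot record but never removed."""
    return hashlib.sha256(register + hashlib.sha256(component).digest()).digest()


def expected_measurement(components) -> str:
    """Replay a boot chain the verifier trusts to get the value it expects."""
    reg = RESET_VALUE
    for c in components:
        reg = extend(reg, c)
    return reg.hex()


# Verifier's allowlist: measurements of boot chains that end in a trusted kernel.
TRUSTED_MEASUREMENTS = {expected_measurement([BOOTLOADER, GOOD_KERNEL])}


@dataclass
class Quote:
    nonce: bytes       # verifier's challenge; binds the quote to this exchange
    measurement: str   # hex value of the card's register after boot
    mac: bytes         # card's authentication over (nonce || measurement)


class HardwareCard:
    """Models the add-in card: records what booted and vouches for it."""

    def __init__(self):
        self.register = RESET_VALUE

    def measure_boot(self, components) -> None:
        for c in components:
            self.register = extend(self.register, c)

    def quote(self, nonce: bytes) -> Quote:
        mac = hmac.new(CARD_KEY, nonce + self.register, "sha256").digest()
        return Quote(nonce, self.register.hex(), mac)


def verify_quote(quote: Quote, nonce: bytes) -> bool:
    """Verifier side: fresh nonce, authentic card, trusted kernel image."""
    if not hmac.compare_digest(quote.nonce, nonce):
        return False  # replayed quote from an earlier exchange
    expected_mac = hmac.new(CARD_KEY, nonce + bytes.fromhex(quote.measurement),
                            "sha256").digest()
    if not hmac.compare_digest(quote.mac, expected_mac):
        return False  # not produced by a provisioned card
    return quote.measurement in TRUSTED_MEASUREMENTS


def attested_session(peer_boot_chain):
    """Run the exchange: challenge, quote, verify, then derive a channel key.
    Returns the session key, or None if the peer kernel is not trusted."""
    verifier_nonce = os.urandom(16)
    peer_card = HardwareCard()
    peer_card.measure_boot(peer_boot_chain)
    q = peer_card.quote(verifier_nonce)
    if not verify_quote(q, verifier_nonce):
        return None
    # Both cards can derive this key; only a trusted kernel reaches this point.
    return hmac.new(CARD_KEY, b"channel" + q.nonce + bytes.fromhex(q.measurement),
                    "sha256").digest()


if __name__ == "__main__":
    print("good kernel :", attested_session([BOOTLOADER, GOOD_KERNEL]) is not None)
    print("tampered    :", attested_session([BOOTLOADER, TAMPERED_KERNEL]) is not None)
```

The checks in `verify_quote` are ordered so that a captured quote replayed under a new nonce, a quote from an unprovisioned card, and a genuine quote from a kernel not on the allowlist each fail for a distinct reason; the extend-only register is what makes the measurement order-sensitive and prevents a component from being dropped from the record after the fact.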