Linux, IRIX, and "POSIX Capabilities"

Mark S. Miller
Sun, 07 Nov 1999 16:59:59 -0800

At 01:50 PM 11/7/99 , Ka-Ping Yee wrote:
>(mathematically-proven) operating system out there, which surprised
>me because i thought that EROS was the only one; he cited SCOMP.

I don't think mathematical proof is either necessary or sufficient for A1.  Based on the similarities between EROS & KeyKOS and on KeyKOS's experience with attempting to get a security certification, I would expect that a B3 level system could be built on EROS without changing the kernel.  However, to make it from there to A1, I think the whole system would have to be rewritten by programmers with security clearance.

I'm sure others on the list can give a much more accurate summary of the issues.

>Do we even need a new word for "capability"?

Back when we had similar terminological abuse by Netscape, I found the idea of a new term appealing.  After all, besides the trespassing issue, I just don't think "capability" is a great name for the concept.  I originally grabbed "" thinking that "erights" was a good alternate term.  However, when trying to write using the new coinage, the cost of cutting ourselves off from our history was too great.  Would we say "KeyKOS is a capability system, which we now call 'erights'." or "KeyKOS is an erights system, but in its historical documents, 'erights' were called 'capabilities'."?  Better to just keep using our word in a way consistent with its history, try to get the abusers on the defensive, and outlast them.  We seem to have outlasted Netscape's abuse.

When we need to, so to speak, introduce new terminology, we can refer to "our" capabilities as "capabilities in the technical sense", whereas "Posix capabilities", like "Netscape capabilities", are "capabilities in a marketing sense".

(At the site, I have now given up on trying to rename capabilities.  A capability is a capability.  An eright is a kind of right that can be securely transferred through ERTP.  This latter needed a name anyway, and "eright" fits it perfectly.  Capabilities are not assayable, erights are.  Yes, erights are built from nothing but capabilities -- the assayability happens at a higher level of abstraction.)

How shall we put the abusers on the defensive?  Besides using crit, I notice that most of Ping's URLs lead to email archives.  I would guess that most of the corresponding lists are open subscription.  Shall we divide 'em up?  Any volunteers?  

But this is only a battle.  The only way to win the war is to succeed at explaining to people why they should want capabilities rather than privileges.  I think showing how privileges are vulnerable to Confused Deputy would be a great place to start.

>more serious now that the Linux people and the SGI
>security people are both using this term, and that they seem to be
>the only ones really working on a major operating system security
>effort in the limelight these days.

This isn't a "major operating system security effort".  This is a major "let's patch some holes in Unix" effort.  Perhaps some of the people doing this would agree.  If Casey thought it was a major security effort, I doubt he would have said "hey, we need some security guys".  This means they know that they are not security guys.  This is cause for much hope.

>I think it's important to stay in touch with Casey.

Feel free to forward this message to him, or otherwise as you feel appropriate.
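The Confused Deputy that the message proposes as the starting argument, worked as an added example (not part of this thread): a "compiler" deputy that must append a billing record and also write the caller's output. With privilege-style ambient authority the deputy writes wherever the caller names, so a caller who names the billing file corrupts it; with capabilities the caller can only hand over a capability it holds, so the billing file cannot even be designated. The in-memory store, paths, and function names are constructed for illustration.

```python
# Constructed in-memory "filesystem": path -> contents. No real files are touched.
BILLING = "/var/billing"          # only the deputy should ever write here
ALICE_OUT = "/home/alice/out"     # the caller's own output file


class Store:
    def __init__(self):
        self.files = {BILLING: "", ALICE_OUT: ""}

    def append(self, path, data):
        self.files[path] = self.files.get(path, "") + data


# --- Privilege model: the deputy holds the right to write anywhere (setuid-like).
def compile_with_privileges(fs, requested_output):
    fs.append(BILLING, "charge:1\n")       # the deputy's legitimate use of its privilege
    fs.append(requested_output, "binary\n")  # the SAME privilege is used on a caller-chosen name


def run_privileged(requested_output):
    fs = Store()
    compile_with_privileges(fs, requested_output)
    return fs.files


# --- Capability model: authority and designation travel together as one object.
class FileCap:
    """Unforgeable handle that grants append access to exactly one path."""
    def __init__(self, fs, path):
        self._fs, self._path = fs, path

    def append(self, data):
        self._fs.append(self._path, data)


def compile_with_capabilities(billing_cap, output_cap):
    billing_cap.append("charge:1\n")   # deputy's own authority
    output_cap.append("binary\n")      # caller's authority, supplied by the caller


def run_capability(caller_holds, requested_name):
    """caller_holds: set of paths the caller was granted capabilities for."""
    fs = Store()
    billing_cap = FileCap(fs, BILLING)                      # held only by the deputy
    wallet = {p: FileCap(fs, p) for p in caller_holds}      # the caller's capabilities
    output_cap = wallet.get(requested_name)                 # no cap -> cannot designate it
    if output_cap is None:
        return None                                          # request is simply unexpressible
    compile_with_capabilities(billing_cap, output_cap)
    return fs.files
```

`run_privileged(BILLING)` shows the billing file receiving the caller's output, while `run_capability({ALICE_OUT}, BILLING)` returns `None` because the caller holds no capability to the billing file.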