Linux, IRIX, and "POSIX Capabilities"

Ka-Ping Yee ping@lfw.org
Sun, 7 Nov 1999 17:47:39 -0800 (PST)


On Sun, 7 Nov 1999, Mark S. Miller wrote:
> 
> I don't think mathematical proof is either necessary or sufficient for A1.
[...]
> 
> I'm sure others on the list can give a much more accurate summary of the
> issues.

Yes, please.  I'm curious about SCOMP, if anyone knows what it is.
All i heard was that it was used as a reference so that they
could show that A1 was an achievable level.

> How shall we put the abusers on the defensive?  Besides using crit,
> I notice that most of Ping's URLs lead to email archives.  I would
> guess that most of the corresponding lists are open subscription.
> Shall we divide 'em up?  Any volunteers?  

I think the most important place to start would be the linux-kernel
mailing list.  But i know next to nothing about the kernel, and would
have little to contribute other than dissension (see next paragraph).

> But this is only a battle.  The only way to win the war is to succeed
> at explaining to people why they should want capabilities rather than
> privileges.

Indeed.  But what the Linux folk are faced with is a huge
installed-base problem that we don't have.  That's why i asked
the question of whether it is possible to get there (capabilities)
from here (Linux) in my last message.  The problem they are trying
to solve is to improve security while maintaining compatibility
with all this Unix stuff.  Is it possible to solve this problem?
Is it possible to construct an abstraction that will move Linux
security in a capabilities direction while presenting a mostly
familiar interface to most Unix tools?  For example, for programs
to work with Unix pipes rather than filenames on the command line
is a big step forward.  This is the really important question,
and i would really like to solicit some opinions and deep thinking
on this issue from all of you guys.

If there is no good solution, then we can't really provide any
help to the linux-kernel people, and might as well not go around
pretending that we can.  (We could still fight on the terminology
issue, but if we can't actually contribute anything useful we
are much more likely to be ignored.)

> I think showing how privileges are vulnerable to Confused Deputy
> would be a great place to start.

Agreed, it would be a worthwhile exercise.  After that, what?
If we don't provide people with a way out, or some sort of alternative
direction to go in, they will probably just throw up their hands and
say "oh, well" and go on with what they're doing.

> This isn't a "major operating system security effort".  This is a
> major "let's patch some holes in Unix" effort.  Perhaps some of the
> people doing this would agree.

I meant that it is "major" in the sense that it seems to be the
ongoing security development effort to which the most attention is
currently being paid, or where a lot of attention will potentially
soon be focused.  In short, "major" in terms of mindshare, if you
will, which makes it very important.  This is one of those rare
cases where operating system design is taking place out in the open,
and anyone can observe the progress of the discussion and even
participate, as long as he or she is polite.

We're talking about the core security model of possibly the next
dominant server operating system here.  Undoubtedly the security
model will come under attack from Microsoft and others, but clearly
there is a lot of hype around Linux and it will attract plenty of
experts and mischief-makers alike.

> If Casey thought it was a major
> security effort, I doubt he would have said "hey, we need some
> security guys".  This means they know that they are not security guys.
> This is cause for much hope.

I believe that he thinks of himself and his team as a group of
security guys.  He knows a lot more context than i do (and i
don't really consider myself a security guy... more of an
enthusiast, i suppose).  He just seems to have the view that
more perspectives are better than one, and i think he respected
the argument i made about the co-operating conspirators.  I did
see cause for hope in that he understood it so quickly.



-- ?!ng
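The message above makes two technical points that are easier to see in code than in prose: that a deputy which accepts filenames and opens them with its own authority is exposed to the Confused Deputy problem, and that having programs work with already-open pipes or descriptors rather than names is a step toward capabilities. The following is an added illustration, not code from the list or from any of the participants. It models the caller's authority with a constructed allow-list rather than by switching uids, so it runs unprivileged; the file names and contents are constructed sample data.

```python
import os
import tempfile

# Constructed sandbox: one file the caller may read, one it may not.
_dir = tempfile.mkdtemp()
CALLER_FILE = os.path.join(_dir, "caller_file.txt")
SECRET_FILE = os.path.join(_dir, "secret.txt")
with open(CALLER_FILE, "w") as f:
    f.write("caller's own data\n")
with open(SECRET_FILE, "w") as f:
    f.write("secret the caller must not see\n")

# The caller's authority, modelled as an allow-list. This stands in for the
# kernel's permission check; the example does not change user ids.
CALLER_MAY_OPEN = {CALLER_FILE}


def caller_open(path):
    """Open a file using only the caller's own authority."""
    if path not in CALLER_MAY_OPEN:
        raise PermissionError(path)
    return os.open(path, os.O_RDONLY)


def deputy_by_name(path):
    """Privilege-style deputy: accepts a name and opens it with the deputy's
    ambient authority. The caller only designates; the deputy supplies the
    authority, which is exactly the Confused Deputy pattern."""
    with open(path) as f:
        return f.read()


def deputy_by_fd(fd):
    """Capability-style deputy: accepts an already-open descriptor, the way a
    filter reads from a pipe. Designation and authority arrive together, so the
    deputy can only ever read what the caller was able to open."""
    with os.fdopen(fd) as f:
        return f.read()


def run_scenarios():
    """Exercise both deputies and report whether the secret leaks."""
    results = {}
    # Name-based: the caller names the secret and the deputy obediently opens it.
    results["name_leaks_secret"] = "secret" in deputy_by_name(SECRET_FILE)
    # Descriptor-based: the caller must open the file itself first, and cannot.
    try:
        fd = caller_open(SECRET_FILE)
        results["fd_leaks_secret"] = "secret" in deputy_by_fd(fd)
    except PermissionError:
        results["fd_leaks_secret"] = False
    # Descriptor-based still works for files the caller legitimately holds.
    results["fd_serves_own_file"] = "caller" in deputy_by_fd(caller_open(CALLER_FILE))
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

The point of the descriptor-based version is not that it checks more carefully, but that it has nothing to check: an open descriptor is both the designation of the file and the permission to read it, so there is no separate authority for the deputy to be confused about. That is why replacing command-line filenames with pipes moves a tool in the capabilities direction without changing its interface much.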