Communicating Conspirators

Mark S. Miller markm@caplet.com
Thu, 18 Nov 1999 14:32:07 -0800


At 12:27 PM 11/18/99 , shapj@us.ibm.com wrote:
>However, we *can* specify and enforce policies in which *programs* are not
>permitted to transfer powers. In this sense the ACL mechanism is not
>fraudulent.
>
>I think that the philosophical problem with ACLs is not that they describe
>unenforceable policies (they do not), 

Given your PhD thesis http://www.eros-os.org/papers/shap-thesis.ps , I am 
especially confused to hear you say this.  (It must mean I misunderstood 
your thesis.)

The only means I know of, or that you and I have ever discussed, for 
preventing programs from transferring powers is confinement.  The 
anti-transfer policies confinement makes possible are expressed and enforced 
well with capabilities.  I thought your thesis demonstrates that these same 
policies are neither expressible nor enforceable within an ACL system.  I 
continue to know of no technology that would make the anti-transfer 
policies expressible by ACL enforceable, and I think I know abstract reasons 
(repeated several times in this thread) why, within the computational realm, 
no technology could enforce those policies.

If you know of a way to enforce the policies ACLs express, just among 
programs, I'd love to hear about it.

Note: Your MLS challenge may point at non-confinement-like ways to prevent 
programs from transferring powers.  We await your response to Hal's response 
to your challenge.  However, this is still not remotely like the kinds of 
policies ACLs can express.


         Cheers,
         --MarkM