Communicating Conspirators
Mark S. Miller
markm@caplet.com
Thu, 18 Nov 1999 14:32:07 -0800
At 12:27 PM 11/18/99, shapj@us.ibm.com wrote:
>However, we *can* specify and enforce policies in which *programs* are not
>permitted to transfer powers. In this sense the ACL mechanism is not
>fraudulent.
>
>I think that the philosophical problem with ACLs is not that they describe
>unenforceable policies (they do not),
Given your PhD thesis http://www.eros-os.org/papers/shap-thesis.ps , I am
especially confused to hear you say this. (It must mean I misunderstood
your thesis.)
The only means I know of, or that you and I have ever discussed, for
preventing programs from transferring powers is confinement. The
anti-transfer policies confinement makes possible are expressed and enforced
well with capabilities. I thought your thesis demonstrates that these same
policies are neither expressible nor enforceable within an ACL system. I
continue to know of no technology which would make the anti-transfer
policies expressible by ACL enforceable, and I think I know abstract reasons
(repeated several times in this thread) why, within the computational realm,
no technology could enforce those policies.
If you know of a way to enforce the policies ACLs express, just among
programs, I'd love to hear about it.
Note: Your MLS challenge may point at non-confinement-like ways to prevent
programs from transferring powers. We await your response to Hal's response
to your challenge. However, this is still not remotely like the kinds of
policies ACLs can express.
Cheers,
--MarkM