Split Capabilities: Making Capabilities Scale
Jonathan S. Shapiro
shap@eros-os.org
Tue, 25 Jul 2000 11:35:33 -0400

> > This point raises an interesting question. Knowing that an operation is
> > possible makes a certain class of attacks possible. Hence, we want to
> > institute a policy of least information.
>
> Umm ... security that relies on people not knowing things is generally
> bad - your threat model should generally assume that the attacker is in
> full possession of the facts about the system (after all, he wrote it,
> didn't he?).

Alan's comment does indeed sound like security by obscurity, unless we mean
"unknown" in some mathematical sense (as with random numbers).

The one thing we know conclusively about security by obscurity is that it
has never ever ever worked.

shap