[E-Lang] [EROS-Arch] Re: Interaction Design for End-User Security

Bill Frantz frantz@pwpconsult.com
Tue, 10 Apr 2001 12:53:24 -0700


At 8:18 AM -0700 4/10/01, Karp, Alan wrote:
>"Karp, Alan" <alan_karp@hp.com> writes:
>> >    >Revoking capabilities does require a proxy service, yes, and that
>> >    >proxy service can retain records of which proxies are created for
>> >    >whom.
>> >
>> > This approach doesn't sound scalable.  Doesn't it require a proxy per
>> > capability per process, at least in the most general case?
>>
>> It requires at least one proxy capability per capability per
>> compartment.  There could be any number of processes in a compartment.
>>
>> Each proxy capability should probably be implemented with a separate
>> proxy.
>>
>
>So, all processes in the compartment have the same privileges.  Isn't that
>an issue for enforcing least privilege?

I would say that all processes in this kind of compartment share the same
revocation policy for objects introduced from outside the compartment.
They can (and should) still use capability discipline with each other to
follow the principle of least privilege.

Cheers - Bill


-------------------------------------------------------------------------
Bill Frantz       | Microsoft Outlook, the     | Periwinkle -- Consulting
(408)356-8506     | hacker's path to your      | 16345 Englewood Ave.
frantz@netcom.com | hard disk.                 | Los Gatos, CA 95032, USA
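The arrangement discussed in the thread, as an added illustration that is not code from the list or from E/EROS: a caretaker-style revocable proxy, a proxy service that records one proxy per capability per compartment (so one revocation cuts off every process in that compartment), and attenuation between processes inside the compartment standing in for capability discipline. JavaScript closures stand in for E objects; all names and the sample file object are assumed for the example.

```javascript
// Wrap `target` in a forwarder that delegates every method until revoked.
function makeRevocable(target) {
  let live = target;
  const forwarder = {};
  for (const name of Object.keys(target)) {
    forwarder[name] = (...args) => {
      if (live === null) throw new Error(`revoked: ${name}`);
      return live[name](...args);
    };
  }
  return { forwarder, revoke: () => { live = null; } };
}

// The proxy service keeps records of which proxies were issued to which
// compartment, so all of a compartment's outside objects can be revoked at once.
function makeProxyService() {
  const issued = new Map(); // compartment -> [{ target, revoke }]
  return {
    grant(compartment, target) {
      const { forwarder, revoke } = makeRevocable(target);
      if (!issued.has(compartment)) issued.set(compartment, []);
      issued.get(compartment).push({ target, revoke });
      return forwarder; // the compartment only ever holds the proxy
    },
    revokeCompartment(compartment) {
      const entries = issued.get(compartment) || [];
      entries.forEach((e) => e.revoke());
      issued.delete(compartment);
      return entries.length; // number of proxies cut off
    },
  };
}

// Inside a compartment, processes still attenuate what they hand each other.
const readOnlyFacet = (cap) => ({ read: cap.read });

// Constructed scenario: two processes in compartment "hr" share one proxied file.
function scenario() {
  const file = { read: () => 'payroll', write: (v) => `wrote ${v}` };
  const svc = makeProxyService();
  const procA = svc.grant('hr', file);       // process A receives the proxy
  const procB = readOnlyFacet(procA);        // A passes B only a read facet
  const before = [procA.write('x'), procB.read(), 'write' in procB];
  const count = svc.revokeCompartment('hr'); // shared revocation policy
  const after = [procA, procB].map((c) => {
    try { c.read(); return 'ok'; } catch (e) { return 'revoked'; }
  });
  return { before, count, after };
}
```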