[E-Lang] Re: Old Security Myths Continue to Mislead
Jonathan S. Shapiro
Mon, 6 Aug 2001 17:51:20 -0400
Some comments on Norm's two notes. I trust he will incorporate these into the
originals, thus I am not composing a new web page.
In the second section of ModCap3, you meant "Extensible Security" *section*, not
A case could be made that mediation by the OS is ineffective if capabilities
are cryptographic or sparse. This argument is wrong because of the
feasibility of proxying. The discussion could benefit by noting this.
The terms "simple capability system" and "unmodified capability system" are
used in the paper purely to emphasize the distinction from so-called
"modified capability systems". In response to your comments in ModCap, the
term "modified capability system" did *not* refer to introduction of a
factory-like mechanism. It referred to the introduction of orthogonal
protection. Boebert was concerned with the enforcement of MLS, and in the
absence of a factory-like mechanism he could not see that a KeySAFE-like
design was feasible.
A careful reading of the *-property paper (Boebert and Kain, the paper to
which Norm refers) reveals that they failed to distinguish data-read
authority from capability-read authority. In the absence of this
distinction, it is indeed true that read-up authority implies write-down
authority in a pure capability system (because you can read-up a writable
capability). Under this assumption, neither MLS nor confinement can be
I have always found it curious that Boebert made this assumption. The
distinction between the two operations was present in all of the real
capability systems going back as far as CAP and the Chicago Magic Number
machine, and Boebert knew of both efforts.
Karger, by the way, later claimed in his dissertation that capability
systems could not enforce confinement. A careful reading of his definitions
shows a terminology error. His definition of confinement is in fact the
*-property. Karger has acknowledged this minor error in the work.
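The data-read versus capability-read distinction discussed above, as an added example that is not part of this thread and not code from any real capability system (CAP, KeyKOS, EROS) or from the Boebert and Kain paper: a toy Python model of a two-level system in which a lower subject stores a writable capability in a segment the higher subject reads. With one undifferentiated "read" authority the higher subject fetches the capability and can write its secret down; with capability-read as a separate right, a data-read-only capability yields data alone and the leak does not occur. The segment and subject names, the rights vocabulary, the "cross-level access is data-only" policy, and the way the unmodified mode ignores the cap_read right are all simplifying assumptions of this example.

```python
"""Toy model of a two-level capability system, constructed for this example.
distinguish_cap_read=False models an 'unmodified' system where any read of a
segment also hands back the capabilities stored in it; True models a system
in which fetching capabilities needs a separate cap_read right.  All names,
rights and policy choices here are assumptions of the example."""
from dataclasses import dataclass, field

LOW, HIGH = 0, 1


@dataclass(frozen=True)
class Cap:
    """A capability names a segment and carries a set of rights."""
    segment: str
    rights: frozenset


@dataclass
class Segment:
    level: int
    data: list = field(default_factory=list)  # ordinary words
    caps: list = field(default_factory=list)  # capabilities stored in the segment


@dataclass
class Subject:
    name: str
    level: int
    holds: list = field(default_factory=list)  # the subject's c-list


class CapSystem:
    def __init__(self, distinguish_cap_read):
        self.distinguish = distinguish_cap_read
        self.segments = {}

    def _check(self, subject, cap, right):
        if cap not in subject.holds:
            raise PermissionError(f"{subject.name} holds no capability for {cap.segment}")
        if right not in cap.rights:
            raise PermissionError(f"capability for {cap.segment} lacks {right}")
        return self.segments[cap.segment]

    def read(self, subject, cap):
        """Return (data, caps); any fetched capabilities enter the subject's c-list."""
        seg = self._check(subject, cap, "data_read")
        if self.distinguish and "cap_read" not in cap.rights:
            fetched = []  # data-read authority does not reach the stored capabilities
        else:
            fetched = list(seg.caps)  # unmodified system: a read yields everything
        subject.holds.extend(fetched)
        return list(seg.data), fetched

    def write_data(self, subject, cap, word):
        self._check(subject, cap, "write").data.append(word)

    def write_cap(self, subject, cap, stored):
        if stored not in subject.holds:
            raise PermissionError(f"{subject.name} cannot store a capability it does not hold")
        self._check(subject, cap, "write").caps.append(stored)


def violates_star_property(subject, system):
    """True if the c-list lets the subject write below or read above its level."""
    for cap in subject.holds:
        lvl = system.segments[cap.segment].level
        if "write" in cap.rights and lvl < subject.level:
            return True
        if cap.rights & {"data_read", "cap_read"} and lvl > subject.level:
            return True
    return False


def write_down_scenario(distinguish_cap_read):
    """Return (secret_reached_low, high_c_list_violates_star_property)."""
    system = CapSystem(distinguish_cap_read)
    system.segments = {"low_seg": Segment(LOW), "high_seg": Segment(HIGH)}
    low, high = Subject("low", LOW), Subject("high", HIGH)

    # Initial distribution satisfies the *-property: LOW may write up into
    # high_seg, HIGH may read down from low_seg; cross-level access is data-only.
    low_own = Cap("low_seg", frozenset({"data_read", "cap_read", "write"}))
    low_write_up = Cap("high_seg", frozenset({"write"}))
    high_own = Cap("high_seg", frozenset({"data_read"}))
    high_read_down = Cap("low_seg", frozenset({"data_read"}))
    low.holds += [low_own, low_write_up]
    high.holds += [high_own, high_read_down]
    assert not violates_star_property(low, system)
    assert not violates_star_property(high, system)

    # 1. LOW stores a *writable* capability for its own segment up in high_seg.
    system.write_cap(low, low_write_up, low_own)
    # 2. HIGH reads high_seg; whether the stored capability comes back depends
    #    on whether data-read and capability-read are distinct authorities.
    _, fetched = system.read(high, high_own)
    # 3. HIGH writes its secret through any write capability it just obtained.
    for cap in fetched:
        if "write" in cap.rights:
            system.write_data(high, cap, "SECRET")
    # 4. LOW reads its own segment and checks for the secret.
    data, _ = system.read(low, low_own)
    return "SECRET" in data, violates_star_property(high, system)


if __name__ == "__main__":
    print("unmodified system:", write_down_scenario(False))
    print("cap_read distinct:", write_down_scenario(True))
```

The point the model makes is the one in the message: the initial c-lists satisfy the *-property in both runs, and the violation appears only because an undifferentiated read converts "read a segment" into "acquire the capabilities in it". Splitting capability fetch into its own right lets the policy grant data-read across levels without granting that conversion.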