the cost of complexity (was: Re: [E-Lang] Java 2 "Security" (was: Re: Welcome ChrisSkalkaand ScottSmith of Johns Hopkins))

Jonathan S. Shapiro
Wed, 24 Jan 2001 12:11:38 -0500

> As you know, and I believe agree with,
> disputes that the ACL
> security model can be enforced.

I know that the page says this. I dispute that it is true.

Since we are engaged in a discussion about mechanisms vs. policies, we need
to speak very precisely here. The ACL *mechanism* is perfectly enforceable.
It says merely that we can tag processes with some form of tag, and we can
tag objects with pattern matchers such that a process must (or must not)
have tag X in order for operation Y to proceed. This mechanism is perfectly
clear and perfectly enforceable.

The failure of ACLs is a failure of policy, not of mechanism. The policy
failure arises when we notice that stopping processes tagged with tag X from
*directly* performing an operation does not prevent that process from
*indirectly* performing an operation. Note, however, that this is NOT a
failure of the ACL mechanism. The ACL mechanism never claimed to stop such
behavior, just as the capability mechanism never claimed to stop such

The true problem with the discussion about ACLs (both ours and also the
popular dialog) is that it conflates two completely distinct things: a
mechanism that works (but appears to be useless, insofar as it does not
enable support of any security policies that we desire) and a policy that is
demonstrably unenforceable. In the future, when speaking about ACLs, we need
to clearly distinguish between discussion of the desired (but unenforceable)
policy that user X will not obtain access to object Y, and the mechanism
that *subject* X will not *directly* gain access to object Y.

However, we should not neglect the possibility that there are enforceable
policies that can be constructed more efficiently using ACLs (possibly
assisted by capabilities) than they can be using capabilities alone. Systems
enforcing MLS appear to be an example of such a case. Note that unlike
preventing users from gaining access, proxies across a compartment boundary
through a mediated interface are not possible.