the cost of complexity (was: Re: [E-Lang] Java 2 "Security" (was: Re: Welcome ChrisSkalkaand ScottSmith of Johns Hopkins))
Fri, 26 Jan 2001 09:00:47 -0500
Mark S. Miller wrote:
> At 07:50 AM Wednesday 1/24/01, Jonathan S. Shapiro wrote:
>> may feel that ACLs are a bad protection model, but it is inarguable that we
>> can specify their behavior and enforce the specification.
> As you know, and I believe agree with,
> http://www.erights.org/elib/capability/conspire.html disputes that the ACL
> security model can be enforced.
> Of the subset of ACLs that can be enforced, the only part of that subset not
> expressible in capabilities that's been identified is the one Ralph Hartley
> pointed out, also explained on that page.
That is a counter example not an exhaustive list. When you make a
statement like "this proves there is no X", and I reply "but here is an
X", you are not justified in saying "this proves there is only one X". A
"proof" of a proposition with a known counter example is like an OS with
a known security hole; one is enough, but there is never just one.
I still think the best example of an enforceable non transferable power
is one that you dismissed as not computational enough. Mary wishes to
allow Bob to sleep with her, she does not want to sleep with Mallet,
even if Bob want's her to. This does have a computational equivalent.
Mary wants to allow the program Bob to run in a sealed box whenever Bob,
who also runs on the outside, makes a request, she does not want to let
mallet do that. Bob's identity can be proven by a signature, and he
can't take anything from mallet with him into the box.
Another example is a life estate. Mary wants to allow Bob to do
something as long as Bob lives. Bob is permitted to transfer the power
during his lifetime, so running a message laundry does not violate the
rule. Assuming Mary has a reliable way to know that messages actually
come from Bob (cryptographic signatures can be given away or stolen so
they are not reliable), Bob has no way to give Mallet the right in a way
that will survive him. Programs, processes, connections etc. do die.
A more concrete example would be where Bob is defined as the entity on
the other end of a connection. Mary wants to give out a power that only
lasts as long as that connection. She could issue a capability that is
revoked when the connection closes IF she is sure she will be notified.
If the underlying protocol identifies the connection a message comes
from but gives no notice when a connection closes ...
The bottom line. ACLs can enforce things capabilities cannot if and only
if there exist verifiable identities that really matter. Since ACLs are
based on identity this should not be a surprise.