the cost of complexity (was: Re: [E-Lang] Java 2 "Security" (was: Re: Welcome Chris Skalka and Scott Smith of Johns Hopkins))

Ralph Hartley hartley@aic.nrl.navy.mil
Fri, 26 Jan 2001 09:00:47 -0500


Mark S. Miller wrote:

> At 07:50 AM Wednesday 1/24/01, Jonathan S. Shapiro wrote:
> 
>> You
>> may feel that ACLs are a bad protection model, but it is inarguable that we
>> can specify their behavior and enforce the specification.
> 
> As you know, and I believe agree with, 
> http://www.erights.org/elib/capability/conspire.html disputes that the ACL 
> security model can be enforced.  
> 
> Of the subset of ACLs that can be enforced, the only part of that subset not 
> expressible in capabilities that's been identified is the one Ralph Hartley 
> pointed out, also explained on that page.

That is a counter example not an exhaustive list. When you make a 
statement like "this proves there is no X", and I reply "but here is an 
X", you are not justified in saying "this proves there is only one X". A 
"proof" of a proposition with a known counter example is like an OS with 
a known security hole; one is enough, but there is never just one.

I still think the best example of an enforceable non-transferable power 
is one that you dismissed as not computational enough. Mary wishes to 
allow Bob to sleep with her; she does not want to sleep with Mallet, 
even if Bob wants her to. This does have a computational equivalent. 
Mary wants to allow the program Bob to run in a sealed box whenever Bob, 
who also runs on the outside, makes a request; she does not want to let 
Mallet do that. Bob's identity can be proven by a signature, and he 
can't take anything from Mallet with him into the box.

Another example is a life estate. Mary wants to allow Bob to do 
something as long as Bob lives. Bob is permitted to transfer the power 
during his lifetime, so running a message laundry does not violate the 
rule. Assuming Mary has a reliable way to know that messages actually 
come from Bob (cryptographic signatures can be given away or stolen so 
they are not reliable), Bob has no way to give Mallet the right in a way 
that will survive him. Programs, processes, connections etc. do die.

A more concrete example would be where Bob is defined as the entity on 
the other end of a connection. Mary wants to give out a power that only 
lasts as long as that connection. She could issue a capability that is 
revoked when the connection closes IF she is sure she will be notified. 
If the underlying protocol identifies the connection a message comes 
from but gives no notice when a connection closes ...

The bottom line: ACLs can enforce things capabilities cannot if and only 
if there exist verifiable identities that really matter. Since ACLs are 
based on identity this should not be a surprise.

Ralph Hartley
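The connection-scoped power described in the message, as an added illustration that is not part of the original post: Mary hands Bob a revocable forwarder (the caretaker pattern) whose revocation is wired to the connection's close notification, and the example also shows the failure mode the message warns about, where no close notice ever arrives. The `Caretaker`, `Connection` and `grant_for_connection` names and the doubling "power" are constructed for this example.

```python
class Revoked(Exception):
    """Raised when a revoked forwarder is invoked."""


class Caretaker:
    """Forwarder Mary hands out instead of the raw power; can be cut off later."""

    def __init__(self, target):
        self._target = target

    def invoke(self, *args):
        if self._target is None:
            raise Revoked("power no longer valid")
        return self._target(*args)

    def revoke(self):
        self._target = None


class Connection:
    """Toy connection that may or may not notify listeners when it closes."""

    def __init__(self, peer, notifies_on_close=True):
        self.peer = peer
        self.is_open = True
        self._notifies = notifies_on_close
        self._on_close = []

    def on_close(self, callback):
        self._on_close.append(callback)

    def close(self):
        self.is_open = False
        if self._notifies:          # only a protocol that signals close can trigger revocation
            for callback in self._on_close:
                callback()


def grant_for_connection(power, conn):
    """Issue a capability that lasts exactly as long as `conn` does (if close is signalled)."""
    cap = Caretaker(power)
    conn.on_close(cap.revoke)
    return cap


def scenario(notifies_on_close):
    """Return (result while Bob's connection is open, result after it closes or None if revoked)."""
    secret_power = lambda x: x * 2              # Mary's underlying power (constructed stand-in)
    bob_conn = Connection("bob", notifies_on_close)
    cap = grant_for_connection(secret_power, bob_conn)
    before = cap.invoke(21)                     # Bob uses the power while alive
    mallet_copy = cap                           # Bob passes the forwarder on (a message laundry)
    bob_conn.close()                            # Bob's connection dies
    try:
        after = mallet_copy.invoke(21)          # Mallet tries to use it after Bob is gone
    except Revoked:
        after = None
    return before, after
```

With close notification the power dies with the connection; without it, the forwarder is never revoked and whoever Bob handed it to keeps using it.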