[cap-talk] Re: [e-lang] Introducing Emily, "...capabilities are useless too..."

Constantine Plotnikov cap at isg.axmor.com
Wed Mar 1 08:05:36 EST 2006


Jed at Webstart wrote:
>
>> If a task is not solvable in general, it does not mean that it cannot 
>> be solved in some particular case. And if we are solving the problem 
>> in a particular case, it is better to have some foundation problems like 
>> capability confinement and exception data leaks solved.
>>
> #2.  I won't explicitly address the above means to prevent covert 
> channels except to say that given the history of analysis of covert 
> channels I'm somewhat skeptical of such efforts. 
There are scenarios in which it is possible to make the cost of covert 
channels very high. Let's say we have some analytical program that 
evaluates some tradeable item and gives one of three results:
- item is suitable
- item is not suitable
- item evaluation failed.

If we want to allow one party to run this program, but we do not want 
that program to leak data to the originating party, we could do the 
following:
1. Install the program on a computer disconnected from the network in an 
electromagnetically and sound-shielded bunker, and use a fully charged cell 
as the power source.
2. Run the program. If the charged cell is fully used before the calculation 
is completed or if some fixed timeout passes, consider the result to be "item 
evaluation failed".
3. Write the result on a piece of paper.
4. Send the result by email the next morning.
5. Discharge the cell completely and start charging it on the next day. Also 
a good idea is to destroy the computer afterwards just in case ;).

This would raise the cost of creating a covert channel quite high, so the 
task might be solved in the sense of trade-offs.
>
> #3.  My main reason for writing is to dispute this statement:
>
>> Also, if we extend your argument, capabilities are useless too, 
>> because capabilities do not limit authority exchange in the presence of 
>> covert channels. If we have a bidirectional covert channel, we can just 
>> forward requests to capabilities on the other end by proxying.
>
> I hope in the above you are meaning that capabilities are useless too 
> <in preventing communication through covert channels> vs. being 
> useless in general.  
The qualifier is indeed missing here, but it is another qualifier. I 
meant "... capabilities are useless for giving meaningful guarantees 
about the authority graph in the system in the presence of covert channels". 
Note that I do not believe that capabilities are useless for this task; 
they give some guarantees, but these guarantees just are not absolute.

The statement is a reply to the following text from David Wagner in one 
of the previous emails in the thread:
> I'd prefer a system where programmers can reason about their code and we
> can make some meaningful guarantees.  If we can't make any guarantees,
> or if we're just going to kludge up something that will only slow an
> attacker down for a few minutes, we can do that without inventing a new
> programming language.
The phrase was used here to indicate what I believe is wrong with the 
paragraph above. This was just a part of an ad absurdum argument.

Constantine
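An added illustration of the proxying argument quoted above (not code from the thread or from any of its participants): a toy capability system in Python where a reference-graph audit reports that component B holds no capability to the secret, yet B obtains it because A forwards requests over a shared two-way channel. The classes, the in-process queue standing in for the channel and the secret value are all constructed for this example.

```python
from collections import deque
class SecretReader:
    """Capability object: holding a reference to it is the only way to read the secret."""
    def __init__(self, secret: str) -> None:
        self._secret = secret
    def read(self) -> str:
        return self._secret

class Channel:  # constructed stand-in for a bidirectional covert channel (two queues)
    def __init__(self) -> None:
        self.b_to_a, self.a_to_b = deque(), deque()

class ComponentA:
    """Holds the capability and, as the thread describes, proxies requests over the channel."""
    def __init__(self, reader: SecretReader, chan: Channel) -> None:
        self.reader, self.chan = reader, chan
    def serve_once(self) -> None:
        if self.chan.b_to_a and self.chan.b_to_a.popleft() == "read":
            self.chan.a_to_b.append(self.reader.read())

class ComponentB:
    def __init__(self, chan: Channel) -> None:
        self.chan = chan  # B was never handed a SecretReader; it only shares the channel
    def ask(self) -> None:
        self.chan.b_to_a.append("read")
    def receive(self) -> str:
        return self.chan.a_to_b.popleft()

def reachable_types(root) -> set:
    """Reference-graph audit: every type reachable from root via attributes or containers."""
    seen, stack, types = set(), [root], set()
    while stack:
        obj = stack.pop()
        if id(obj) in seen:
            continue
        seen.add(id(obj))
        types.add(type(obj))
        stack.extend(vars(obj).values() if hasattr(obj, "__dict__") else [])
        if isinstance(obj, (deque, list, tuple)):
            stack.extend(obj)
    return types

def demo():
    chan = Channel()
    a = ComponentA(SecretReader("constructed-secret"), chan)  # constructed sample value
    b = ComponentB(chan)
    audit_says_b_can_read = SecretReader in reachable_types(b)  # False: no reference path
    b.ask()          # B's request crosses the channel ...
    a.serve_once()   # ... and A forwards it to the capability only A holds
    return audit_says_b_can_read, b.receive()
```

The audit's guarantee is not worthless, just not absolute: B gets exactly what A's code chooses to forward, so reviewing A (the holder of the capability) is where the remaining assurance comes from.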