• Messages sorted by: [ date ][ thread ][ subject ][ author ] [ Next ]
• [ Previous ] In reply to: Mark S. Miller Next in thread: Mark S. Miller

As promised, here is the "more later." I'm taking various bits as separate topics.

> My falsifiable claim: any inter-machine
> "partitioning" protocol does not enhance
> any actual security. These kinds of
> unpartitionable data-capabilities implement
> the most capability security that can be
> implemented in the distributed context.
> Machines cannot be confined.

I believe that this argument is false. There is a level of abstraction at which it is true, but there is a fallacy embedded within it.

Consider a non-distributed capability system such as EROS. To most of the software on the machine, capabilities are opaque. To the kernel, they are directly manipulatable and their representation as bits is manifest. This is okay because the kernel is trusted software.

To implement a distributed, user-opaque version of this system, we need:

1. A mechanism for suitably encrypted communication between the two kernels over the otherwise open network. This is straightforward; the problem is merely where the keys should be stored.
2. A mechanism for secure bootstrap of those kernels.
3. A mechanism by which one machine may verify that the other's kernel is trusted.

The last two problems can be solved by use of a number of hardware add-in cards.

Therefore, I believe that MarkM's claim is flawed. The flaw lies in the presuption that no software can be trusted, and that if it could there is no means to assure that the software is running on real hardware.

Jonathan S. Shapiro, Ph. D.
IBM T.J. Watson Research Center
Email: shapj@us.ibm.com
Phone: +1 914 784 7085 (Tieline: 863)
Fax: +1 914 784 7595

[ Next ]
• [ Previous ] In reply to: Mark S. Miller Next in thread: Mark S. Miller