A couple of days ago I attended an SGI event to discuss SGI's directions and involvement in Linux systems. They are planning to sell Intel-based machines running Linux, with the SGI logo stamped on the box. They weren't very clear about the migration path they expect IRIX software to take, but they do seem to be very enthusiastic about Linux in general. They plan to contribute some big chunks of IRIX operating system technology to the Linux open-source effort, such as their journalling filesystem, XFS, and improvements to the TCP/IP stack which they claim can enhance web server performance by up to 10 times. IRIX 6.5 is under C2 evaluation, and Trusted IRIX 6.5 is under B1 evaluation.
I went to a session on "security in Linux" that morning, which was led by Casey Schaufler <casey@sgi.com>. He is leading the Linux security development effort, which includes plans to provide the TCB Definition and Audit Trail required for C2, and the Mandatory Access Control and Access Control List features required for B1 -- and "capabilities".
Of course, the mention of "capabilities" caught my attention immediately. It became clear that what he was talking about was not our understood meaning of "capability-based security" but rather "POSIX 1.e capabilities", which are really "privileges" but somehow got misnamed "capabilities" along the way (how awful!). Much to my dismay, I have discovered that the terminology collision is rampant, as in these documents:
"Capabilities done right" (Linux kernel mailing list) http://www.uwsg.indiana.edu/hypermail/linux/kernel/9905.2/0019.html
POSIX 1.e Summary
http://www.guug.de/~winni/posix.1e/
Casey told me that IRIX has had "capabilities" for some time, and this feature was announced as "capabilities" in IRIX 6.5:
"IRIX 6.5 Security Features", SGI Security Advisory http://csclub.stthomas.edu/~bugtraq/1999/msg00416.html
It was encouraging to see the following document start out by clearly defining the difference between capabilities and privileges -- but then it goes on to ignore its definition and call POSIX privileges "capabilities".
Linux Capability FAQ
http://www.uwsg.indiana.edu/hypermail/linux/kernel/9808.1/0643.html
ftp://ftp.guardian.no/pub/free/linux/capabilities/capfaq.txt
Similarly, the feature is entitled "linux-privs" by the following documentation -- but called "capabilities" throughout.
Linux-Privs Documentation
http://www.kernel.org/pub/linux/libs/security/linux-privs/doc/linux-privs.html/linux-privs-1.html
The library is called "libcap", and many of the symbols and constants start with "cap" or "CAP_".
A quick look at the linux-kernel mailing list shows lots and lots of messages about "capabilities".
http://www.progressive-comp.com/Lists/?l=linux-kernel&s=Capabilities+morgan
I went up to chat with Casey after his presentation, to discuss capabilities vs. privileges with him. Summary:
My conclusion is that he probably "got it" but that he's not as enthusiastic about the benefits of capabilities as we are; and he does think that ACLs and POSIX privileges "can work", so it's okay to go ahead that way. His colleague said that it sounded "weird" to be able to define your own security behaviour in terms of object behaviour -- but he definitely looked interested, and he had an encouragingly thoughtful expression on his face.
Casey seemed very open-minded and knowledgeable in general; he was quite happy to argue with me, and even said "hey, we need some security guys" (when I said, "even though I'd just argue with you?" he responded "all the better"). He had not heard of EROS, E, or KeyKOS before. I am planning to send him some references (please suggest some good ones, and a good way to present them!). At one point during his talk he mentioned that there exists an A1-level (mathematically-proven) operating system out there, which surprised me because I thought that EROS was the only one; he cited SCOMP.
Hmm. Perhaps an implementation of the confused deputy using POSIX privileges would convince him and the Linux-kernel folk. I don't know how they would solve the problem starting from where they are now, though. Maybe it's even impossible without starting over.
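The confused deputy mentioned above, sketched as an added illustration (not code from the original post, SGI, or the Linux kernel): a toy in-memory "filesystem" where a deputy holding an ambient write-override privilege can be steered into clobbering the billing record it is supposed to protect, while a deputy that acts only through handles it is handed cannot, because the caller holds no handle for the billing file. The store, paths and the unforgeability of FileCap are modelling assumptions.

```python
def fresh_store():
    # Constructed sample: a billing record the user must not be able to alter.
    return {"/billing": "acct: 0 jobs", "/home/user/out": ""}

OWNER = {"/billing": "system", "/home/user/out": "user"}

class Denied(Exception):
    pass

# --- POSIX-privilege style: the right is a property of the running program ---
def write_priv(store, subject, has_override, path, data):
    """Access check is 'may subject write path?', bypassed by an ambient override."""
    if OWNER[path] != subject and not has_override:
        raise Denied(path)
    store[path] = data

def deputy_priv(store, output_path):
    """Runs with the override privilege so it can record billing entries."""
    write_priv(store, "deputy", True, "/billing", "acct: 1 job")
    # Confusion: the deputy's own privilege is applied to a caller-chosen name.
    write_priv(store, "deputy", True, output_path, "compiled output")

def confused_deputy_with_privilege():
    store = fresh_store()
    deputy_priv(store, "/billing")   # user names the billing file as the output
    return store["/billing"]         # billing record has been overwritten

# --- capability style: the handle both names the object and carries the right ---
class FileCap:
    """Assumed unforgeable: a holder can only obtain one from whoever created it."""
    def __init__(self, store, path):
        self._store, self._path = store, path
    def write(self, data):
        self._store[self._path] = data

def deputy_cap(output_cap, billing_cap):
    """Holds no ambient privilege; writes only through handles it is given."""
    billing_cap.write("acct: 1 job")
    output_cap.write("compiled output")

def confused_deputy_with_capability():
    store = fresh_store()
    billing = FileCap(store, "/billing")   # deputy's private handle, never shared
    user_caps = {"/home/user/out": FileCap(store, "/home/user/out")}
    deputy_cap(user_caps["/home/user/out"], billing)   # legitimate use works
    try:
        deputy_cap(user_caps["/billing"], billing)     # no such handle to pass
    except KeyError:
        pass
    return store["/billing"]         # billing record still intact
```

The privileged deputy cannot tell a legitimate output name from the billing path because authority and designation arrive separately; the capability version has nothing to confuse, since the caller can only designate what it is already authorised to use.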
So... how to proceed? We have a potentially huge terminology battle on our hands. I'm guessing that some of you (Jonathan? Norm?) already know about POSIX 1.e privileges/"capabilities". Did you know of the extent of the terminology leakage? It would appear to be more serious now that the Linux people and the SGI security people are both using this term, and that they seem to be the only ones really working on a major operating system security effort in the limelight these days. I think it's important to stay in touch with Casey.
Do we even need a new word for "capability"?
"Don't worry about people stealing an idea. If it's original, you'll have to jam it down their throats."