Re: Linux, IRIX, and "POSIX Capabilities" Ka-Ping Yee (ping@lfw.org)
Sun, 7 Nov 1999 17:47:39 -0800 (PST)

On Sun, 7 Nov 1999, Mark S. Miller wrote:
>
> I don't think mathematical proof is either necessary or sufficient for A1.
[...]
>
> I'm sure others on the list can give a much more accurate summary of the
> issues.

Yes, please. I'm curious about SCOMP, if anyone knows what it is. All i heard was that it was used as a reference so that they could show that A1 was an achievable level.

> How shall we put the abusers on the defensive? Besides using crit,
> I notice that most of Ping's URLs lead to email archives. I would
> guess that most of the corresponding lists are open subscription.
> Shall we divide 'em up? Any volunteers?

I think the most important place to start would be the linux-kernel mailing list. But i know next to nothing about the kernel, and would have little to contribute other than dissension (see next paragraph).

> But this is only a battle. The only way to win the war is to succeed
> at explaining to people why they should want capabilities rather than
> privileges.

Indeed. But what the Linux folk are faced with is a huge installed-base problem that we don't have. That's why i asked the question of whether it is possible to get there (capabilities) from here (Linux) in my last message. The problem they are trying to solve is to improve security while maintaining compatibility with all this Unix stuff. Is it possible to solve this problem? Is it possible to construct an abstraction that will move Linux security in a capabilities direction while presenting a mostly familiar interface to most Unix tools? For example, for programs to work with Unix pipes rather than filenames on the command line is a big step forward. This is the really important question, and i would really like to solicit some opinions and deep thinking on this issue from all of you guys.

If there is no good solution, then we can't really provide any help to the linux-kernel people, and might as well not go around pretending that we can. (We could still fight on the terminology issue, but if we can't actually contribute anything useful we are much more likely to be ignored.)

> I think showing how privileges are vulnerable to Confused Deputy
> would be a great place to start.

Agreed, it would be a worthwhile exercise. After that, what? If we don't provide people with a way out, or some sort of alternative direction to go in, they will probably just throw up their hands and say "oh, well" and go on with what they're doing.

> This isn't a "major operating system security effort". This is a
> major "let's patch some holes in Unix" effort. Perhaps some of the
> people doing this would agree.

I meant that it is "major" in the sense that it seems to be the ongoing security development effort to which the most attention is currently being paid, or where a lot of attention will potentially soon be focused. In short, "major" in terms of mindshare, if you will, which makes it very important. This is one of those rare cases where operating system design is taking place out in the open, and anyone can observe the progress of the discussion and even participate, as long as he or she is polite.

We're talking about the core security model of possibly the next dominant server operating system here. Undoubtedly the security model will come under attack from Microsoft and others, but clearly there is a lot of hype around Linux and it will attract plenty of experts and mischief-makers alike.

> If Casey thought it was a major
> security effort, I doubt he would have said "hey, we need some
> security guys". This means they know that they are not security guys.
> This is cause for much hope.

I believe that he thinks of himself and his team as a group of security guys. He knows a lot more context than i do (and i don't really consider myself a security guy... more of an enthusiast, i suppose). He just seems to have the view that more perspectives are better than one, and i think he respected the argument i made about the co-operating conspirators. I did see cause for hope in that he understood it so quickly.
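The point made above about programs working with pipes rather than filenames, as an added illustration that is not part of the original message or thread: a deputy that opens a client-supplied filename with its own authority cannot tell a legitimate request from a confused-deputy one, whereas a deputy that receives an already-opened descriptor gets designation and authority together. The sandbox directory, the client's permission check and the file names are constructed for this example.

```python
import os
import tempfile
# Constructed sandbox: a temp directory stands in for the filesystem.
ROOT = tempfile.mkdtemp()
BILLING = os.path.join(ROOT, "billing.log")       # only the deputy may write this
CLIENT_ALLOWED = {os.path.join(ROOT, "out.txt")}  # the client's own writable paths

def client_open_for_write(path):
    """The client's own authority: it can open only paths it is allowed to."""
    if path not in CLIENT_ALLOWED:
        raise PermissionError(path)
    return os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)

def deputy_by_name(path, data):
    """Filename interface: the deputy opens whatever name the client supplies
    with the deputy's own ambient authority, which also covers BILLING."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)

def deputy_by_fd(fd, data):
    """Descriptor interface: the deputy writes only to what the client opened."""
    os.write(fd, data)

def billing_written_via_name():
    # The client names the billing file; the deputy has no way to tell
    # that the client was never allowed to write it.
    deputy_by_name(BILLING, b"client-chosen text\n")
    return os.path.exists(BILLING)

def billing_written_via_fd():
    # The client must obtain the descriptor itself, where its own check applies.
    try:
        fd = client_open_for_write(BILLING)
    except PermissionError:
        return False
    deputy_by_fd(fd, b"client-chosen text\n")
    os.close(fd)
    return True

def legitimate_output_via_fd():
    # The same descriptor interface still works for a file the client may write.
    target = os.path.join(ROOT, "out.txt")
    fd = client_open_for_write(target)
    deputy_by_fd(fd, b"hello\n")
    os.close(fd)
    with open(target, "rb") as f:
        return f.read()
```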