[FoRK] kragen rides again-

Dave Long <dave.long at bluewin.ch> on Tue Nov 7 03:12:50 PST 2006

> This complexity is only necessary if transitive revocation is a low-level
> feature of your capability system. However Mark Miller has shown that a
> basic object-capability system with no built-in higher level security
> features can implement things like revocation and confinement using proxy
> objects that enforce the higher level requirements. See section II of
> http://www.cypherpunks.to/erights/talks/thesis/markm-thesis.pdf

The promise[0] of capability systems is that permissions needn't be 
lookups: with permissions granted and MMU/etc. set, one can run problem 
state code that makes hardware accesses, instead of continually 
context-switching to an executive to check that one's accesses don't 
exceed one's authority.  Using a caretaker or a membrane seems to add 
back in the layer of indirection that was just removed.

Two tangential thoughts:

- if one has enough logging to run loosely-coupled, then revocation 
should be easier: with containment, we know how far a process's writes 
are visible.  In principle, one could let small subsystems run with 
stale capabilities, and, just before the updates were committed to be 
consistent with the larger system, verify that the work had been done 
completely under valid permissions.

- Mark Miller seems to agree in "11.5 The Limits of Decentralized 
Access Control" that any single capability system must be confident of 
its topology.  The question I had concerning "routers needing to trust 
one another" he tackles from the other side, in pointing out that while 
it is possible for crypto to confirm that you are talking with Alice, 
it can't confirm that Alice is not also talking with Bob.[1]


:: :: ::

[0] more accurately: "A promise", but I write here as a speed-demon, 
not a spook.

[1] how narrow can a covert channel be?  in principle, the window for a 
reliable protocol can be shrunk to a single bit.  in practice, I 
believe the last generation of Lego Mindstorms used just such a 
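The proxy-based revocation the quoted passage refers to, as an added illustration that is not code from this thread or from Miller's thesis: a revocable forwarder generalised into a membrane, so that revoking the one capability handed out also cuts off every object reached through it (the transitive case the quote mentions). The `Membrane`, `Document` and `Folder` names and the sample "notes" document are constructed for the example.

```python
# Added example (not code from the FoRK thread or from Miller's thesis):
# a revocable forwarder generalised into a membrane, so that revocation is
# transitive over everything reached through the original capability.

PRIMITIVES = (int, float, str, bytes, bool, type(None))


class Revoked(Exception):
    """Raised when a wrapper is used after its membrane has been revoked."""


class Membrane:
    """One revocation switch shared by every proxy the membrane mints."""

    def __init__(self):
        self.revoked = False

    def revoke(self):
        self.revoked = True

    def wrap(self, value):
        # Plain data passes through; objects (i.e. authority) are proxied.
        if isinstance(value, PRIMITIVES):
            return value
        return _Proxy(self, value)


class _Proxy:
    """Forwards attribute access to the target while the membrane is live and
    wraps whatever comes back, so returned objects inherit the same switch."""

    def __init__(self, membrane, target):
        self._membrane = membrane
        self._target = target

    def __getattr__(self, name):
        # Only reached for names other than _membrane / _target.
        membrane = self._membrane
        if membrane.revoked:
            raise Revoked(name)
        attr = getattr(self._target, name)
        if not callable(attr):
            return membrane.wrap(attr)

        def forwarder(*args, **kwargs):
            if membrane.revoked:  # re-checked at call time, not only at lookup
                raise Revoked(name)
            return membrane.wrap(attr(*args, **kwargs))

        return forwarder


class Document:
    """Constructed sample object (hypothetical) holding some text."""

    def __init__(self, text):
        self.text = text

    def read(self):
        return self.text

    def append(self, more):
        self.text += more


class Folder:
    """Constructed sample object (hypothetical) that hands out Documents."""

    def __init__(self):
        self._docs = {}

    def create(self, name, text):
        self._docs[name] = Document(text)
        return self._docs[name]

    def open(self, name):
        return self._docs[name]


def access_denied(proxy, method, *args):
    """True if calling proxy.method(*args) is refused by a revoked membrane."""
    try:
        getattr(proxy, method)(*args)
    except Revoked:
        return True
    return False


def demo():
    folder = Folder()
    folder.create("notes", "hello")

    membrane = Membrane()
    granted = membrane.wrap(folder)  # the only reference the subsystem gets
    doc = granted.open("notes")      # a Document reached *through* the proxy
    before = doc.read()
    doc.append(" world")             # writes flow through while live

    membrane.revoke()                # one switch cuts folder and doc alike
    folder_dead = access_denied(granted, "open", "notes")
    doc_dead = access_denied(doc, "read")
    # The holder of the unwrapped Folder is unaffected by the revocation.
    return before, folder_dead, doc_dead, folder.open("notes").read()


if __name__ == "__main__":
    print(demo())  # ('hello', True, True, 'hello world')
```

Note that every access through the membrane pays an attribute lookup, a flag check and a wrap of the result; that is precisely the layer of indirection the post says a caretaker or membrane puts back in front of what was meant to be a direct, permission-free access.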
