I will be traveling and otherwise busy from now through the first week in
January. The following message proposes a significant expansion in the scope
of the discussion, which I won't be able to participate in till 1/8 or so.
Post by David Wagner
MarkM has been looking around for security challenge problems.
I've got one to add to the list. I've been having an email
conversation with David Mazieres about the HiStar system, and he
raised an interesting problem that I think fits the bill.
Rather than try to guess the nature of the challenge, please invite David and
the other HiStar and Asbestos folks to cap-talk. They are clearly doing very
but if you like to read pdfs online, rather than follow the link to their
paper on that page,
seems identical, except that all the internal LaTeX references became live pdf
HiStar derives from Asbestos
whose main paper
Post by David Wagner
In theory, capabilities alone suffice to implement mandatory access
control. For instance, KeyKOS achieved military-grade
security by isolating processes into compartments and interposing
reference monitors to control use of capabilities across compartment
boundaries. EROS later successfully realized the
principles behind KeyKOS on modern hardware. Psychologically,
however, people have not accepted pure capability-based confinement,
perhaps from fear that if just one inappropriate capability
escapes, the security of the whole system may be compromised.
As a result, a number of designs have combined capabilities with
authority checks, interposition, or even labels.
Key Logic. The KeyKOS/KeySAFE System Design, March 1989.
A fast capability system. In Proc. 17th ACM Symposium on Operating Systems Principles, pp. 170–185, Kiawah Island, SC, December
Mark S. Miller, Ka-Ping Yee, and Jonathan Shapiro. Capability myths demolished. Technical Report SRL2003-02, Johns Hopkins University Systems Research Laboratory, 2003.
Viktors Berstis. Security and protection of data in the IBM System/38. In Proc. 7th Annual Symposium on Computer Architecture (ISCA '80), pp. 245–252, May 1980.
Paul A. Karger. Limiting the damage potential of discretionary Trojan horses. In Proc. 1987 IEEE Symposium on Security and Privacy, pp. 32–37, Oakland, CA, April 1987.
Paul A. Karger and Andrew J. Herbert. An augmented capability architecture to support lattice security and traceability of access. In Proc. 1984 IEEE Symposium on Security and Privacy, pp. 2–12, Oakland, CA, April 1984.
Without further text, this would seem to admit that the rest of the paper is a
marketing exercise, since it would seem the only shortfall of the pure cap
solution is a psychologically-based illusion. Unfortunately, this paper never
revisits the issue, so it's not clear what one should actually conclude.
In any case, they go on to show that their label system is efficient, and give
evidence that it's expressive. So perhaps we could also derive the following
additional challenges from this paper:
* Efficiency aside, can we model Asbestos/HiStar labels in a pure cap world
* What sensible security policies, if any, does their label system allow them
to express naturally that are difficult to express with pure caps? This could
include a clarified statement of the virus-scanning challenge.
(I propose that a "sensible" policy must be one that can successfully enforce
constraints on authority, not just permissions, and do so assuming that side
channels can be plugged but outward covert channels cannot. By "enforce", I
mean prevent, not just impose a speed bump or meet a legally mandated but
meaningless demand. We can of course also argue about the definition of
sensible. And I do think we should argue about whether "information flow" per
se is a sensible concern.)
* Of these sensible policies, can we derive reusable cap-based libraries, such
that these policies can be easily expressed in a pure cap system using these
* Finally, for the OS-guys, if such reusable abstractions are indeed helpful
for actual well-motivated cases, what functionality, if any, needs to be
migrated into the kernel to make these practically efficient? How might such
mechanisms relate to our own recent concerns for making some membrane patterns
Text by me above is hereby placed in the public domain