[Cryptography] ORWL - The First Open Source, Physically Secure Computer
Bill Frantz
frantz at pwpconsult.com
Mon Aug 29 19:08:27 EDT 2016
On 8/29/16 at 2:42 PM, perry at piermont.com (Perry E. Metzger) wrote:
>Of course, BERI and CHERI are secure in a distinct sense -- they are
>implementations of a capability architecture on top of the more
>ordinary MIPS instruction set. They are not, however, formally
>verified designs, and in that sense, are no more or less likely to
>have bugs or back doors than any other soft core design.
>
>However, taking it as an entirely distinct topic from being able to
>trust that one's hardware isn't malicious, I will note that the
>BERI/CHERI design is a very interesting one, and I'm hoping this
>research helps capability architectures make a comeback.
As a long time capability bigot, I can't resist this opening.
Capability systems are a nearly perfect match for what the
Orange Book calls "discretionary security". The authority
passed through a capability can be very tightly matched to the
needs of the operation. The, "Why does this cellphone flashlight
application need my address book and access to the net?"
situations can easily be avoided. For those not familiar with
capabilities, object invocations in languages such as Java and
Javascript are examples. In fact, there are capability
implementations in both languages.
Discretionary security is sufficient to enforce the principle of
least authority (POLA). We need POLA because, as Alan Karp
recently said (not a direct quote), "I'm not smart enough to
keep the bad guys out. So I want to limit the damage they can do
when they get in." It helps to limit that damage if objects in
the system are protected at a fine grain. Individual objects or
files are good. Individual file systems less so. Capabilities
are excellent at supporting fine grain authority because with
one object, the capability, you both name the specific object to
use and demonstrate the authority to use it. If we were to try
object-level fine grain authority with access control lists,
administration would become a nightmere.
An orthogonal issue is assurance. Assurance is what Perry is
looking for when he wants to have the processor design formally
verified. The best systems will have both capabilities and
assurance, but either can be valuable with some level of
weakness in the other. Generally for assurance, the smaller the
system the better. Even without proof, an OS seems more likely
to be correct than a language based system, and hardware should
be better than an OS. However we can get a lot of useful
protection from language based capabilities even without the
level of assurance we would really like.
When people talk about "security" they generally mean "mandatory
security". Mandatory security can keep you from passing certain
things (data/objects/files etc.) to other objects in the system
even when you have access to both those things and those
objects. There have been a number of papers saying the
capability systems can not implement mandatory security and
therefor they can be secure. The problem with these papers is
that there are a number of published techniques for implementing
mandatory security in capability systems. These techniques use
the objects in the system, rather than low level system
primitives, so assurance for them is a form of program assurance.
One advantage of building mandatory security on top of
capabilities is that there is a first class story for how the
privilege of changing the mandatory controls is controlled, It
can even be made fine grain if necessary, which might make
administration easier.
Cheers - Bill
---------------------------------------------------------------------------
Bill Frantz |"We used to quip that "password" is the most common
408-356-8506 | password. Now it's 'password1.' Who said
users haven't
www.pwpconsult.com | learned anything about security?" -- Bruce Schneier
More information about the cryptography
mailing list