[Cryptography] Capability Systems (was Re: ORWL - The First Open Source, Physically Secure Computer)

Perry E. Metzger perry at piermont.com
Tue Aug 30 17:24:56 EDT 2016


On Mon, 29 Aug 2016 16:08:27 -0700 Bill Frantz
<frantz at pwpconsult.com> wrote:
> As a long time capability bigot, I can't resist this opening.

And you shouldn't resist it. :)

> Capability systems are a nearly perfect match for what the
> Orange Book calls "discretionary security". The authority
> passed through a capability can be very tightly matched to the
> needs of the operation. The "Why does this cellphone flashlight
> application need my address book and access to the net?"
> situations can easily be avoided. For those not familiar with
> capabilities, object invocations in languages such as Java and
> Javascript are examples. In fact, there are capability
> implementations in both languages.
[... lots more good stuff elided.]

Capability systems are an underused tool. I was very impressed a few
years ago by Robert Watson et al.'s "Capsicum" paper, which showed how
to graft a capability system on top of a POSIX style OS in a fairly
reasonable fashion.

https://www.usenix.org/legacy/event/sec10/tech/full_papers/Watson.pdf

(One of the co-authors on that is Ben Laurie who contributed earlier
in this thread.)

I hope these ideas get spread around. They're a critical tool for
security architecture. (And I hope to someday see Capsicum as part of
the mainline Linux kernel.)

Perry
-- 
Perry E. Metzger		perry at piermont.com
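As an added illustration of the object-capability point made above (not code from either poster, nor from Capsicum, whose OS-level analogues are calls such as cap_enter and cap_rights_limit on FreeBSD): in JavaScript an object reference is the authority, so a "flashlight app" can only reach the address book if someone passes it the book. All names below (makeAddressBook, launch, makeRevocable, etc.) are hypothetical, and the contact data is constructed for the example. The example also shows two standard capability idioms the quoted text does not spell out: attenuation (deriving a read-only view) and revocation (a forwarder that can be cut off later).

```javascript
'use strict';

// Added example, not from the thread: object-capability style in JavaScript.
// A reference *is* the authority; code can only invoke what it was handed,
// and there is no ambient "global address book" for an app to reach instead.
// Every name here is hypothetical.

// Sample data, constructed for the example.
const SAMPLE_CONTACTS = [{ name: 'Alice', phone: '555-0100' }];

// Full-authority address book: can list and add entries.
function makeAddressBook(entries) {
  const book = entries.map((e) => ({ ...e }));
  return Object.freeze({
    list: () => book.map((e) => ({ ...e })),
    add: (entry) => { book.push({ ...entry }); return book.length; },
  });
}

// Flashlight: toggles a bit, nothing more.
function makeFlashlight() {
  let on = false;
  return Object.freeze({
    toggle: () => { on = !on; return on; },
    isOn: () => on,
  });
}

// Attenuation: derive a strictly weaker capability (read-only view).
// The holder of this object cannot recover `add` from it.
function readOnlyView(book) {
  return Object.freeze({ list: book.list });
}

// Revocation: a forwarder whose target can be severed later. Holders of the
// forwarder keep their reference, but every use after revoke() fails.
function makeRevocable(cap) {
  let target = cap;
  const forwarder = new Proxy(Object.create(null), {
    get(_obj, prop) {
      if (target === null) throw new Error('capability revoked');
      const value = target[prop];
      return typeof value === 'function' ? value.bind(target) : value;
    },
  });
  return { cap: forwarder, revoke: () => { target = null; } };
}

// "Launcher": runs an app body with exactly the capabilities granted,
// mirroring the flashlight-app question in the quoted text.
function launch(appBody, grantedCaps) {
  return appBody(Object.freeze({ ...grantedCaps }));
}

// The flashlight app asks for the address book but was never given one.
function flashlightApp(caps) {
  const lightOn = caps.flashlight.toggle();
  const canReadContacts = typeof caps.addressBook !== 'undefined';
  return { lightOn, canReadContacts };
}

// A contacts viewer that is handed only a read-only view.
function contactsViewer(caps) {
  const names = caps.addressBook.list().map((e) => e.name);
  const canAdd = typeof caps.addressBook.add === 'function';
  return { names, canAdd };
}

// Wire it together; returns the observed outcomes so they can be checked.
function demo() {
  const book = makeAddressBook(SAMPLE_CONTACTS);
  const flashlight = makeFlashlight();

  // Flashlight app: gets the flashlight, nothing else.
  const flashlightResult = launch(flashlightApp, { flashlight });

  // Contacts viewer: gets a revocable, read-only view of the book.
  const { cap: roBook, revoke } = makeRevocable(readOnlyView(book));
  const viewerResult = launch(contactsViewer, { addressBook: roBook });

  // After revocation the viewer's reference is dead.
  revoke();
  let afterRevoke;
  try {
    launch(contactsViewer, { addressBook: roBook });
    afterRevoke = 'still works';
  } catch (e) {
    afterRevoke = e.message;
  }

  return { flashlightResult, viewerResult, afterRevoke, total: book.list().length };
}
```

Running demo() shows the flashlight app toggling its light while seeing no address book at all, the viewer reading names but holding no add method, and the viewer's capability failing with "capability revoked" once the owner cuts it off; the original book is unaffected throughout. The same discipline is what Capsicum enforces for file descriptors at the kernel boundary.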