From: "Jonathan S. Shapiro" <>
Replying To: Ka-Ping Yee <>
Date: Sun, 01 Dec 2002 11:47:16 -0500
Subject: Re: [e-lang] Commentary on Wallach's "Extensible Security Architectures for Java"

On Fri, 2002-11-29 at 18:31, Ka-Ping Yee wrote:
> My comments on the paper are at:
> Upon looking back at it I think to myself, "Oh my!  Those comments
> were pretty harshly worded."  But perhaps you will find it interesting.

While I love Ping's enthusiasm, several key statements on that web page
are more enthusiastic than accurate. Some observations. 

I'm struck by the possibility from Ping's comments that he misread the
statement quoted in his opening comment.  They didn't say that "security
needs a notion of principals". They said that "*Java* needs a notion of

Two comments on this point: 

1. The statement, as written, is true. It is a diagnosis of a
fundamental security flaw in Java.  The problem is that the authors don't
understand this.

2. The problem with the sentence was actually a grammar problem.  The
word "principle" was clearly misspelled, and the word "needs" should
perhaps have been replaced with "lacks" to reduce the likelihood of
reader misunderstandings. :-)

The comments concerning section 4.3 are off-target. 

Ping writes: "communicating conspirators cannot be prevented from
delegating authority in any system." This is not strictly true.  If
communication occurs over a typed channel, and if authorities are a
distinguishable type from data, then communicating conspirators *can* be
prevented from transmitting authorities. In particular, an EROS-style
system can mediate communications in such a way as to prevent the
transmission of capabilities while permitting data to be transferred.
This is in fact critical, as it is the basis of the KeySAFE multilevel
security implementation and various other kinds of protections. A
further, more interesting example, is the idea of "weak" authority, in
which the type system allows capability authority to be reduced in ways
that have security significance.

Though they wrote sloppily, I believe that the authors of the paper were
referring to the problem of *selective* revocation,  which is not at all
easy. It was the subject of David Redell's dissertation, which
identified several problems that remain unresolved today. While I
believe (and based on a conversation I had with him, I think that David
now believes) that all of these problems are resolvable, the solutions
have not been concisely collected in one place.

The closing paragraph is not entirely accurate. It is true that a hybrid
system is more complex, and it seems likely that it is unnecessary.  That
said, the complexity in question is orthogonal complexity, and there is
no difficulty whatsoever in modeling the security properties of the
resulting system. This is because all of those properties turn out to
derive from the capability portion of the hybrid, and the additional
restrictions imposed by ACLs merely serve to reduce the expressive and
computational power of the system and ruin its computational semantics.

Speaking for myself, I would argue that the paper has a more fundamental
flaw.  Mathematically, the paper appears basically correct, but its
conclusion has almost nothing to do with the math, and is therefore
badly flawed. What the math says is that given an ACL system and a
capability system with *identical* operations and *identical*
authorities, one can show that any state in one can be expressed as a
state in the other.

In practice,  there are two problems with this: the mathematics does not
adequately consider protection state evolution and protection state
reachability. In order to argue that one system is more powerful than
the other, one would need to argue first that common states exist, and
second that the states transitively reachable in one system by
proceeding from that common state are a subset of (or otherwise
demonstrably weaker than) those of the other. The paper didn't do this.

However, there is a bigger problem.  In reality, there exist no
capability systems with an "own" right and conversely no ACL systems
without one. Similarly for other rights. The operations likewise differ
because they arise in the designs as a function of the respective access
rights and the desire to achieve (and prevent) certain types of graph
transformations in order to permit (prevent) certain types of graph

In consequence,  what the math of the paper says is "There exist
mathematically imaginable systems in which the same access rights and
operations are implemented using both a capability and an ACL framework.
In such hypothetical systems, a certain kind of equivalence between the
two can be shown." This is a far cry from what the conclusion of the
paper asserts...


e-lang mailing list
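The reachability comparison that the message says the paper never carried out can be made concrete on a toy model. The following is an added example, not code from the message, from Wallach's paper, or from EROS/KeySAFE; every rule in it is a constructed assumption: three subjects and one object, rights {read, write}, a fixed communication graph saying who can pass a message (and therefore a capability) to whom, a capability system in which any holder may delegate over a channel and nothing is ever revoked, and an ACL system in which only the owner may edit the list. The ACL's "own" right has no capability counterpart, so the "common state" is the projection onto (subject, right) pairs and the owner is passed separately; the script then computes the transitive closure of each system's operations from that common state and reports which states only one of them can reach.

```python
"""Toy reachability comparison: capability delegation vs. owner-edited ACL.

Added example with constructed rules; not the paper's or any real system's
semantics. The state under comparison is the set of (subject, right)
pairs on a single object. The ACL system's 'own' right is projected away
and supplied as the `owner` parameter instead.
"""
from collections import deque

SUBJECTS = ("A", "B", "C")
RIGHTS = ("read", "write")

# Constructed communication graph: (sender, receiver) pairs.
CHANNELS = frozenset({("A", "B"), ("C", "B"), ("B", "A")})

# Constructed common initial state shared by both systems.
INITIAL = frozenset({("A", "read"), ("A", "write"), ("C", "read")})


def cap_successors(state, channels=CHANNELS):
    """Capability rule: a holder of a right may pass a copy of it to any
    subject it has a channel to. No 'own' right, no revocation."""
    for holder, right in state:
        for src, dst in channels:
            if src == holder and (dst, right) not in state:
                yield state | {(dst, right)}


def acl_successors(state, owner="A"):
    """ACL rule: only the subject holding 'own' may edit the list, and it
    may add or remove any (subject, right) entry. Non-owners cannot
    delegate what they hold, and channels play no role."""
    for actor in SUBJECTS:
        if actor != owner:
            continue  # the edit request is refused for non-owners
        for subj in SUBJECTS:
            for right in RIGHTS:
                entry = (subj, right)
                yield (state - {entry}) if entry in state else (state | {entry})


def reachable(initial, successors):
    """Breadth-first transitive closure of the protection state."""
    seen = {initial}
    queue = deque([initial])
    while queue:
        state = queue.popleft()
        for nxt in successors(state):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return frozenset(seen)


def compare(initial=INITIAL, channels=CHANNELS, owner="A"):
    """Return (cap_states, acl_states, only_cap, only_acl) from a common
    initial state. A non-empty difference in either direction shows the
    two operation sets are not equivalent from that state."""
    cap = reachable(initial, lambda s: cap_successors(s, channels))
    acl = reachable(initial, lambda s: acl_successors(s, owner))
    return cap, acl, cap - acl, acl - cap


def ever_holds(states, subject, right):
    """True if `subject` holds `right` in any reachable state."""
    return any((subject, right) in s for s in states)


if __name__ == "__main__":
    cap, acl, only_cap, only_acl = compare()
    print(f"capability-reachable states: {len(cap)}")
    print(f"ACL-reachable states:        {len(acl)}")
    print(f"reachable only under caps:   {len(only_cap)}")
    print(f"reachable only under ACL:    {len(only_acl)}")
    # With these channels no write-holder can talk to C, so C never gets
    # write under capabilities; the ACL owner can simply grant it.
    print("C can get write (caps):", ever_holds(cap, "C", "write"))
    print("C can get write (ACL): ", ever_holds(acl, "C", "write"))
    # Protection state evolution depends on the graph: add a channel A->C.
    cap2 = compare(channels=CHANNELS | {("A", "C")})[0]
    print("C can get write (caps, A->C added):", ever_holds(cap2, "C", "write"))
```

In this particular model the owner is omnipotent over the object, so the ACL system's reachable set strictly contains the capability system's (it can reach revocation states the delegation-only model never can, and it can grant to subjects no channel reaches), while the capability system's reachable set moves as soon as the communication graph changes. Neither fact follows from counting states or rights in isolation; it is exactly the closure-from-a-common-state argument the message asks for, and it only becomes possible after the "own" right is projected out of the comparison.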