From: Tyler Close
Replying To: David Wagner
Date: Tue, 3 Dec 2002 21:30:38 -0400
Subject: Re: [e-lang] "Capability Myths Demolished" (was: Software security workshop)

On Tuesday 03 December 2002 18:49, David Wagner wrote:
> Tyler Close  wrote:
> >The main point of confusion is the belief that Lampson's access
> >matrix models both the ACL and capability systems. This is plainly
> >false to anyone who understands capabilities and how a C-list is
> >used. In the "Protection" paper, Lampson clearly demonstrates a
> >misunderstanding of the C-list mechanism.
> Is it a misunderstanding?  Or is this just a disagreement over the
> definitions of the words?

It is a misunderstanding. In the "Protection" paper, Lampson uses
the term "C-list" to refer to something that is *not* a C-list.
The C-list mechanism was defined and implemented long before
Lampson's paper. Lampson simply failed to understand it.

> There are two kinds of mechanisms that might have claim to the name
> capabilities:
>   Lampson-style capabilities: What you call a C-list.
>   E-style capabilities: Things that combine both authorization
>     and designation.

I am *not* calling the Lampson mechanism a C-list. Lampson is. I
am saying that the Lampson mechanism is *not* a C-list. The term
"C-list" identifies a mechanism that predates the Lampson paper. A
C-list is used to implement capabilities that have the same
properties as "E-style capabilities". There is nothing new or
different about the security properties that E capabilities
provide. A capability has always been a combination of
authorization and designation.

> I suspect you would like to reserve the term "capabilities" for E-style
> capabilities only.  I, however, was taught that the word "capabilities"
> encompasses both styles (or that it refers to Lampson's notion).  I think
> this is also the way the term is used in the majority of the computer
> security community.

It is amazing the amount of damage that one confused scientist can
cause.  Lampson did not understand the C-list mechanism and most
everyone, for 30 years, has learned from Lampson. It is an
astonishing tragedy.

> One could have a battle royale over who gets to choose the definition of
> the word "capability".  However, I'm not sure that this is productive.
> I suspect it's too late to change what most people think of when they
> think of the word "capabilities".

There are a number of operating systems, predating the Lampson
paper, that implemented capabilities.  One confused scientist comes
along and misuses the term in a paper and suddenly all the
previous actual work has no meaning? Surely, this can't be what
you are suggesting. Lampson was confused. Must we now all share in
his confusion forever?

> Therefore, my conclusion is that it would be more effective to pick a new
> term for E-style capabilities, and then focus on arguing the advantages
> of E-style capabilities.

As MarkM has often and pointedly said, there is nothing new about
the security principles behind E.  They come from a long line of
prior work. It does not make sense to surrender this history to a
bad paper.

> (Yes, I know it probably pains you to give up the word "capabilities".
> It also pains me that the word "hackers" has come to refer to criminals,
> not to clever folks who thought out of the box.  Nonetheless, that battle
> has already been lost, and I just have to live with it and move on.)

There's more than just a word at stake here.  There's a large body
of excellent work and 30 years of damaging misinformation to
correct. I don't see how you can preserve the history without
preserving the word.

e-lang mailing list