From: David Wagner <daw@cs.berkeley.edu>
Date: Fri, 6 Dec 2002 16:41:01 -0800 (PST)
Subject: [e-lang] "Capability Myths Demolished" (was: Software security workshop)

Tyler Close  wrote:
>I think I could have done a better job of drawing the link between
>your last email and my thoughts on it. I believe I understand the
>point you are making. I just have some problems with it. It's
>tricky to nod your head using email.

Thanks for the encouragement.  By the way, I'm definitely not
giving up on the conversation. 

>Over the course of this email discussion, I've made a case that
>Lampson's "Protection" paper created an erroneous view of
>capabilities.  Some others have explicitly agreed with this case
>and asked that I write a paper. I have agreed to do so.

Fantastic!  I look forward to the result.  Let me know if I can
help by commenting on drafts or somesuch. 

>As MarcS has pointed out, Butler Lampson has a god-like position
>within the security community.

Maybe so, but speaking personally, when it comes to science,
I prefer to avoid putting too much faith in god-figures.  Sacred
cows make the tastiest hamburgers. :-)

>I do not believe that it is only random chance that has created
>this 30 year gap. All the information is just sitting there,
>staring us in the face. I do not have any kind of special access
>to information. I wasn't even alive when this stuff happened.
>There is a reason why no one else has written a paper yet.

This may be true,  but I also know that I struggled for a while
before I was able to grasp the key insights of the capability
community.  Probably this is partially because I'm slow to wrap
my head around new ideas, but I suspect I was also slowed down
by several issues:

  - the ideas are spread across many papers; 

  - many papers (mostly the older ones) failed to clearly
    separate the key insights from the unimportant implementation
    details;

  - the capability community has a jargon of its own that took
    me a while to pick up (I could give dozens of examples);

  - some of the documents arguing in favor of capabilities didn't
    clearly separate the most important advantages of capabilities 
    (i.e., no ambient authority; ease of building security perimeters)
    from issues I considered secondary (e.g., covert channels).
    As a result, it was easy for me to get distracted by the weak
    points in the secondary arguments, despite the strength of the
    main arguments.

All in all, I'm not sure I would have picked up the key ideas of
this community without the personal nudging, one-on-one explanations,
and patience of people like Mark Miller and others here.
One-on-one interactions are great, but they don't scale, which
is why I wish there was a good paper to pass on the word to others,
as much as possible.

>As you've said, in actions and in words, you are friendly to the
>capability view. If I am unable to get even you to drop the
>hypotheticals and agree that Lampson was in error, then it would
>seem I have an impossible task.

I guess I'm being careful in my wording for two separate reasons: 

  - on the history issues, I'm hedging with hypotheticals
    because I simply don't know the history and hence don't
    feel qualified to judge one way or the other;

  - on the issue of whether (E-style) capabilities are the
    "right way" to build systems for security, I think this
    hypothesis is plausible but not yet entirely proven, and
    I'm hedging because I suspect it would help me to see more
    evidence before I can fully evaluate this hypothesis.

>All I am looking for is an evaluation on the evidence presented to
>date. What part of the evidence do you find lacking? What issues
>make you want to retain the hypotheticals?

Well, I guess I see two separate gaps in the current literature: 

  - presentation: It would help to have a paper laying
    out the case for capabilities.  What are the advantages, etc.? 

  - further experimental evidence: I think some of the claims
    of, say, E can only be proven through implementation experience. 
    For instance, it might help to see, say, Sendmail or BIND
    re-implemented in E to do a proper comparison.

The former is all about writing down what's currently known,
about distilling the essence of the ideas, and about persuasive
writing; the latter is all about extending our knowledge and
about implementation and further research.

I've been deliberately sparse on details about these two categories
because I'm not sure which you're asking about.  I do have some
thoughts on both categories, so let me know if you'd like me to
elaborate at all.

>I would like to address the other content in your last message;
>however, I think I'll wait a bit to see if you can be drawn back
>into the conversation.

Shoot away!  I didn't mean to withdraw from the entire conversation. 

I *do* mean to withdraw from arguments about what is the right pair
of words to use for "E-style capabilities" vs. "Lampson-style capabilities". 
I just wish I had some pair of words, but I don't care which words
they are.  I have no stake in the naming battle, so I plan to watch
that one from the sidelines.  I'd gladly use anything the capabilities
community comes to consensus on.
_______________________________________________
e-lang mailing list
e-lang@mail.eros-os.org
http://www.eros-os.org/mailman/listinfo/e-lang