From: "Jonathan S. Shapiro" <>
Replying To: Norman Hardy <>
Date: Thu, 12 Dec 2002 10:04:58 -0500
Subject: Re: [e-lang] Modelling Blindness (was: "Capability Myths Demolished" (was: Software security workshop))

On Thu, 2002-12-12 at 02:19, Norman Hardy wrote:
> Let me try to say something with minimal jargon.
> There are interesting things that you can prove about capability 
> systems that entirely ignore the nature of the code that is subject 
> to capability discipline (user code).
> Many capability arguments indeed ignore the nature of user code.
> In such cases it is appropriate to view capabilities as undesignated 
> and undifferentiated (ambient?).
> When you want to prove system properties that depend on the 
> correctness of some user code, then it is generally necessary to 
> consider how that code explicitly names the authority that it 
> invokes, lest the deputy be unable to express its intent.
> Many in the military security community are unaware of arguments of 
> the second form.

This is very well said. 

It's not that people in the military security community are unaware of
the second type of argument.  It is rather that they want to base their
security on minimal assumptions. In particular, they want their security
to work when code is hostile, so their assumption is that most code does
bad things. They then review selectively those small pieces of code that
actually enforce the trust relationships of the system.
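The distinction Norm draws (authority that is merely ambient versus authority the code explicitly designates) is what makes a deputy able or unable to express its intent. As an added illustration, not part of the original message, here is a constructed in-memory model: a "compiler" deputy that must write the client's output and also append to a billing log it alone is supposed to touch. File paths, class names and the `WriteCap` object are all assumptions of the model.

```python
class FileSystem:
    """Constructed in-memory store standing in for the real filesystem."""
    def __init__(self):
        self.files = {"/billing/log": "", "/home/alice/out.o": ""}


class AmbientDeputy:
    """Holds broad authority and resolves client-supplied *names* with it.
    It has no way to say 'write this with the client's authority only'."""
    def __init__(self, fs):
        self.fs = fs

    def compile(self, source, output_path):
        self.fs.files[output_path] = f"compiled({source})"   # client's request
        self.fs.files["/billing/log"] += "charged;"          # deputy's own duty


class WriteCap:
    """A capability: designation and authority carried in one object."""
    def __init__(self, fs, path):
        self._fs, self._path = fs, path

    def write(self, data):
        self._fs.files[self._path] = data

    def append(self, data):
        self._fs.files[self._path] += data


class CapabilityDeputy:
    """Receives the output *capability* from the client, so the output write
    carries exactly the client's authority and cannot be confused with the
    deputy's own billing capability."""
    def __init__(self, billing_cap):
        self._billing = billing_cap

    def compile(self, source, output_cap):
        output_cap.write(f"compiled({source})")
        self._billing.append("charged;")


def ambient_run():
    """A client names the billing log as its output; the deputy clobbers it."""
    fs = FileSystem()
    AmbientDeputy(fs).compile("main.c", "/billing/log")
    return fs.files["/billing/log"]


def capability_run():
    """The client can only pass capabilities it holds; it holds none for the
    billing log, so the deputy's intent and the client's stay separate."""
    fs = FileSystem()
    deputy = CapabilityDeputy(WriteCap(fs, "/billing/log"))
    deputy.compile("main.c", WriteCap(fs, "/home/alice/out.o"))
    return fs.files["/home/alice/out.o"], fs.files["/billing/log"]
```

In the ambient case the billing record ends up overwritten with compiler output; in the capability case the two writes land where each party's authority actually reaches.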


e-lang mailing list