> NH> I think that we agree that all sucessful capability systems "bottom
> NH> out" in capabilities as names.
>
> Hmm, how does that go together with, say, password capabilities? They
> consist of a UID and a password. The UID take by itself names an object.
>
> Or am I missing something?

A password capability system doesn't bottom out in the way that Norm
describes, because the operating system itself cannot be bootstrapped
without either (a) some set of available bootstrap password(s) or (b) some
other means to load code.

Jonathan

At 10:26 AM 2000-07-16 -0400, Jonathan S. Shapiro wrote:
>> NH> I think that we agree that all sucessful capability systems "bottom
>> NH> out" in capabilities as names.
>>
>> Hmm, how does that go together with, say, password capabilities? They
>> consist of a UID and a password. The UID take by itself names an object.
>>
>> Or am I missing something?
>
>A password capability system doesn't bottom out in the way that Norm
>describes, because the operating system itself cannot be bootstrapped
>without either (a) some set of available bootstrap password(s) or (b) some
>other means to load code.
>
>Jonathan
>

This relates to a perplexity occurring in the Grid Forum at present. The
open issue there could be described as to compare and contrast what
information about an individual person is served from a persistent
information service [likely LDAP] as compared with what information is
involved in the process where that individual demonstrates that their
requests for service from allied administrative domains should be honored.

As I see their scenario, the "system" that operates Grid Jobs doesn't
bottom out into one space of known or trusted identities. The sharing
trust-space doesn't go to the bottom. It is layered over multiple bottoms
that are not shared. In this situation, I see no way to unify the identity
that gets you trusted in a foreign domain with the name that unifies your
identities in all domains. That would require qualifying lots of people
into a universally trusted administrative domain and that probably won't
happen.

Actually, my naive view of how systems get bootstrapped is similar. Access
protection is not functioning until after some trusted kernel of code is
loaded. Then root defines a password and installs the control that makes
loading check with the authorizing function, and further loading requires
authorization. You can build access control into a boot ROM but the secret
this is built on is static. Once the access key is compromised, that
system is no longer trustable.

In the present scenario the system is not trustable until locked. In the
hardwired situation it is not trustable after compromise.

Let me get to my bottom line with capabilities and Grid Forum. I suspect
that the Grid Forum would resolve its perplexities better if it had looked
at the situation with the fresh eyes of a "capabilities perspective" first.
Not that they wouldn't use the existing security infrastructure in the
several administrative domains as the foundation in building a more unified
metaprogramming capability. But I can't explain the new perspective, and
the likelihood is that they would blow it off as "too theoretical and
exploratory" and hence off-topic. They are looking at minimal incremental
tweaks to the best current practice that will unify operations across the
allied domains. Rough consensus and running code is the religion. To
explain why they should care about this theory, it will take a proponent
better versed than I. The grid forum can be found starting at
www.gridforum.org. The issue I described above is actually up for grabs in
this community. Is there anyone versed in the 'capabilities' perspective
on security that would care to get engaged in this process?

Al

I have just read the notes at
http://www.mediacity.com/~norm/CapTheory/CapBits.html, and I have a few
comments on them.

I find the use of the terms "protected" and "unprotected" in the first
paragraph very confusing. I think that what is probably meant is
"partitioned" or "unpartitioned". I dislike the term "protected" because it
already has many other uses in the context of the capability discussion, and
I believe the that "partition" term captures the distinction that Norm is
trying to make. If not, I'ld be very interested to be corrected, and perhaps
the term I suggest below may be useful.

A password capability system need not keep the object identity bits in
cleartext. The password can apply to the entire capability. The fact that
the object bits were left in the clear in the Pose systems is, I think, a
flaw. It was probably motivated by a desire to simplify the memory
translation hardware, but in the context of modern processor design it's an
unnecessary simplification. Indeed, I recently had occasion to review that
paper in connection with examining a patent for prior art, and was very very
disappointed that the object bits were not protected.

There is a hybrid design that is possible, which is a cryptographic or
sparse capability system (bits exposed) in which the kernel must perform
some protection-domain-specific transformation in order to obtain the true
capability representation, such as applying a process-specific XOR late in
the game. I believe that we may consider designs of this form to be
partitioned, because the process never has access to the true representation
of the capability. This presumes that the XOR value is unknown to the
process, obviously.

Non-partitioned systems suffer from a total failure of confineability,
because it is impossible to determine whether the binary image has embedded
within it one or more capabilities that are unknown to the confinement
checker. A conservative approximation check can be done, but the cost is
probably prohibitive and the need to run this check has unfortunate
consequences for sharing of connected structures in transitive read only
form (i.e. you can no longer do so).

For the purpose of this objection, the E system does not suffer, because the
type system allows the checker to make the necessary determination.

For the purpose of this objection, a tagged memory system may or may not be
partitioned. The issue is once again the shared transitive read only
struture problem.

Indeed, as I wrote the above, it occurred to me that we have a failure of
specification. In EROS/KeyKOS, there are two simultaneous problems being
solved, and each has implications for choice of capability protection
strategy. The first might perhaps be called the "referential encapsulation
property", by which I mean that the process cannot generate bits that will
later be interpreted as a capability [I ignore number capabilities, and we
must someday think them through]. The second is transitive read-only
shareability, or what KeyKOS calls "sensory access". This is somewhat
generalized in EROS, and is further complicated by metadata indirection. A
reasonable treatment is given in the Diminish Take chapter of my
dissertation (archival paper real soon now, I promise!).

Norm has been focused on the referenctial encapsulation property, but there
is enormous leverage in the sensory access idea as well. Sensory access is
certainly not necessary, but if you remove it, you must enforce deep copy at
process instantiation. Deep copy is expensive, but worse than that it
requires a widely held means by which to compare two capabilities for
identity of their underlying representation object in order to preserve
object identity during the deep copy. That is *frought* with unfortunate
implications.

Ultimately, the most basic difficulty with password and cryptographic
capabilities is that there is no way to determine when all capabilities to
an object are gone. In EROS/KeyKOS we have not implemented GC, but I am
prepared to believe that it will prove desirable to do so in time. I even
think I can see how to avoid the covert channel issues implied by the
presence of GC. The reason to want GC is mostly for lost space recovery.
Programs do err in explicit storage management, and it is desirable to be
able to address this problem. In a "user bits are capabilities" style of
system, collection is possible but only if done conservatively, and only at
the cost of a much more complete scan of the disk (all sectors must be
examined) This strikes me as problematic.

At 13:58 -0400 00/07/16, Jonathan S. Shapiro wrote:
>I have just read the notes at
>http://www.mediacity.com/~norm/CapTheory/CapBits.html, and I have a few
>comments on them.
>
>I find the use of the terms "protected" and "unprotected" in the first
>paragraph very confusing. I think that what is probably meant is
>"partitioned" or "unpartitioned". I dislike the term "protected" because it
>already has many other uses in the context of the capability discussion, and
>I believe the that "partition" term captures the distinction that Norm is
>trying to make. If not, I'ld be very interested to be corrected, and perhaps
>the term I suggest below may be useful.
>

I have used "segrated" much as you use "partitioned". I was confused by
"partitioned" in recent mail. I shall try to speak of hiding or protecting
the bits of the capability instead of the capability itself. Yet I need an
adjective to modify "capability" that means its bits are hidden! There is
too much good text devoted to that plan.

There is yet another difference lurking here. IBM's System 38 devoted a
hardware bit in memory for each 16 memory bits to mark a location as
holding part of a capability. Capabilities were 64 bits long and allocated
admidst other user data but "hidden" by the extra bit so as to make the
bits therein unreadable and unmodifiable by "user code". The System 38 was
not the first to protect capabilities admist user data but it may have been
the last. AS/400 is in some sense a descendent of the System 38. The 38
provided a language called "MI" (Machine Interface) that, like Java byte
codes, was translated before execution. The translator was trusted but not
enough to dispense with the hardware to protect the capability bits.

Perhaps the bits of the System 38 capability are protected but neither
segregated nor partitioned. I agree that the page you cite is confusing. I
have spent the afternoon rewriting the page above. I am not done.
Norman Hardy <http://www.mediacity.com/~norm>

> I am unclear about the meaning of "The password can apply to the entire
> capability.". I presume that by "password capability system" you mean one
> where all the bits are visible to the program, be they UIDs or "secret
pass
> phrase".

I meant that the object identity need not be kept in the clear. The password
(or secret key) can protect both the object identity and the permissions
bits.

> Trying to reconstruct the Monash magic years later it occurred to me that
a
> program confined by the XOR trick would be likely to have the same
> capability C in the form C and also C xor S. This would reveal likely
> candidates for S, the confining secret.
> Is the Monash magic online somewhere that you know of?

Only the Pose paper. However, note that the value C xor S is never present
in application memory in that design. Therefore, I believe this is not a
problem.

shap

At 15:51 -0400 00/07/17, Jonathan S. Shapiro wrote:
>> I am unclear about the meaning of "The password can apply to the entire
>> capability.". I presume that by "password capability system" you mean one
>> where all the bits are visible to the program, be they UIDs or "secret
>pass
>> phrase".
>
>I meant that the object identity need not be kept in the clear. The password
>(or secret key) can protect both the object identity and the permissions
>bits.
>
>> Trying to reconstruct the Monash magic years later it occurred to me that
>a
>> program confined by the XOR trick would be likely to have the same
>> capability C in the form C and also C xor S. This would reveal likely
>> candidates for S, the confining secret.
>> Is the Monash magic online somewhere that you know of?
>
>Only the Pose paper. However, note that the value C xor S is never present
>in application memory in that design. Therefore, I believe this is not a
>problem.
>
>shap

I suspect that you are more recent on that technology than I. I had thought
that all bits of capabilities were kept in application memory and that the
applications ignorance of S was the sole method of confinement. One
possible rule might be that for any particular capability C, it was not the
case that both C and CxorS were accessible to the capability.
Norman Hardy <http://www.mediacity.com/~norm>

> We believe that Mungi (http://mungi.org/) can do confinement (although
> we haven't done a formal proof -- I'm waiting for a student to do the
> work ;-).

Gernot, all:

My recollection from talks with Jerry Vochteloo is that mungi uses a
per-process or per-system XOR value (I don't recall which, but it doesn't
matter).

If this is correct, or a similar unforgeable transformation is used, then
Mungi can definitely do confinement subject to the assumption that the
inverse transform is unguessable. If so, then you don't actually need to do
a proof of confinement. You merely need to do an equivalence proof between
XOR application and capability/data partitioning. If you can do that then
you fall under the SW model proof.

The proof sketch I have in mind is:

1. Observe that the true capabilities are the post-XOR capabilities, which
are all partitioned. The pre-XOR capabilities are completely irrelevant.

2. Show that the XOR test operation has the effect of enforcing the
partition between capabilities and data, again subject to the unguessability
constraint.

3. Observe that if this partition exists then there is a direct equivalence
between the Mungi protection model and the SW model published in the latest
IEEE security symposium at http://www.eros-os.org/papers/oakland2000.ps ).
In point of fact, the SW proof only requires that users cannot invoke
capabilities as data. It is not compromised if the user can observe the
capability bits.

As far as Sam and I know, the SW model covers all capability systems
(including Mungi) that *can* enforce confinement, and excludes all the ones
that cannot.

Mungi definitely can do confinement.

I'll expect a citation of the SW paper in your publication :-)

While I'm thinking about it, would you consider adding an EROS link to your
related systems list? EROS has some of the feel of a single address space
system, and we've all certainly exchanged a bunch of ideas back and forth.


shap

At 07:55 PM 7/16/00 , Jonathan S. Shapiro wrote:
>As far as Sam and I know, the SW model covers all capability systems
>(including Mungi) that *can* enforce confinement, and excludes all the ones
>that cannot.

E can do confinement without relying on dynamic kernel-weakening of
primitive capabilities. Rather, E uses observable pure immutability,
corresponding to stage #2 of
http://www.erights.org/elib/capability/factory.html . As a result, E's
confinement has the costs documented at that URL.

The mechanisms of the SW model seem to apply starting at stage #3. As a
result, EROS's and KeyKOS's confinement is more flexible -- more kinds of
useful services can be observably confined. But would you say the SW model
covers E? Would you claim that E's confinement isn't really "confinement"
as you define it? If no and yes, then E is a counterexample to your above
claim.


Cheers,
--MarkM

> Are you sure? I don't have the S/38 papers handy (working from home
> today) but I seem to remember that it was actually possible for
> unprivileged code to copy a cap, but the hardware would turn of the
> capability bit then, converting it to simple data.
>
> Gernot

I believe this is so also. I have the AS/400 Principles of Operations, but
regrettably my copy is in a box somewhere. If someone can remind me in two
weeks about this I'll gladly check on it.


shap

At 18:46 -0400 00/07/17, Jonathan S. Shapiro wrote:
>> Are you sure? I don't have the S/38 papers handy (working from home
>> today) but I seem to remember that it was actually possible for
>> unprivileged code to copy a cap, but the hardware would turn of the
>> capability bit then, converting it to simple data.
>>
>> Gernot
>
>I believe this is so also. I have the AS/400 Principles of Operations, but
>regrettably my copy is in a box somewhere. If someone can remind me in two
>weeks about this I'll gladly check on it.
>
>
>shap

Me too. I think that there were memory to memory operations, but it was
some how enforced that capabilities among the data were copied all or none.
It would be impossible to program the copy with a load-store loop as that
would require knowing which you were about to move.

It is hassles like this which sour me on intersperssed abstracted
capabilities. Doing I/O was a bitch. I heard rumors of a modified 64 bit
PowerPC that was cognizant of the capability tags. I have never seen
details.

The Plessey 250 segregated data and capabilities into different memory
segments and had segregated data and capability registers.
Norman Hardy <http://www.mediacity.com/~norm>