Monday, January 4, 2010

Capabilities, still out on the fringe, and misunderstood

I recently posted the following comment on the Slashdot story "You won't recognize the internet in 2020":

It's not the Internet switching fabric that is the problem, it's the end nodes. None of our PCs is provably secure. It's highly likely it won't be by 2020 either, as it appears the money is going into the wrong places in research. Capability Based Security has been around since the 1980s, and yet it's not even being funded to try to get it ready for widespread use by 2020.

Until the ends of the internet are secure, it's not going to be secure. It almost seems the money is always being spent in places where it won't really help the end user, but will allow more control by the authorities. (Or maybe I'm just a bit paranoid?)

Well, there is some hope, because it was moderated up to +5 in short order. However, one of the replies to my comment shows there is work to do in raising awareness of the benefits of capabilities:

Capability Based Security hinges on the operating system being inviolate. The problem is programmable computers by their very nature offer the opportunity to reprogram the whole system. This is not a bad thing, because it allows the same device to be used in various different ways (Linux, Windows, OSX etc) - diving deeper, it allows more efficient software (patches) to be added to the system by anyone with the desire to accomplish some task, or make the system run more efficiently.

With a capability based security system in place, OSs would collapse into one 'approved' version - and the general purpose nature of the computer would be lost (a game console would be the current model for such a system I would think).

I addressed this with a followup:

Actually, it's not the whole system that has to be inviolate, just the kernel. There are projects to produce a provable L4 microkernel, for example. This would allow the user to have a machine that they could then trust to only give away resources they chose.

Don't confuse a locked down kernel with a locked down computer. With the current OS selections you have, it's not possible to make a distinction, but it doesn't have to be this way. The problem boils down to the default permissive environment that we're all used to thinking and modeling our systems on top of. Capability based systems are a default deny environment, but you are free to give away as much as you want to a program of your choice.

So... there is some awareness, and cause for hope, but much work remains.
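To make the default-permissive versus default-deny distinction from the follow-up concrete, here is a small added illustration. It is not code from the original post, from Slashdot, or from any real capability system: the in-memory "file system", the two plugins and the capability classes are constructed toy models. In the first half a plugin gets its authority ambiently (knowing a path is enough); in the second half the only way to touch a file is to hold an unforgeable reference that the user chose to hand over, and a read-write capability can be attenuated to read-only before it is given away. Python itself does not enforce this discipline (introspection could still reach the closed-over store); in a real system that enforcement is the job of the small trusted kernel the follow-up describes.

```python
"""Default-permissive (ambient authority) versus default-deny (capabilities).

Added illustration, not code from the original page or from any real
capability system. Everything below is a constructed toy model.
"""
from typing import Callable

# Constructed sample data: a user's files.
SAMPLE_FILES = {
    "/etc/passwd": "root:x:0:0:root:/root:/bin/sh",
    "/home/alice/notes.txt": "buy milk",
}

# ---------------------------------------------------------------------------
# 1. Default-permissive: authority is ambient. Any code in the process can
#    name any path, so a plugin runs with all of the user's rights.
# ---------------------------------------------------------------------------
AMBIENT_FS = dict(SAMPLE_FILES)

def ambient_open(path: str) -> str:
    """Models open(): knowing a name is all it takes to get the resource."""
    return AMBIENT_FS[path]

def greedy_plugin_ambient(_notes_path: str) -> str:
    """Supposed to summarise notes; nothing stops it reading other files."""
    return ambient_open("/etc/passwd")

# ---------------------------------------------------------------------------
# 2. Default-deny: authority is an unforgeable reference handed over
#    explicitly. Plugins have no 'open by name' to call at all.
# ---------------------------------------------------------------------------
class ReadCap:
    """Permission to read one specific file. Holding it *is* the permission."""
    def __init__(self, read: Callable[[], str]):
        self._read = read
    def read(self) -> str:
        return self._read()

class RWCap(ReadCap):
    """Read+write capability; attenuate() yields strictly less authority."""
    def __init__(self, read: Callable[[], str], write: Callable[[str], None]):
        super().__init__(read)
        self._write = write
    def write(self, data: str) -> None:
        self._write(data)
    def attenuate(self) -> ReadCap:
        return ReadCap(self._read)   # hand on the read closure only

def make_filesystem(initial: dict):
    """Returns (mint, snapshot). `mint` is the only way to obtain a capability,
    so whoever holds it (the user's shell, the kernel) decides what to give."""
    store = dict(initial)
    def mint(path: str) -> RWCap:
        return RWCap(lambda: store[path], lambda d: store.__setitem__(path, d))
    def snapshot() -> dict:
        return dict(store)
    return mint, snapshot

def summarise(notes: ReadCap) -> str:
    """Well-behaved plugin: uses exactly the authority it was given."""
    return notes.read().upper()

def greedy_plugin_caps(notes: ReadCap) -> str:
    """Same intent as greedy_plugin_ambient, but it only holds a read cap.
    It cannot name /etc/passwd (no open-by-name exists in its world) and
    cannot write (the attenuated cap simply has no write method)."""
    try:
        notes.write("pwned")  # type: ignore[attr-defined]
    except AttributeError:
        return "write denied"
    return "escalated"

def run_plugin(plugin, cap: ReadCap) -> str:
    """The trusted part: passes a plugin only the capabilities the user chose."""
    return plugin(cap)

def demo() -> tuple:
    mint, snapshot = make_filesystem(SAMPLE_FILES)
    notes_rw = mint("/home/alice/notes.txt")   # the user holds full authority
    notes_ro = notes_rw.attenuate()            # and gives away only reading
    leak = greedy_plugin_ambient("/home/alice/notes.txt")
    summary = run_plugin(summarise, notes_ro)
    outcome = run_plugin(greedy_plugin_caps, notes_ro)
    return leak, summary, outcome, snapshot()["/home/alice/notes.txt"]

if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the contrast: the ambient plugin returns the contents of /etc/passwd, while the capability-holding plugin can only summarise the one file it was handed and its write attempt is refused, leaving the notes unchanged. The point is that "default deny" costs the user nothing: the shell still holds the read-write capability and could have passed it on unattenuated to a program it trusts.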

1 comment:

Tony Finch said...

Capabilities are older than the 1980s: The Cambridge CAP project on capability-based virtual memory protection lasted from 1970-1977.