Manage episode 281503210 series 2772581
Chris and Morgan, driving in the Covid-19 pandemic, reflect on lessons of hygiene and a separation of concerns from the past (seen through the retroactively surprising struggle for handwashing acceptance) while analyzing how to bring safety to today's computing security pandemic via object capability discipline.
As said in the episode, there's a lot of research and evidence for the object capability security approach! Please do scour the links below (with significant commentary attached).
Ignaz Semmelweis and two excellent podcast episodes with more:
The mailing list post by Chris that prompted this episode (largely the same stuff, a bit more particular to the targeted audience): Hygiene for a computing pandemic: separation of VCs and ocaps/zcaps
POLA Would Have Prevented the Event-Stream Incident, by Kate Sills. Examines how malicious code inserted into a library designed to steal programmers' private information/keys/money could have been prevented with capability-based security.
An interview with Kate Sills about object capabilities; contains some of the same information presented in this episode, but with more focus on the basic concepts.
A Security Kernel based on the Lambda Calculus explains how these concepts apply to programming language design (using a limited subset of the Scheme programming language).
Ka-Ping Yee's PhD dissertation, Building Reliable Voting Machine Software, demonstrates the difficulty of finding intentionally obscured security vulnerabilities through code review (see "How was PVote's security evaluated?"). This demonstrates that FOSS is necessary but insufficient on its own for security.
A backdoor which was inserted into the official Linux kernel source code (and actually distributed on the official CVS server, briefly!) all the way back in 2003. Note that the vulnerability was initially discovered not through code review, but through discovering a server intrusion. The code is well obfuscated in a way that might be difficult to observe through visual inspection of a significant body of code.
The zcap-ld spec has a subsection on how to safely and hygienically bridge the worlds of identity/claims/credentials with authority/ocaps. (Note some bias here: Chris co-authored this spec with Mark Miller.) It also has some other useful subsections: Capabilities are Safer contrasts with ACLs, and ZCAP-LD by Example shows how capabilities can be constructed on top of certificate chains (an approach not even mentioned in the episode... but yes, you can do it!)
So why are ACLs / an identity-oriented approach so bad anyway? ACLs Don't explains the problems caused by an identity-oriented authority model:
Ambient authority, ie "programs running with too much authority"... think about the "solitaire running 'as you'" part of the podcast (and contrast with the POLA/ocap solution also explained in-episode)
The Browser is a very Confused Deputy is an excellent and fun video introduction.
An example of a confused deputy attack against the Guile programming environment (which Chris helped uncover): Guile security vulnerability w/ listening on localhost + port (with fix). Note the way that both the browser and the guile programming environment appear to be "correctly behaving according to specification" when looked at individually!
Another way to put it is that identity-oriented security approaches are also generally perimeter-based security approaches and (I'm paraphrasing Marc Stiegler here): "Perimeter security is eggshell security... it seems pretty tough when you tap on it, but poke one hole through and you can suck out the whole yolk."
Capabilities: Effects for Free shows nicely how capabilities can also be combined with a type system to prove constraints on what a particular subset of code can do.
What we haven't talked about as much yet is all the cool things that ocaps enable. A great paper on this is Capability-based Financial Instruments (aka "Ode to the Granovetter Diagram", or "The Ode"), which shows how, using the E distributed programming language, distributed financial tooling can be built out of a shockingly small amount of code. (All of this stuff written about a decade before blockchains hit the mainstream!)
You might need to know a bit more E syntax to read The Ode; Marc Stiegler's E in a Walnut is an incredible resource, and has many insights of its own... but it's a bit more coconut-sized than walnut-sized, in my view.
An enormous amount of interesting information and papers about object capability security on the E Wiki's Documentation page page (snapshot). Honestly you could just spend a few months reading all that.
But maybe you're worrying, is it possible to build secure UIs on top of this? Not One Click for Security does a lovely job showing how ocap principles can actually result in a more intuitive flow if done correctly... one smooth enough that users might wonder, "where's the security?" Surprise! It was just smoothly baked into the natural flow of the application, which is why you didn't notice it!
And if you really want to spend a lot of time getting into the weeds of how to design ocap systems, maybe look at Mark S. Miller's PhD dissertation, Robust Composition: Towards a Unified Approach to Access Control and Concurrency Control. Chris is pretty sure they're the only one with an autographed copy sitting on their desk.
Finally, have we mentioned that Chris's work on Spritely is pretty much entirely based on extending the federated social web based on ocap security principles?