45274e47b19e158b5d9f9bf2a946006afac09520 — Jakub Pastuszek 3 years ago 8fe3ef6
A content/security-mess/ACLs dont.pdf => content/security-mess/ACLs dont.pdf +0 -0
A content/security-mess/SRL2003-02.pdf => content/security-mess/SRL2003-02.pdf +0 -0
A content/security-mess/index.md => content/security-mess/index.md +23 -0
@@ 0,0 1,23 @@
After reading about object-capability systems and hearing from Christopher Webber, reading papers like


it is now apparent to me that ACL based systems are fundamentally flawed.

If we (as engineering community) based on paper for '71 (B. Lampson. Protection. Proceedings of the 5 th Annual Princeton Conference on Information Sciences and Systems, 1971, p. 437–443. ) historically went with CAPs instead of ACLs we would be in much better place today.

Security today is a complete mess and big part of the reason is that we still use ACLs as the basic building block.

Used in OSes makes security ineffective for Desktop computers. This allows single compromised process (e.g. e-mail client, browser) to let a "evil piece of shit" to exfiltrate all your document, encrypt then and blackmail you for ransom.
If our OSes were build like E or some other capability based systems from the ground up this would be much harder to do since most of your processes would not have access to any of your files.

# What can we do?

Put capability layer on top of OS by use of safe programming patterns.

For example I can imagine standard library for Rust to be implemented in such a way that operation with files requires some sort of capability to do so on top of the ACL based restrictions that OS does. This would not prevent ransomware attacks (since they run their own code) but would help to prevent confused deputy problem for processes that act on behalf of many subjects.

We need new OSes!

We can do caps in distributed software that we build like social networks, web etc.