capability security links
Kragen Sitaker
kragen@knownow.com
Thu, 3 Aug 2000 15:00:38 -0500 (CDT)
Norman Hardy's home page is a good place to start; he also has various
links to very deep CS research.
http://www.mediacity.com/~norm/

Capability stuff is at
http://www.mediacity.com/~norm/CapTheory/index.html

The Confused Deputy stuff is at
http://www.mediacity.com/~norm/CapTheory/ConfusedDeputyM.html

He links to a rant of mine which I think is probably a little half-baked.

What I have termed "strong capability systems" --- in which the capability
is a little piece of magic, not just a string of text --- are able to
provide interesting isolation properties within a closed system, and
generally form a very simple and flexible substrate on which one can build
any desired security policy, including things like role-based and
mandatory access controls, confinement and covert-channel control,
object immutability, and read-only access.

Web-wide strong capability systems are not possible, as far as I know; we
have to rely on weak capability systems. I think.

There is a Distributed Trusted OS paper surveying a variety of operating
systems' security models; KeyKOS is one of them. It is currently
available at
http://www.cs.utah.edu/flux/fluke/html/dtos/HTML/final-docs/mer.pdf.
The authors do not express great faith in the assurability of the KeyKOS
security system, so perhaps this may act as an antidote to my optimism :)

Of course, I should mention http://www.eros-os.org/.
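As an added illustration (not from the message above) of the "substrate" idea, the following Python sketch derives read-only access and revocation from a full-authority object reference purely by wrapping; the Store/ReadOnly/Revocable names are constructed for this example, and Python itself is not a capability-safe language, so the pattern shows the discipline rather than enforcing it.

```python
# Added example: capability discipline in plain Python. Authority is held only
# as object references (nothing is looked up by name from ambient state), and
# weaker capabilities are derived by wrapping a stronger one. The class names
# and the toy Store are constructed for this illustration; Python's leading
# underscore is a convention, not an enforced boundary.


class Store:
    """Full-authority capability: holder may both read and write."""
    def __init__(self):
        self._data = {}

    def read(self, key):
        return self._data.get(key)

    def write(self, key, value):
        self._data[key] = value


class ReadOnly:
    """Attenuated facet: forwards only read(); no write method exists."""
    def __init__(self, store):
        self._store = store

    def read(self, key):
        return self._store.read(key)


class Revocable:
    """Forwarder whose creator can later sever the link to the target."""
    def __init__(self, target):
        self._target = target

    def read(self, key):
        if self._target is None:
            raise PermissionError("capability revoked")
        return self._target.read(key)

    def revoke(self):
        self._target = None


def demo():
    """Build store -> read-only facet -> revocable forwarder, then revoke."""
    store = Store()
    store.write("secret", 42)
    handed_out = Revocable(ReadOnly(store))   # what a client would receive
    can_write = hasattr(handed_out, "write")  # False: facet never had write
    before = handed_out.read("secret")        # 42 while the link is live
    handed_out.revoke()
    try:
        handed_out.read("secret")
        after = "still readable"
    except PermissionError:
        after = "revoked"
    return can_write, before, after
```

The same wrapping step is how confinement or immutability policies are layered on: each layer holds one reference and exposes strictly less than it holds.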