20: Hygiene for a computing pandemic


FOSS and Crafts · FOSS and Crafts

January 3, 2021

Show Notes

<p>Chris and Morgan, driving in the Covid-19 pandemic, reflect on lessons of hygiene and a separation of concerns from the past (seen through the retroactively surprising struggle for handwashing acceptance) while analyzing how to bring safety to today's computing security pandemic via object capability discipline.</p><p>As said in the episode, there's a lot of research and evidence for the object capability security approach! Please do scour the links below (with significant commentary attached).</p><p><strong>Links:</strong></p><ul><li><p><a href="https://en.wikipedia.org/wiki/Ignaz_Semmelweis">Ignaz Semmelweis</a> and two excellent podcast episodes with more:</p><ul><li><p><a href="https://www.iheart.com/podcast/stuff-you-missed-in-history-cl-21124503/episode/ignaz-semmelweis-and-the-war-on-29118226/">Ignaz Semmelweis and the War on Handwashing</a> on <a href="https://www.iheart.com/podcast/stuff-you-missed-in-history-cl-21124503/">Stuff You Missed in History Class</a></p></li><li><p><a href="https://maximumfun.org/episodes/sawbones/sawbones-ignaz-semmelweis/">The fascinating, inspiring, and infuriating story of Ignaz Semmelweis</a> on <a href="https://maximumfun.org/episodes/sawbones/sawbones-ignaz-semmelweis/">Sawbones</a></p></li></ul></li><li><p>The mailing list post by Chris that prompted this episode (largely the same material, a bit more particular to its audience): <a href="https://lists.w3.org/Archives/Public/public-credentials/2020Dec/0028.html">Hygiene for a computing pandemic: separation of VCs and ocaps/zcaps</a></p></li><li><p><a href="https://medium.com/agoric/pola-would-have-prevented-the-event-stream-incident-45653ecbda99">POLA Would Have Prevented the Event-Stream Incident</a>, by Kate Sills. 
Examines how malicious code, inserted into a library and designed to steal programmers' private information, keys and money, could have been prevented with capability-based security.</p></li><li><p><a href="https://librelounge.org/episodes/episode-13-object-capabilities-with-kate-sills.html">An interview with Kate Sills about object capabilities</a>; contains some of the same information presented in this episode, but with more focus on the basic concepts.</p></li><li><p><a href="https://lists.w3.org/Archives/Public/public-credentials/2020Dec/0028.html">A Security Kernel based on the Lambda Calculus</a> explains how these concepts apply to programming language design (using a limited subset of the Scheme programming language).</p></li><li><p>Ka-Ping Yee's PhD dissertation, <a href="https://web.archive.org/web/20200702023836/http://zesty.ca/pubs/yee-phd.pdf">Building Reliable Voting Machine Software</a>, demonstrates the difficulty of finding intentionally obscured security vulnerabilities through code review (see &quot;How was PVote's security evaluated?&quot;). This demonstrates that FOSS is <em>necessary but insufficient on its own</em> for security.</p></li><li><p>A <a href="https://lwn.net/Articles/57135/">backdoor which was inserted into the official Linux kernel source code</a> (and actually distributed on the official CVS server, briefly!) all the way back in 2003. Note that the vulnerability was initially discovered not through code review, but through discovering a server intrusion. The code is well obfuscated in a way that might be difficult to observe through visual inspection of a significant body of code.</p></li><li><p>The <a href="https://w3c-ccg.github.io/zcap-ld/">zcap-ld spec</a> has a subsection on <a href="https://w3c-ccg.github.io/zcap-ld/#relationship-to-vc">how to safely and hygienically bridge the worlds of identity/claims/credentials with authority/ocaps</a>. (Note some bias here: Chris co-authored this spec with Mark Miller.) 
It also has some other useful subsections: <a href="https://w3c-ccg.github.io/zcap-ld/#capabilities-are-safer">Capabilities are Safer</a> contrasts with ACLs, and <a href="https://w3c-ccg.github.io/zcap-ld/#zcap-by-example">ZCAP-LD by Example</a> shows how capabilities can be constructed on top of certificate chains (an approach not even mentioned in the episode... but yes, you can do it!)</p></li><li><p>So why are ACLs / an identity-oriented approach so bad anyway? <a href="http://waterken.sourceforge.net/aclsdont/current.pdf">ACLs Don't</a> explains the problems caused by an identity-oriented authority model:</p><ul><li><p><a href="https://en.wikipedia.org/wiki/Ambient_authority">Ambient authority</a>, i.e. &quot;programs running with too much authority&quot;... think about the &quot;solitaire running 'as you'&quot; part of the podcast (and contrast with the POLA/ocap solution also explained in-episode)</p></li><li><p><a href="https://en.wikipedia.org/wiki/Confused_deputy_problem">Confused deputies</a>, which are notoriously kind of hard to describe... Norm Hardy provides a <a href="http://www.cap-lore.com/CapTheory/CD.html">capsule summary</a> which is fairly good. But also:</p><ul><li><p><a href="https://www.youtube.com/watch?v=Yfsmc0b8o78">The Browser is a very Confused Deputy</a> is an excellent and fun video introduction.</p></li><li><p>Norm Hardy's original <a href="http://www.cap-lore.com/CapTheory/ConfusedDeputy.html">Confused Deputy paper</a> is still worth reading, and there is <a href="http://www.cap-lore.com/CapTheory/ConfusedDeputyM.html">more to read here</a></p></li><li><p>An example of a confused deputy attack against the Guile programming environment (which Chris helped uncover): <a href="https://lists.gnu.org/archive/html/guile-user/2016-10/msg00007.html">Guile security vulnerability w/ listening on localhost + port (with fix)</a>. 
Note the way that both the browser and the guile programming environment appear to be &quot;correctly behaving according to specification&quot; when looked at individually!</p></li><li><p>Another way to put it is that identity-oriented security approaches are also generally <em>perimeter-based</em> security approaches and (I'm <a href="http://www.skyhunter.com/marcs/ewalnut.html#SEC44">paraphrasing Marc Stiegler here</a>): &quot;Perimeter security is eggshell security... it seems pretty tough when you tap on it, but poke one hole through and you can suck out the whole yolk.&quot;</p></li></ul></li></ul></li><li><p><a href="http://www.cs.cmu.edu/~aldrich/papers/effects-icfem2018.pdf">Capabilities: Effects for Free</a> shows nicely how capabilities can also be combined with a type system to prove constraints on what a particular subset of code can do.</p></li><li><p>What we haven't talked about as much yet is all the cool things that ocaps <em>enable</em>. A great paper on this is <a href="http://erights.org/elib/capability/ode/index.html">Capability-based Financial Instruments</a> (aka &quot;Ode to the Granovetter Diagram&quot;, or &quot;The Ode&quot;), which shows how, using the <a href="http://erights.org/index.html">E distributed programming language</a>, distributed financial tooling can be built out of a shockingly small amount of code. (All of this stuff written about a decade before blockchains hit the mainstream!)</p></li><li><p>You might need to know a bit more E syntax to read The Ode; Marc Stiegler's <a href="http://www.skyhunter.com/marcs/ewalnut.html">E in a Walnut</a> is an <em>incredible</em> resource, and has many insights of its own... 
but it's a bit more coconut-sized than walnut-sized, in my view.</p></li><li><p>An enormous amount of interesting information and papers about object capability security on the <a href="http://wiki.erights.org">E Wiki</a>'s <a href="http://wiki.erights.org/wiki/Documentation">Documentation page</a> (<a href="https://web.archive.org/web/20200918043946/http://wiki.erights.org/wiki/Documentation">snapshot</a>). Honestly you could just spend a few months reading all that.</p></li><li><p>In particular, if you're mathematically minded and say &quot;yeah but I want the proofs, gimme the proofs; I mean like real mathy proofs!&quot; there's a whole subsection on <a href="http://wiki.erights.org/wiki/Documentation#Formal_Methods">Formal Methods</a> (<a href="https://web.archive.org/web/20200918043946/http://wiki.erights.org/wiki/Documentation#Formal_Methods">snapshot</a>)</p></li><li><p>But maybe you're worrying, is it possible to build secure UIs on top of this? <a href="https://www.hpl.hp.com/techreports/2009/HPL-2009-53.html">Not One Click for Security</a> does a lovely job showing how ocap principles can actually result in a <em>more intuitive</em> flow if done correctly... one smooth enough that users might wonder, &quot;where's the security?&quot; Surprise! It was just smoothly baked into the natural flow of the application, which is why you didn't notice it!</p></li><li><p>And if you really want to spend a lot of time getting into the weeds of how to <em>design</em> ocap systems, maybe look at Mark S. Miller's PhD dissertation, <a href="http://www.erights.org/talks/thesis/">Robust Composition: Towards a Unified Approach to Access Control and Concurrency Control</a>. 
Chris is pretty sure they're the only one with an autographed copy sitting on their desk.</p></li><li><p>Finally, have we mentioned that Chris's work on <a href="https://spritelyproject.org/">Spritely</a> is pretty much entirely based on extending the federated social web based on ocap security principles?</p></li></ul>
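To make the ambient-authority and confused-deputy points above concrete, here is a small added example (not code from the episode or from any of the linked papers) of Norm Hardy's compiler scenario: a service that writes output where a client asks and also appends to a billing log, first holding ambient write authority over the whole disk, then holding only an object capability. The in-memory disk and file paths are constructed for the demo.

```javascript
// Added example: Hardy's confused deputy in miniature, with and without
// object capabilities. The "disk" is a constructed in-memory object.

function makeDisk() {
  // The billing log is something no client should ever be able to overwrite.
  return { "/billing/log": "charge:alice\n", "/home/alice/out": "" };
}

// Ambient-authority (ACL) version: the service can write anywhere on the
// disk under ITS OWN authority, and the client designates the output with a
// plain path string. Designation and authority are separate, so the service
// has no way to tell that "/billing/log" is a path the client had no right
// to name. It is confused about whose authority it is exercising.
function compileAmbient(disk, source, outputPath) {
  disk[outputPath] = `compiled(${source})`;            // writes wherever told
  disk["/billing/log"] += `charge:${source.length}\n`; // its own duty
  return disk;
}

// Capability version: a writer is an unforgeable object bound to one path.
// Holding the writer IS the permission, so designating the file and
// authorising the write are one act; that is what closes the hole.
function makeWriter(disk, path) {
  return {
    write: (data) => { disk[path] = data; },
    append: (data) => { disk[path] += data; },
  };
}

// The service is built with its own billing writer. Clients never receive
// the disk object, only writers to files they already own (POLA).
function makeCompiler(billingWriter) {
  return (source, outWriter) => {
    outWriter.write(`compiled(${source})`);
    billingWriter.append(`charge:${source.length}\n`);
  };
}

// Run both scenarios and report whether the billing log survived.
function demo() {
  const d1 = makeDisk();
  compileAmbient(d1, "x", "/billing/log");         // client names billing log
  const d2 = makeDisk();
  const compile = makeCompiler(makeWriter(d2, "/billing/log"));
  const alice = makeWriter(d2, "/home/alice/out"); // all the client is given
  compile("x", alice);                              // cannot aim elsewhere
  return {
    ambientBillingIntact: d1["/billing/log"].startsWith("charge:alice"),
    ocapBillingIntact: d2["/billing/log"].startsWith("charge:alice"),
    ocapOutput: d2["/home/alice/out"],
  };
}
```

In the capability version a client could only damage the billing log by holding a writer for it, and nothing in the design ever hands one out; that is the "separation of concerns" the episode draws from hygiene.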