Re: Design principles and ethics (was Re: Execute without read (was [...]))

[Jonathan S. Shapiro]

On Sun, 2006-04-30 at 12:17 +0200, Bas Wijnen wrote:
> On Sat, Apr 29, 2006 at 10:23:16PM -0400, Jonathan S. Shapiro wrote:
> >   Does the mere fact that the child was instantiated by the parent
> >   imply that the child consents to disclose state to the parent?
> 
> And the answer is: We assume that it does.  Is there anything that breaks if
> we assume this?  Yes, there is.  But so far, for all the things in that
> category one of these is true:
> - It can be implemented through some other mechanism
> - We do not want to support this case, because we find it morally
>   objectionable.
> 
> If you have a use case where both these are not true, please share it with us.

Three:

  1. The ability for an administrator to back up my content without
     being able to examine it.

  2. The ability to safely store cryptographic keys on a machine having
     more than one user.

  3. The ability to securely manipulate a password database.


> Marcus posed a theorem, namely that there exist no use cases of the child
> hiding data from the parent that we want to support.  If you have an abstract
> way of proving or disproving that, please go ahead.  As far as I can see, the
> way to go is to come up with use cases and see if they work.  If not, it
> disproves the theorem.

Well, I have offered the first two examples above several times.

> Please name a use case where the party which worries about the
> confinement (that is, the one that doesn't want capabilities getting out)
> cannot be the parent.

This is not the definition of confinement. Confinement is not a question
of capabilities escaping. It is a question of *data* escaping.

> > It is also not confinement if the parent can read the child without the
> > consent of the child. Therefore it is not confinement at all.
> 
> If the child doesn't trust the parent, then you have chosen the wrong parent
> for your child.

Your user shell is the parent of /sbin/passwd when you
execute /sbin/passwd. It is entirely proper that /sbin/passwd should not
trust its parent.

> > > > Marcus proposes that any "parent" should have intrinsic access to the
> > > > state of its "children". This property is necessarily recursive. It
> > > > follows that the system administrator has universal access to all user
> > > > state, and that "safe" backups are impossible.
> > > 
> > > Nonsense.  As you said yourself a few months ago, the administrator might
> > > not have the right to touch everything.
> > 
> > In the purely hierarchical model that Marcus proposes, this property is
> > not achieved. That is the problem that I am objecting to.
> 
> Of course it is.  You nicely cut out my comment that the kernel also has
> access to all memory, so I'll say it again. ;-)  In your model, the kernel has
> access to all morory in the system.  The administrator doesn't have the right
> to change the kernel, so he cannot abuse this fact to get access.  There is no
> reason that this can't be true for other parts of the system as well.

I am not sure that the system administrator does not have the right to
change the kernel. I think that they should not, but some of the strong
opinions on this subject have said "the owner of the machine must have
unconditional control."

> The administrator needs to create user sessions.  Fine.  But this can be done
> by making a call to the system, so he doesn't himself become the parent of
> them.

What is this "the system" that you are discussing? In a system without
confinement, the administrator *controls* that!

In order to have this conversation usefully, you need to draw a system
block diagram showing the processes and their relationships (the rights
that they hold) and demonstrate that there are no leaks. You must then
explain how this system state is bootstrapped.

> > > > If I have a right to choice, it is a right to *stupid* choice.
> > > 
> > > Choice is not a right in all situations.
> > 
> > I agree. However, choice is a right in all situations where no
> > *overwhelming* third party harm can be shown to the satisfaction of the
> > consensus of the society.
> 
> No, it isn't.  Choice is wrong in situations where the people who choose are
> not knowledgeble enough to understand what they're doing, or they can't
> actually use it for something good.

Then you should certainly stop making choices about confinement. :-) :-)

> > > I do.  Evil is when a person acts in a way that is against his or her own
> > > moral values.
> > 
> > No. This is the second type of evil. The first type is when a person
> > acts in a way that imposes their values on others without sufficient
> > evidence of universal merit.
> 
> That doesn't fit with my meaning of evil, and depending on the details, it may
> not even be a bad thing at all.
> 
> If someone believes that what he does is good, then that is _by (my)
> definition_ not evil.  Evil is intenionally doing morally objectionable
> things.

Ah. So if I cut you into small pieces and hang you from trees, it is not
evil so long as I believe that doing this is good. Indeed, I might
imagine that allowing your definition of evil to propagate is bad, and
justify myself by imagining that I am pruning the moral garden (lovely
image, but even *I* don't know what it means).

The fact that this statement is consistent with your definition of evil
suggests that the definition needs re-examination.


shap