CapDesk has the following features, all wrapped in a user-friendly point
and click user interface that does not require passwords or irritating
security-oriented dialog boxes. For more information about how CapDesk can
achieve so much in a fashion that is so transparent to the user, see the
Introduction to Capability Security for Users at http://www.skyhunter.com/narratedIntros.html.
CapDesk features include:
- Secure point-and-click distributed file management:
CapDesk can act as a powerful replacement for FTP servers in
- Fine-grain grants of authority, enabling
implementation of the Principle of Least Authority (POLA) to a degree not
generally available in Unix or Windows systems.
- Easy file service configuration: Individual users can
straightforwardly configure fine grain grants for one another, not only
enabling but encouraging community-wide delegation and conferral of
authority in a fashion that maximizes the effectiveness of participants
while minimizing the risks of distributed power.
- Ad-hoc virtual private networking: Applications
launched in CapDesk transparently work with files regardless of where the
files reside. Consequently the resulting network of relationships among
people, programs, and data has many of the characteristics of a virtual
private network. However, because these relationships are so easily
created and revoked, these networks are dynamic to an extent VPN systems
cannot achieve. And because the grants are naturally fine-grain,
CapDesk-based networking supplies much stronger security guarantees among
the participants. CapDesk-based "VPN"s can be extended across multiple
organizations that have only limited trust in one another, without fear
- A Minimal-Authority application-launching environment:
The CapDesk Launcher guarantees that applications receive no
more authority than they require to do their jobs. Hence, even if a
programming bug in an application might serve as an exploitable hole for
a cracker, the attack will get little traction since the application
itself has little authority that it can confer. Developers of
applications can naturally and painlessly use POLA on each individual
library package in the application, so that there is little code in the
application itself that has even the limited aurhority of the application
as a whole, further thwarting cyberattack.
- Hitherto impossible integration of usability, security, and
functionality: CapDesk embodies user friendliness at a level
normally though of as unachievable without sacrifice of either
functionality or security. CapDesk, and applications launched within
CapDesk, require no passwords, no security-oriented dialog boxes, no
warnings about the consequences if you run a block of signed code and
discover too late that the code is malicious or easily cracked. Users use
the same point/click drag/drop operations they already understand, and
the security properties are enforced with so little user overhead that it
is almost free.
- Invulnerability to over-the-network attack: Because in
practice most applications need only a small amount of authority at any
one time, and because CapDesk makes it intuitive and natural to grant
authority only as needed, CapDesk supplies a computing environment which
is effectively invulnerable to traditional cyberattack.
The security claims made here have been reviewed under the auspices of
DARPA, for whom Combex contracted with a team including Dr. David Wagner of
UC Berkeley to conduct a security review. You can read their review at http://combex.com/papers/darpa-review/index.html.
We have succeeded in marrying security, power, and usability to an extent
that would otherwise seem unachievable because CapDesk's underlying paradigm,
capability-based security, has been poorly explored and more poorly
understood by the computer security community for three decades. To read a
draft of a paper by the Combex CTO, which describes and corrects several
crucial misunderstandings of capability security, please contact Marc Stiegler.