CapDesk Features

CapDesk has the following features, all wrapped in a user-friendly point and click user interface that does not require passwords or irritating security-oriented dialog boxes. For more information about how CapDesk can achieve so much in a fashion that is so transparent to the user, see the Introduction to Capability Security for Users at http://www.skyhunter.com/narratedIntros.html. CapDesk features include:

• Secure point-and-click distributed file management: CapDesk can act as a powerful replacement for FTP servers in security-aware environments.
• Fine-grain grants of authority, enabling implementation of the Principle of Least Authority (POLA) to a degree not generally available in Unix or Windows systems.
• Easy file service configuration: Individual users can straightforwardly configure fine grain grants for one another, not only enabling but encouraging community-wide delegation and conferral of authority in a fashion that maximizes the effectiveness of participants while minimizing the risks of distributed power.
• Ad-hoc virtual private networking: Applications launched in CapDesk transparently work with files regardless of where the files reside. Consequently the resulting network of relationships among people, programs, and data has many of the characteristics of a virtual private network. However, because these relationships are so easily created and revoked, these networks are dynamic to an extent VPN systems cannot achieve. And because the grants are naturally fine-grain, CapDesk-based networking supplies much stronger security guarantees among the participants. CapDesk-based "VPN"s can be extended across multiple organizations that have only limited trust in one another, without fear of compromise.
• A Minimal-Authority application-launching environment: The CapDesk Launcher guarantees that applications receive no more authority than they require to do their jobs. Hence, even if a programming bug in an application might serve as an exploitable hole for a cracker, the attack will get little traction since the application itself has little authority that it can confer. Developers of applications can naturally and painlessly use POLA on each individual library package in the application, so that there is little code in the application itself that has even the limited aurhority of the application as a whole, further thwarting cyberattack.
• Hitherto impossible integration of usability, security, and functionality: CapDesk embodies user friendliness at a level normally though of as unachievable without sacrifice of either functionality or security. CapDesk, and applications launched within CapDesk, require no passwords, no security-oriented dialog boxes, no warnings about the consequences if you run a block of signed code and discover too late that the code is malicious or easily cracked. Users use the same point/click drag/drop operations they already understand, and the security properties are enforced with so little user overhead that it is almost free.
• Invulnerability to over-the-network attack: Because in practice most applications need only a small amount of authority at any one time, and because CapDesk makes it intuitive and natural to grant authority only as needed, CapDesk supplies a computing environment which is effectively invulnerable to traditional cyberattack.

The security claims made here have been reviewed under the auspices of DARPA, for whom Combex contracted with a team including Dr. David Wagner of UC Berkeley to conduct a security review. You can read their review at http://combex.com/papers/darpa-review/index.html.

We have succeeded in marrying security, power, and usability to an extent that would otherwise seem unachievable because CapDesk's underlying paradigm, capability-based security, has been poorly explored and more poorly understood by the computer security community for three decades. To read a draft of a paper by the Combex CTO, which describes and corrects several crucial misunderstandings of capability security, please contact Marc Stiegler.