The Dilemma

We need some more formal definitions for what we aspire to. I don’t have any.

I think that Morris’s paper made it clear that to unseal a box one had to hold the box and the unsealer. It should require that these two be brought together, named and presented in a single primitive operation to acquire the content of the box. This attack is on an attractive pattern that seemed to provide Morris’s seal function.

Just now (2016 June 19) I see no use of Morris sealers that Stiegler’s pattern does not provide.

I had jumped to the conclusion that synergy had to bottom out at a primitive language function. Keykos provides synergy functions that are about four abstraction layers removed from the closely held domain tool where they all bottom out. Then I thought that Stiegler’s mechanism achieved synergy with only the lexical scope and persistent functions available in many modern GC languages. I am reverting to my earlier opinion. I think that Stiegler’s mechanism still serves many purposes.

The dilemma is whether we should be concerned with such attacks. We need threat models. Imagine a world where unsealers are spread among several mutually suspicious agents. Morris alludes to a signature-like function that he refers to as a trademark. If someone sends you a box that can be unsealed by the official unsealer that you know came from the county, you can be assured that the RO box content is an official deed that says Joe owns that property. This gives you the same sort of assurance as a digital signature without all the arithmetic. It is easy to see that unsealers will be broadly available, but perhaps not universally.
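The trademark use described above, as an added example that is not code from this page, from Morris or from Stiegler: a sealer/unsealer pair built only from lexical scope and closures, with the county sealing a read-only deed and a recipient checking it with the county's unsealer. The shared-slot design and every name in it (makeBrandPair, seal, unseal, offer, verifyDeed, the parcel value) are assumptions made for illustration.

```javascript
// Added sketch: closure-based sealer/unsealer pair in a shared-slot style.
// All names are hypothetical; this is not the page's or any project's code.
function makeBrandPair(label) {
  let slot = null;      // shared slot, reachable only from this pair's closures
  let filled = false;

  function seal(content) {
    // The box exposes a single method; calling it drops the content
    // into this pair's private slot and nowhere else.
    return Object.freeze({
      label,
      offer() { slot = content; filled = true; },
    });
  }

  function unseal(box) {
    slot = null; filled = false;
    try {
      box.offer();      // a box from another pair fills a different slot
    } catch (_) { /* not a box at all */ }
    if (!filled) throw new Error(`${label}: box not sealed by this brand`);
    const content = slot;
    slot = null; filled = false;  // do not leave content lying in the slot
    return content;
  }
  return { seal, unseal };
}

// Constructed scenario: the county keeps `seal` and hands out `unseal`.
const county = makeBrandPair("county");
const forger = makeBrandPair("forger");
const deedBox = county.seal(
  Object.freeze({ owner: "Joe", parcel: "constructed-parcel-17" }));
const fakeBox = forger.seal(
  Object.freeze({ owner: "Mallory", parcel: "constructed-parcel-17" }));

// Recipient's check: content comes back only for boxes the county sealed.
function verifyDeed(box) {
  try { return county.unseal(box); } catch (_) { return null; }
}
```

In this sketch the box and the unsealer meet through an ordinary method call on the box, not through a single primitive operation that names both, which is the distinction the page is concerned with.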

It is also easy to imagine that the sealed box moves between protection domains. Neither the box nor the unsealer is closely held. Yet we want to say that one must bring them together to see the content.

In some contexts we seek mutual isolation, such as confinement to achieve practical ends. Sometimes data channels are allowed between protection domains over which only data can flow. One such pattern is metered data flows used to sell measured access to data. The attack above seems viable in this scenario. Even without the data channel you can imagine ‘mob justice’ where there is a rumor that some particular sealed box contains evidence of malfeasance and that some moderately widespread unsealer can unseal it. Some might hope that these two camps are disjoint.

It is as if one could not filter ports to carry only data. Data and boxes must both be allowed if data are allowed.


Just now I think that the attack on Stiegler’s mechanism fails when the conspirators can communicate only through RW access to plain shared storage. I say “plain” because fancy storage can be created in Keykos, access to which causes code defined by the creator to be executed. I do not know what to make of these distinctions.