
CapTP: Distributed Capability Security



  1. CapTP: Distributed Capability Security
     • Mark Miller, Marc Stiegler
     • CTO & COO, Combex, Inc.
     • www.erights.org, www.combex.com

  2. CapTP: Capability Transport Protocol
     (diagram labels: Object, Capability, Message, Vat, Process / Machine)
     • Distributed Object-Capability Security
     • Communicating Event Loops
     • Asynchronous Pipelined Promises

  3. Overview of CapTP
     • Distributed Capability Security
     • ------------- as time permits: --------------
     • Communicating event loops: deadlock-free, non-blocking concurrency control
     • Asynchronous Pipelined Promises: massive latency compensation; “whiteboard” animation
     • Remaining features: partition & recovery support, distributed equality, adversarial distributed GC, partially ordered delivery

  4. Distributed Capability Overview
     • What went wrong?
     • What are object-capabilities?
     • What aren't they?
     • Why capabilities?
     • What's been set right?
     • Distributed caps, how?
     • Patterns and examples

  5. What Went Wrong?
     • Walls + holes are no architecture
     • ACLs can't do POLA
     • The cashier & the wallet
     • Layering failure

  6. What Are Object-Capabilities?
     • By Introduction (diagram labels: ref to Carol, ref to Bob, decides to share; Alice says: bob.foo(carol))
     • By Parenthood
     • By Construction
     • By Initial Conditions
     • Absolute Encapsulation
     • Only source of authority

  7. What Aren't They?
     (diagram labels: Capabilities as Rows, Capabilities as Keys)
     • “Capability Myths Demolished”
     • Equivalence? Revocability? Confinement?
     • http://zesty.ca/capmyths/usenix.pdf

  8. Capability Myths Demolished: Models mostly missed virtues of actual systems

  9. Capabilities == O-O Security
     • Capability discipline -> good software engineering
     • Good software engineering -> capability discipline
     • Modularity -> omit needless dependencies
     • Required trust is a form of dependency
     • Information hiding -> “need to know”
     • POLA -> “need to do”
     • Security is the extreme of modularity
     • Security Abstraction Mechanisms
     • Patterns of Cooperation Without Vulnerability

  10. What's Been Set Right?
     • Designation + Authority is an architecture
     • Avoids “Confused Deputy” problems
     • POLA emerges naturally
     • Acts of designation also convey least authority
     • Direct Correspondence
     • Reify customer's “rights” as objects
     • Business logic built as security abstractions
     • “Capability-based Financial Instruments” at FC2000

  11. Distributed Caps, How?
     • Solving both impostor problems
     • Fully decentralized designation and authorization
     • Mobility: (Fingerprint + hint) as network address

  12. Distributed Cap Pattern: The Revocable Facet

       def makeRevoker(var precious) :any {
           def r {
               to pass(verb, args) :any { E.send(precious, verb, args) }
               to revoke() { precious := null }
           }
           def f {
               match [verb, args] { r.pass(verb, args) }
           }
           [f, r]
       }

     “E in a Walnut” www.skyhunter.com/marcs/ewalnut.html
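The same pattern in JavaScript, as an added example that is not part of the slides or of E: a `Proxy` `get` trap plays the role of E's `match [verb, args]` catch-all, and the constructed `demo` shows a counter being reached through the facet and then cut off (JavaScript's built-in `Proxy.revocable` packages the same idea).

```javascript
// Added example, not the slides' E code: the revocable facet pattern in JavaScript.
// The holder of `facet` can send any message to `precious` but never obtains
// `precious` itself; only the holder of `revoker` can cut the link.
function makeRevoker(precious) {
  let target = precious;                 // becomes null once revoked
  const revoker = {
    pass(verb, args) {                   // forward one message to the target
      if (target === null) throw new Error("revoked: " + String(verb));
      return target[verb](...args);
    },
    revoke() { target = null; },         // drop the only path to precious
  };
  // Every property access on the facet yields a forwarding function,
  // the JavaScript counterpart of E's `match [verb, args]`.
  const facet = new Proxy(Object.freeze({}), {
    get(_, verb) { return (...args) => revoker.pass(verb, args); },
  });
  return [facet, revoker];
}

// Constructed demo: hand Bob a facet on a counter, use it, then revoke it.
function demo() {
  const counter = { n: 0, inc() { return ++this.n; } };
  const [bobsFacet, revoker] = makeRevoker(counter);
  const before = bobsFacet.inc();        // forwarded: returns 1
  revoker.revoke();
  let after;
  try { bobsFacet.inc(); after = "still works"; }
  catch (e) { after = e.message; }
  return { before, after, count: counter.n };  // { before: 1, after: "revoked: inc", count: 1 }
}
```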

  13. Distributed Cap Example: Money

       def makeMint(name) :any {
           def [sealer, unsealer] := makeBrandPair(name)
           def mint {
               to makePurse(var balance :(integer >= 0)) :any {
                   def decr(amount :(0..balance)) { balance -= amount }
                   def purse {
                       to getBalance() :any { balance }
                       to sprout() :any { mint.makePurse(0) }
                       to getDecr() :any { sealer.seal(decr) }
                       to deposit(amount :int, src) {
                           unsealer.unseal(src.getDecr())(amount)
                           balance += amount
                       }
                   }
               }
           }
       }
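The mint in JavaScript, as an added example rather than the slides' E code: the brand pair is modelled with a `WeakMap` (an assumption about how to realise `makeBrandPair`), the `:(0..balance)` guard becomes an explicit range check inside `decr`, and the constructed `mintDemo` exercises a valid transfer plus an overdraft and a cross-mint deposit that must both fail without touching any balance.

```javascript
// Added example, not the slides' E code: the mint/purse pattern in JavaScript.
// A sealer/unsealer "brand pair" built on a WeakMap: only this mint can unseal.
function makeBrandPair(name) {
  const contents = new WeakMap();        // sealed box -> hidden value
  const seal = (value) => { const box = Object.freeze({}); contents.set(box, value); return box; };
  const unseal = (box) => {
    if (!contents.has(box)) throw new Error("not sealed by " + name);
    return contents.get(box);
  };
  return [{ seal }, { unseal }];
}

function makeMint(name) {
  const [sealer, unsealer] = makeBrandPair(name);
  const mint = {
    makePurse(balance) {
      if (!Number.isInteger(balance) || balance < 0) throw new RangeError("bad balance");
      const decr = (amount) => {         // reachable only through a sealed box
        if (!Number.isInteger(amount) || amount < 0 || amount > balance) throw new RangeError("bad amount");
        balance -= amount;
      };
      const purse = Object.freeze({
        getBalance() { return balance; },
        sprout() { return mint.makePurse(0); },
        getDecr() { return sealer.seal(decr); },
        deposit(amount, src) {
          unsealer.unseal(src.getDecr())(amount); // throws unless src is a purse of this mint
          balance += amount;
        },
      });
      return purse;
    },
  };
  return mint;
}

// Constructed demo: Alice pays Bob 30, then two deposits that must fail.
function mintDemo() {
  const carolMint = makeMint("Carol");
  const alice = carolMint.makePurse(100);
  const bob = alice.sprout();            // empty purse of the same currency
  bob.deposit(30, alice);
  const rejected = (f) => { try { f(); return false; } catch (e) { return true; } };
  return {
    alice: alice.getBalance(),           // 70
    bob: bob.getBalance(),               // 30
    overdraft: rejected(() => bob.deposit(500, alice)),                            // true
    wrongMint: rejected(() => bob.deposit(1, makeMint("Mallory").makePurse(10))),  // true
    unchanged: alice.getBalance() === 70 && bob.getBalance() === 30,                // true
  };
}
```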

  14. Status & Experiences
     • CapTP implemented for Java and E, in progress for Squeak
     • Switching to WOS serialization standard
     • Capability-secure distributed desktop for DARPA
     • Decentralized graphical social virtual reality
     • Extensible massively multiplayer game
     • Global high-security enterprise infrastructure
     • Tutorial: 5 page capability-secure chat

  15. Overview of CapTP
     • Distributed Capability Security
     • ------------- as time permits: --------------
     • Communicating event loops: deadlock-free, non-blocking concurrency control
     • Asynchronous Pipelined Promises: massive latency compensation; “whiteboard” animation
     • Remaining features: partition & recovery support, distributed equality, adversarial distributed GC, partially ordered delivery

  16. Why no Threads & Locks? Scylla and Charybdis

  17. Communicating Event Loops: Deadlock-free, non-blocking concurrency control
     • Possibly remote reference: “Eventual” one-way send
       promise := bob <- foo(carol)
       Event-loop queuing, no synchronized blocks
       Happens later, and in order ... unless partitioned
     • Known near reference: “Immediate” call-return
       val := bob.foo(carol)
       Sequential stacking, no synchronized blocks
       Happens now; partition impossible

  18. Distributed Queuing

  19. Asynchronous Pipelined Promises: Massive latency compensation

       t3 := (x <- a()) <- c(y <- b())

     Expands to...

       t1 := x <- a()
       t2 := y <- b()
       t3 := t1 <- c(t2)

     Message always moves towards arrowhead.
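To make the queuing on slide 17 and the expansion on slide 19 concrete, here is an added example (not CapTP or E code) of a toy single-vat event loop in JavaScript: `send` models `<-`, promises buffer messages until they resolve so that `t1 <- c(t2)` can be queued before `a()` has even run, and `run` delivers one message at a time to completion with no locks; the constructed `pipelinedDemo` records the delivery order for `t3 := (x <- a()) <- c(y <- b())`.

```javascript
// Added example, not the slides' E code: a toy single-vat event loop in
// JavaScript showing eventual sends, in-order delivery and promise pipelining.
const queue = [];                        // the vat's message queue

class Promise_ {                         // E-style promise: resolved at most once
  constructor() { this.state = "pending"; this.value = undefined; this.buffered = []; this.waiters = []; }
  resolve(value) {
    if (this.state !== "pending") return;
    if (value instanceof Promise_) {     // resolved to another promise: chain on it
      if (value.state === "fulfilled") this.resolve(value.value);
      else value.waiters.push((v) => this.resolve(v));
      return;
    }
    this.state = "fulfilled"; this.value = value;
    for (const m of this.buffered) queue.push({ ...m, target: value }); // now deliverable, in order
    this.buffered = [];
    for (const w of this.waiters) w(value);
    this.waiters = [];
  }
}

// Eventual send `target <- verb(args)`: queue the message, return a promise for the result.
function send(target, verb, ...args) {
  const result = new Promise_();
  const msg = { target, verb, args, result };
  if (!(target instanceof Promise_)) queue.push(msg);
  else if (target.state === "fulfilled") queue.push({ ...msg, target: target.value });
  else target.buffered.push(msg);       // pipelined: waits on the promise, keeps order
  return result;
}

// Run the event loop: deliver messages one at a time, each to completion, no locks.
function run() {
  while (queue.length > 0) {
    const { target, verb, args, result } = queue.shift();
    result.resolve(target[verb](...args));
  }
}

// Constructed demo of t3 := (x <- a()) <- c(y <- b()); `trace` records delivery order.
function pipelinedDemo() {
  const trace = [];
  const x = { a() { trace.push("x.a"); return { c(p) { trace.push("c"); return send(p, "plus", 1); } }; } };
  const y = { b() { trace.push("y.b"); return { n: 20, plus(k) { trace.push("plus"); return this.n + k; } }; } };
  const t3 = send(send(x, "a"), "c", send(y, "b"));
  run();
  return { order: trace.join(","), value: t3.value };   // { order: "x.a,y.b,c,plus", value: 21 }
}
```

Note that `c` receives `t2` as a promise and has to use `send` on it, exactly as an E callee would; the message to `c` is delivered after `a()` resolves, and its result chains through to `t3`.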

  20. Remaining CapTP Features (stay tuned to www.erights.org for more on these)
     • Partition & recovery support
       • Live vs. Sturdy references
     • Adversarial distributed acyclic GC
     • Distributed equality – tricky to define
       • The Grant Matcher Puzzle
     • Partially ordered message delivery
       • When can the tortoise pass the hare?
       • Forks and joins in the message-order graph
     • Distributed causality-flow debugging in progress

  21. Bibliography
     • Capability Myths Demolished: zesty.ca/capmyths/usenix.pdf
     • E in a Walnut: www.skyhunter.com/marcs/ewalnut.html
     • Capability-based Financial Instruments (the “Ode”): www.erights.org/elib/capability/ode/index.html
     • Intro to Capability-based Security: www.skyhunter.com/marcs/capabilityIntro/index.html
     • Statements of Consensus: www.erights.org/elib/capability/consensus-9feb01.html
     • The CapTP Protocol (including its VatTP substrate): www.erights.org/elib/distrib/vattp/index.html, www.erights.org/elib/distrib/captp/index.html
     • WOMP & WOS: www.waterken.com/dev/Web/Message/
     • Web sites: www.erights.org, www.combex.com, www.eros-os.org, www.cap-lore.com/CapTheory, www.capidl.org, www.waterken.com
