Capability Security
Piotr Kaminski, July 18, 2003
30 Minute Roadmap
• From traditional methods to capabilities
• Problems solved by capabilities
• Some objections addressed
SEng 480a / CSc 586a: Capability Security
Rotate Tradition 90°
[Figure: access matrix of subjects A, B, C against resources File1, File2, File3, with entries R, W and RW; the same matrix read per resource gives Access Control Lists, read per subject gives Capabilities]
• Firewalls, file permissions, stack introspection, …
• open namespace + logic wall = a leaky sieve
• difficult to code, performance suffers too
• Authorization policies: Access Control Lists vs. Capabilities
Capability Discipline
• A capability is
    • a reference to a resource,
    • combined with authority to use that resource,
    • that cannot be forged.
• Mechanisms that don’t change:
    • authentication
    • information security (encryption)
    • security testing (?)
• Advantages
    • enable principle of least authority
    • no designation without authority
Mmm…Tight Security
• A secure system ensures that subjects are only allowed to perform authorized actions on resources
Principle Of Least Authority (POLA): Each subject is authorized to perform all and only the actions necessary for its work.
Policy in the Matrix
[Figure: access matrix, resources on one axis and subjects on the other]
• POLA depends on:
    • fine resource and subject granularity
    • dynamic resource and subject creation
    • fine authority granularity
• Not practical with ACLs
    • subjects per-user or per-role
    • authorities are often coarse
• Trivial with capabilities
    • subjects per-object or per-process
    • authorities down to individual method level
Confused Deputy
• Scenario:
    • Print spooler component is given authority to write to a billing file, “/etc/bill”.
    • Print spooler accepts a file name from user to save status information.
    • User asks for status to be saved to “/etc/bill”.
    • Print spooler overwrites billing information, user gets free printing.
• How to prevent this scenario using traditional methods?
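The spooler scenario above, worked through in Python as an added example (not code from the slides): the ambient-authority spooler takes a path string from the user and can be confused, while the capability spooler only writes through a FileCap the user already holds. The in-memory store and all class and function names are constructed for illustration.

```python
# Added illustration of this slide's spooler scenario, not from the deck.
# The "file system" is a constructed in-memory dict; names are hypothetical.

class FileCap:
    """Unforgeable write capability: designation and authority in one object."""
    def __init__(self, store, path):
        self._store, self.path = store, path
    def write(self, data):
        self._store[self.path] = data

class AmbientSpooler:
    """Traditional design: the spooler may write any path in the store
    (ambient authority) and the user designates a file by plain string."""
    def __init__(self, store, billing_path):
        self._store, self._billing_path = store, billing_path
    def bill(self, amount):
        self._store[self._billing_path] = f"charged {amount}"
    def save_status(self, user_supplied_path, status):
        # Designation arrives apart from authority, so the spooler cannot
        # tell whether the caller was entitled to name this path.
        self._store[user_supplied_path] = status

class CapabilitySpooler:
    """Capability design: the user hands over a FileCap, so whatever the
    spooler writes to is something the user already had authority over."""
    def __init__(self, billing_cap):
        self._billing_cap = billing_cap
    def bill(self, amount):
        self._billing_cap.write(f"charged {amount}")
    def save_status(self, status_cap, status):
        status_cap.write(status)

def run_ambient():
    store = {}
    sp = AmbientSpooler(store, "/etc/bill")
    sp.bill(10)
    sp.save_status("/etc/bill", "job done")  # user names the billing file
    return store["/etc/bill"]                 # billing record is clobbered

def run_capability():
    store = {}
    sp = CapabilitySpooler(FileCap(store, "/etc/bill"))
    sp.bill(10)
    # The user holds a cap only to their own file; without the /etc/bill
    # cap there is no way to designate it, so the deputy is never confused.
    sp.save_status(FileCap(store, "/home/user/status"), "job done")
    return store["/etc/bill"], store["/home/user/status"]
```

In the capability version the spooler never has a "write anywhere" authority to misuse: its billing cap and the user's status cap are distinct objects, and the user cannot forge the former.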
Objection: Delegation
Claim: Capability systems cannot prevent subjects from giving away their capabilities.
Rebuttal: If two subjects can communicate, even ACLs cannot prevent delegation.
Small print: to guarantee the *-property, the system must partition capabilities from data.
Objection: Revocation
Claim: Once granted, a capability cannot be revoked.
Rebuttal: Revocation is achievable with a simple design pattern.
In the Balance
In Favour
• Principle Of Least Authority upheld
• Inseparable designation and authority
• Resilient in the face of lazy programmers
Against
• Whole-system method, hybridization weakens security
• Requires design changes
• Doesn’t seem to fit static typing
Practice Makes Perfect
• Past:
    • KeyKOS
• Present:
    • E
    • EROS
    • Waterken
• Paper:
    • Capability Myths Demolished
• Future: Earthweb?
The End
Thank You