feasibility of principal-based access control
shapj@us.ibm.com
Tue, 6 Jul 1999 08:52:10 -0400
The answer is: you cannot, with or without confinement. First, just to get the
terms straight, I assume that what you meant was:
>Without confinement,
>how is the statement that "A wrote **X**" supposed to be recorded in the
>case of colluding A and B?
That is, "A" and "B" are principals, and "X" is an object. Assume, for the sake
of discussion, that you could hand to A a unique capability stamped "a" (i.e.
stamped with something recognizable as a principal id). You can now design your
system in one of two ways:
1. Anyone can use a capability, regardless of stamp.
2. To use a capability, it must have your stamp. Let us assume for a moment that
we can successfully stamp processes with user identities. I'm not sure we can,
but let's take it as a working assumption to see if stamping the capabilities
will help.
Since "A" can always construct a proxy object for X, and hand B a capability to
the proxy object, the second case is in practice no different from the first.
[This is the fundamental argument *against* a "do not copy" bit in the
capability representation.]
Therein lies the rub. You can record anything you want in the audit trail, but
given a record in the audit trail of the form "A wrote X", you don't really know
that it is true. The best you can know is that "X was written using a
capability stamped 'a'". What this tells you is that either:
1. A built a proxy for B
2. A gave the capability to B (intentionally)
3. A was tricked or enticed or otherwise *mistakenly* gave the capability to B.
4. A was tricked or enticed or otherwise induced to *use* the capability on
behalf of B.
5. A really used the capability on their own behalf.
So basically, there is no way to know what the administrator would like to know.
Confinement doesn't really help. Confinement allows one user's agent (i.e. some
program that is a client of the confinement box) to control where the
information within the confinement box goes, but it does not prevent *that user*
from disclosing things or inserting into the confinement box capabilities by
which the confinement box can disclose things directly; the confinement contract
is an *initial* contract; its continuance depends on the actions of the client.
Jonathan S. Shapiro, Ph. D.
IBM T.J. Watson Research Center
Email: shapj@us.ibm.com
Phone: +1 914 784 7085 (Tieline: 863)
Fax: +1 914 784 7595
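A toy model of the proxy argument in the reply above, added here as an illustration and not code from the list or from any capability system: the kernel enforces design 2 (a capability may only be used by the principal whose stamp it carries), yet once A builds a proxy holding its own capability, B's write reaches X through it and the audit trail for X is identical to A's own honest use. All class and function names are constructed.

```python
from dataclasses import dataclass
from typing import Any

AUDIT: list[str] = []  # the trail an administrator would inspect

class Obj:
    def __init__(self, name: str) -> None:
        self.name, self.contents = name, []
    def write(self, data: str) -> None:
        self.contents.append(data)

@dataclass(frozen=True)
class Cap:
    target: Any  # the Obj or Proxy this capability designates
    stamp: str   # principal id stamped on the capability (design 2)

def invoke_write(caller: str, cap: Cap, data: str) -> bool:
    """Kernel entry point: refuse unless the caller owns the stamp."""
    if cap.stamp != caller:
        AUDIT.append(f"DENIED: '{caller}' used cap stamped '{cap.stamp}'")
        return False
    # The only fact the kernel can truthfully record is which stamp was used.
    AUDIT.append(f"write to {cap.target.name} using cap stamped '{cap.stamp}'")
    cap.target.write(data)
    return True

class Proxy:
    """Object A constructs: it holds A's capability and invokes it as A."""
    name = "proxy"
    def __init__(self, owner: str, cap: Cap) -> None:
        self.owner, self.cap = owner, cap
    def write(self, data: str) -> None:
        invoke_write(self.owner, self.cap, data)  # runs on A's behalf

def audit_for(obj_name: str) -> list[str]:
    return [e for e in AUDIT if f"to {obj_name} " in e]

def run() -> tuple[bool, list[str], list[str]]:
    x = Obj("X")
    cap_a = Cap(x, "a")                            # capability handed to A
    denied = not invoke_write("b", cap_a, "data")  # B's direct use is refused
    AUDIT.clear()
    invoke_write("a", cap_a, "data")               # A's honest use (case 5)
    honest = audit_for("X")
    AUDIT.clear()
    invoke_write("b", Cap(Proxy("a", cap_a), "b"), "data")  # case 1: proxy
    colluding = audit_for("X")
    return denied, honest, colluding               # honest == colluding
```

The two audit slices returned by `run()` are equal, which is the point: the record "written using a capability stamped 'a'" cannot distinguish cases 1 through 5 in the list above.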
Dave Long <dl@silcom.com> on 07/06/99 02:10:16 AM
To: Jonathan S Shapiro/Watson/IBM@IBMUS
cc:
Subject: Re: feasibility of principal-based access control
I'm not sure I understand your question.
In a system with confinement, I can see how one could capture an
audit trail of all communication between domains, and postprocess
the audit to determine if policies were met. Without confinement,
how is the statement that "A wrote B" supposed to be recorded in the
case of colluding A and B?
-Dave