[cap-talk] an access control matrix model of capabilities
Zooko
cap-talk@mail.eros-os.org
Wed, 02 Apr 2003 12:26:47 -0500
(I, Zooko, wrote the lines prepended with "> > ".)
Ben Laurie wrote:
>
> > In an ACL system, subject X can grant privilege P to subject Y only if X holds
> > privilege P -- that is, only if X can access the P column of the (original)
> > Lampson access control matrix.
>
> Surely this isn't true? In an ACL system I could have a privilege P'
> which is "can grant privilege P" without having P myself.
I guess there might be an ACL system where having a privilege is not a
prerequisite for granting it, but this would seem unusual to me. Is this sort
of thing common? (For "unprivileged" users, not for "admins".)
The part of my note that you quoted above is from "The Punchline", and when it
says "an ACL system", it doesn't specify exactly what sort of ACL system it
means.
The point of "The Punchline" is the observation that a kind of "basic notion" in
ACLs is that granting of privileges is constrained by having the privilege -- by
having rights to the appropriate column, whereas the analogous concept in cap
systems is that granting of privileges is constrained by having access to both the
privilege -- the column, and the recipient -- the row.
I would like to write this down more formally and compare it against *real* ACL
systems, but first I will have to read these two references that David Wagner
sent to me, each of which might be ACL systems with "Higher-Order Least-Privilege":
Ray Spencer, Stephen Smalley, Peter Loscocco, Mike Hibler, David Anderson,
Jay Lepreau
The Flask Security Architecture: System Support for Diverse Security Policies
Univ. of Utah Technical Report UUCS-98-014, August, 1998.
http://citeseer.nj.nec.com/spencer98flask.html
Sotiris Ioannidis, Steven M. Bellovin
Sub-Operating Systems: A New Approach to Application Security
Technical Report MS-CIS-01-06, University of Pennsylvania, February 2000.
http://citeseer.nj.nec.com/ioannidis00suboperating.html
Regards,
Zooko
http://zooko.com/
^-- under re-construction: some new stuff, some broken links
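The two grant rules that "The Punchline" contrasts, written out as a toy Lampson access control matrix. This is an added illustration, not code from the thread or from any real ACL or capability system: subjects are rows, objects are columns, a cell is the set of rights a subject holds over an object, and in the capability variant every subject is also an object, so "having access to the recipient's row" is modelled as holding a hypothetical `SEND` right in that recipient's column. Names such as `alice`, `bob`, `file` and `SEND` are made up for the example.

```python
"""Two grant rules over a Lampson access control matrix.

Added illustration for the cap-talk thread above; not code from the thread
or from any real system.  Rows are subjects, columns are objects, and a cell
holds the set of rights that subject has over that object.  Under the
capability rule every subject is also an object, and "reaching the recipient"
means holding a (hypothetical) SEND right in that recipient's column.
"""

SEND = "send"   # hypothetical right: "can deliver a capability to this subject"


class AccessMatrix:
    def __init__(self):
        self._cells = {}   # (subject, object) -> set of right names

    def rights(self, subject, obj):
        """Rights `subject` holds over `obj` (the cell at row subject, column obj)."""
        return frozenset(self._cells.get((subject, obj), ()))

    def add_right(self, subject, obj, right):
        self._cells.setdefault((subject, obj), set()).add(right)

    def grant_acl(self, granter, recipient, obj, right):
        """ACL-style delegation as described in the note: the granter must hold
        `right` in the `obj` column.  The granter's relation to the recipient's
        row is not consulted at all."""
        if right not in self.rights(granter, obj):
            return False
        self.add_right(recipient, obj, right)
        return True

    def grant_cap(self, granter, recipient, obj, right):
        """Capability-style delegation: the granter must hold `right` in the
        `obj` column AND a SEND right in the `recipient` column (a capability
        to the recipient).  Lacking either, nothing is transferred."""
        if right not in self.rights(granter, obj):
            return False
        if SEND not in self.rights(granter, recipient):
            return False
        self.add_right(recipient, obj, right)
        return True


def demo():
    """Run the same delegation attempts under both rules; return the outcomes."""
    acl = AccessMatrix()
    acl.add_right("alice", "file", "read")
    cap = AccessMatrix()
    cap.add_right("alice", "file", "read")

    results = {}
    # ACL rule: alice can hand "read" to bob although she has no relationship
    # to bob at all.  Only the column matters.
    results["acl_alice_to_bob"] = acl.grant_acl("alice", "bob", "file", "read")
    # mallory holds nothing on file, so the column check rejects her.
    results["acl_mallory_to_bob"] = acl.grant_acl("mallory", "bob", "file", "write")
    # Cap rule: the same grant fails because alice has the column (read on
    # file) but not the row (no capability to bob).
    results["cap_alice_to_bob_unreachable"] = cap.grant_cap("alice", "bob", "file", "read")
    # Once alice holds a capability to bob, the grant goes through.
    cap.add_right("alice", "bob", SEND)
    results["cap_alice_to_bob_reachable"] = cap.grant_cap("alice", "bob", "file", "read")
    # Holding a capability to the recipient alone is not enough either:
    # carol can reach bob but has nothing on file to give him.
    cap.add_right("carol", "bob", SEND)
    results["cap_carol_to_bob_no_column"] = cap.grant_cap("carol", "bob", "file", "read")
    results["bob_read_acl"] = "read" in acl.rights("bob", "file")
    results["bob_read_cap"] = "read" in cap.rights("bob", "file")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The ACL variant deliberately checks only the column, matching the "basic notion" the note attributes to ACLs; Ben Laurie's "can grant P without holding P" system would be a third rule that tests a separate meta-right instead, which is exactly the comparison against real ACL systems the note says it still has to make.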