[cap-talk] Paradigm Regained: Abstraction Mechanisms for Access Control

Mark S. Miller cap-talk@mail.eros-os.org
Fri, 22 Aug 2003 21:51:19 -0700

At http://srl.cs.jhu.edu/pubs/SRL2003-03.pdf you will find the paper Shap 
and I just submitted for my invited talk at 
Asian'03 http://www.cse.psu.edu/asian03/ . We expect to hear back from 
referees on Sep 7, so we have one more round of revision to go before camera 
ready. Discussion would be most enjoyable and quite valuable. Thanks.

I'm cross-posting this message to cap-talk, e-lang, squeak-e, mozart-oz, and 
web-calculus, but let's discuss non-platform specific issues on cap-talk. 
(Please don't reply-all.)

Paradigm Regained: Abstraction Mechanisms for Access Control

Mark S. Miller, Jonathan S. Shapiro


Access control systems must be evaluated in part on how well they support 
the Principle of Least Authority (POLA), i.e., how well they enable the 
distribution of appropriate access rights needed for cooperation, while 
simultaneously limiting the inappropriate proliferation of access rights 
which would create vulnerabilities. POLA may be practiced by arrangement of 
permissions and by abstraction of access. To date, access control systems 
have been evaluated only by their effectiveness at POLA-by-arrangement. 

Working in the original capability model proposed by Dennis and van Horn, we 
show how actual systems have used abstraction to enforce revocation, 
confinement, and the *-properties--policies whose enforcement has been 
"proven" impossible by arrangement-only analysis. To account for these 
abilities, analysis must also examine the behavior of security-enforcing 
programs (which are usually simple) to see how they limit the authority of 
arbitrarily complex untrusted programs. The original capability model, 
analyzed in these terms, is shown to be stronger than is commonly supposed. 

Text by me above is hereby placed in the public domain
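As an added illustration of "POLA by abstraction" (this is example code written for this page, not code from the paper, from the post above, or from any of the listed platforms), here is the caretaker pattern in Python: the resource holder hands an untrusted program a small forwarder instead of the resource itself, and keeps a separate revoker. The forwarder is the "simple security-enforcing program" of the abstract; the untrusted code can be arbitrarily complex but only ever reaches the resource through it. The same forwarder also attenuates, granting only an allowlist of methods. All names (Resource, make_caretaker, untrusted_bob, demo) are this example's own. Caveat: Python is not an object-capability language, so code that can reach globals, introspection or `__closure__` can walk around this forwarder; the example shows the structure of the pattern, not the confinement guarantee a capability system such as E or EROS provides.

```python
"""Caretaker pattern: revocable, attenuated forwarding of a capability.

Added example for the cap-talk abstract above; not the paper's code.
Names below (Resource, make_caretaker, untrusted_bob, demo) are invented
for this illustration.
"""


class Resource:
    """Stands in for a file or service that Alice actually holds."""

    def __init__(self, data):
        self._data = data

    def read(self):
        return self._data

    def write(self, data):
        self._data = data


def make_caretaker(target, allowed=None):
    """Return (forwarder, revoke).

    The forwarder delegates method lookups to `target` until `revoke()` is
    called. If `allowed` is given, only those method names are forwarded,
    so the same mechanism yields an attenuated (e.g. read-only) facet.
    Only whoever holds `revoke` can cut the access off.
    """
    holder = {"target": target}  # mutable cell shared by forwarder and revoker

    class Forwarder:
        def __getattr__(self, name):
            t = holder["target"]
            if t is None:
                raise PermissionError("capability revoked")
            if allowed is not None and name not in allowed:
                raise PermissionError(f"method {name!r} not granted")
            return getattr(t, name)

    def revoke():
        holder["target"] = None  # from now on every call fails

    return Forwarder(), revoke


def untrusted_bob(cap):
    """Arbitrary untrusted code; it sees only the forwarder it was handed."""
    log = []
    try:
        log.append(cap.read())
        cap.write("bob was here")
        log.append(cap.read())
    except PermissionError as e:
        log.append(f"denied: {e}")
    return log


def demo():
    """Run Bob against a live, a revoked, and a read-only capability."""
    alice_file = Resource("secret plan")

    cap, revoke = make_caretaker(alice_file)
    before = untrusted_bob(cap)        # Bob reads and writes freely
    revoke()                           # Alice withdraws the capability
    after = untrusted_bob(cap)         # the same reference is now inert

    readonly, _ = make_caretaker(alice_file, allowed={"read"})
    attenuated = untrusted_bob(readonly)  # read works, write is refused

    return before, after, attenuated, alice_file.read()


if __name__ == "__main__":
    for label, result in zip(("live", "revoked", "read-only", "final"), demo()):
        print(f"{label}: {result}")
```

Note that nothing about the Resource class changed to support revocation or read-only access: the policy lives entirely in the forwarder the holder chooses to hand out, which is the point the abstract makes about enforcing policies by abstraction rather than by arranging permissions on the underlying object.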