[cap-talk] Paradigm Regained: Abstraction Mechanisms for Access Control
Mark S. Miller
Fri, 22 Aug 2003 21:51:19 -0700
At http://srl.cs.jhu.edu/pubs/SRL2003-03.pdf you will find the paper Shap
and I just submitted for my invited talk at
Asian'03 http://www.cse.psu.edu/asian03/ . We expect to hear back from
referees on Sep 7, so we have one more round of revision to go before camera-ready.
Discussion would be most enjoyable and quite valuable. Thanks.
I'm cross-posting this message to cap-talk, e-lang, squeak-e, mozart-oz, and
web-calculus, but let's discuss non-platform specific issues on cap-talk.
(Please don't reply-all.)
Paradigm Regained: Abstraction Mechanisms for Access Control
Mark S. Miller, Jonathan S. Shapiro
Access control systems must be evaluated in part on how well they support
the Principle of Least Authority (POLA), i.e., how well they enable the
distribution of appropriate access rights needed for cooperation, while
simultaneously limiting the inappropriate proliferation of access rights
which would create vulnerabilities. POLA may be practiced by arrangement of
permissions and by abstraction of access. To date, access control systems
have been evaluated only by their effectiveness at POLA-by-arrangement.
Working in the original capability model proposed by Dennis and van Horn, we
show how actual systems have used abstraction to enforce revocation,
confinement, and the *-properties--policies whose enforcement has been
"proven" impossible by arrangement-only analysis. To account for these
abilities, analysis must also examine the behavior of security-enforcing
programs (which are usually simple) to see how they limit the authority of
arbitrarily complex untrusted programs. The original capability model,
analyzed in these terms, is shown to be stronger than is commonly supposed.
Text by me above is hereby placed in the public domain
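The abstract's point that revocation can be enforced by abstraction rather than by arrangement of permissions, shown as an added Python example (not code from the paper or from this post): a caretaker that forwards to a target object and a separate revoker. It assumes an object-capability discipline in which the only route to `target` is the forwarder returned here, with no ambient authority to reach it otherwise.

```python
class Revoked(Exception):
    """Raised when a forwarder is used after its revoker has fired."""


def make_caretaker(target):
    """Return (forwarder, revoke).

    The forwarder conveys the same authority as `target` until revoke()
    is called; every use after that fails. The holder of the forwarder
    never receives `target` itself, so the grant stays revocable.
    """
    enabled = {"on": True}  # shared mutable flag, closed over by both sides

    class Forwarder:
        def __getattr__(self, name):
            if not enabled["on"]:
                raise Revoked(name)
            attr = getattr(target, name)
            if not callable(attr):
                return attr
            # Wrap methods instead of returning bound methods: a bound
            # method would leak `target` via __self__, and re-checking the
            # flag on each call defeats caching a method before revocation.
            def call(*args, **kwargs):
                if not enabled["on"]:
                    raise Revoked(name)
                return attr(*args, **kwargs)
            return call

    def revoke():
        enabled["on"] = False

    return Forwarder(), revoke


class Document:  # constructed sample target, stands in for any resource
    def __init__(self, data):
        self.data = data

    def read(self):
        return self.data


def demo():
    """Exercise the caretaker; returns observable outcomes for checking."""
    doc = Document("ledger")
    fwd, revoke = make_caretaker(doc)
    before = fwd.read()
    cached = fwd.read  # method obtained while the grant was still live
    revoke()
    outcomes = {"before": before}
    for label, use in (("after", lambda: fwd.read()), ("cached", cached)):
        try:
            outcomes[label] = use()
        except Revoked:
            outcomes[label] = "revoked"
    return outcomes
```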