[cap-talk] Communicating conspirators (Re: Second ABAC Google talk is now up)

Kenton Varda temporal at gmail.com
Sun Jul 16 20:07:06 EDT 2006


IIRC, the talk explained that this problem could be solved using a revocable
"caretaker".  The CC problem was a different problem.

The question asked was:  "What if Alice doesn't want Bob to continue to have
access to Carol after the Foo operation?"  The answer is that Alice can wrap
Carol in a caretaker (or membrane) which can be revoked as soon as Foo
returns.

The CC problem is:  "What if the owners of Carol want to allow Alice to
access Carol but do not want Alice to be able to delegate that access to
Bob?"  There is no solution to this problem, for a simple reason:  If Alice
*wants* Bob to be able to access Carol, then Alice can always act on Bob's
behalf to do whatever operations Bob wants done on Carol.

In the ACL model, we can get a false sense of security by setting Carol's
ACL to permit Alice while denying Bob.  This does not actually provide any
real security since, again, Alice could just act on Bob's behalf by running
some sort of proxy.

The proper solution to this problem is not to attempt to prohibit
delegation, but instead monitor how Alice's authority is being used and
revoke it if Alice does anything you don't like.  That is, create a wrapper
(aka caretaker, membrane, whatever) around Carol which monitors the
operations being performed and give that to Alice, and revoke it if
necessary.  Inform Alice that there will be consequences if she isn't
careful about how she delegates.  :)

On 7/16/06, Eric Jacobs <eric at theeric.com> wrote:
>
>
> This was the only part of the presentation that I felt pretty
> dissatisfied with, and perhaps it has more to do with the treatment of
> the topic in the capability community in general than anything else, but
> I feel the arguments that were given were not convincing and did not
> resolve the question that was originally asked.
>
> The original comment at 29:15 - (something like this, the audio is
> fuzzy)
>
> "So, I just want to say here as well: I don't want Bob to have a
> reference to Carol except in the scope of the Foo operation. I
> don't want Bob to be able to save that (access?)..."
>
> We are told that this is an example of Communicating Conspirators
> and that it will be addressed later in the presentation. The main
> points made are:
>
>    - that CC cannot be solved with permissions;
>    - that CC cannot be solved with capabilities;
>    - that the capability security model cannot solve CC because
>      in its formal system, CC is not distinguishable from other
>      situations that are not security problems
>    - and therefore, CC is an impossible problem to solve (!)
>
> I am not fond of the idea that because (1) we do not know how to
> abstract something, or (2) we do not currently have the technology to
> implement those abstractions, that it is not possible that someone
> really wants it. In this case I believe both of those conditions are
> true.
>
> In fact, I regard the original question as a very legitimate request,
> and something that is going to become more important as our computing
> systems become more interconnected and the simple answer of "cutting
> Mallet's line" becomes less of an option. Disconnecting a process
> from the internet will soon become a sacrifice of usability for
> security, if it is not already.
>
> Overall though -- I have really enjoyed the presentations so far.
> Thanks!
>
> -Eric
> _______________________________________________
> cap-talk mailing list
> cap-talk at mail.eros-os.org
> http://www.eros-os.org/mailman/listinfo/cap-talk
>
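The caretaker/membrane pattern discussed above, as an added example that is not part of Kenton's post, the talk, or any capability system's own code. It uses a JavaScript Proxy as the forwarder; Carol's methods (read/write/erase), the onUse policy hook, the participant names and the ACL variant of Carol are all constructed for this illustration.

```javascript
// Added example, not from the original thread: a revocable caretaker
// (forwarder) built with a JavaScript Proxy, exercised in the three
// situations discussed above. Carol's methods, the onUse policy hook
// and the participants are all constructed for this illustration.

// Carol: the object whose owners want to control access.
function makeCarol() {
  const notes = [];
  return {
    read() { return notes.slice(); },
    write(s) { notes.push(s); return notes.length; },
    erase() { notes.length = 0; return 0; },
  };
}

// makeCaretaker(target, onUse): returns a forwarder plus a revoke().
// Every method call passes through the forwarder, so Carol never sees
// the forwarder's holder; onUse(name, args) sees each call and may
// return false to refuse it. After revoke() every use throws.
function makeCaretaker(target, onUse = () => true) {
  let live = target;
  const revokedError = (prop) => new Error(`caretaker revoked: ${String(prop)}`);
  const proxy = new Proxy({}, {
    get(_, prop) {
      if (live === null) throw revokedError(prop);
      const value = Reflect.get(live, prop);
      if (typeof value !== "function") return value;
      return (...args) => {
        if (live === null) throw revokedError(prop);
        if (!onUse(String(prop), args)) throw new Error(`refused: ${String(prop)}`);
        return Reflect.apply(value, live, args);
      };
    },
  });
  return { proxy, revoke() { live = null; } };
}

// 1. "Bob may use Carol only within Foo": Alice hands Bob a caretaker,
//    Bob stashes it, Alice revokes once foo() returns.
function scopedDelegation() {
  const carol = makeCarol();
  let stashed = null;
  const bob = { foo(c) { stashed = c; return c.write("from bob"); } };
  const { proxy, revoke } = makeCaretaker(carol);
  const duringFoo = bob.foo(proxy);
  revoke();
  let afterFoo;
  try { stashed.write("later"); afterFoo = "succeeded"; }
  catch (e) { afterFoo = e.message; }
  return { duringFoo, afterFoo, notes: carol.read() };
}

// 2. The ACL version: Carol checks the caller's name. Denying "bob"
//    is no barrier once Alice is willing to forward his requests,
//    because every call then arrives under Alice's name.
function makeAclCarol(allowed) {
  const notes = [];
  return {
    write(caller, s) {
      if (!allowed.has(caller)) throw new Error(`denied: ${caller}`);
      notes.push(s);
      return notes.length;
    },
  };
}
function aclIsNoBarrier() {
  const carol = makeAclCarol(new Set(["alice"]));
  let direct;
  try { direct = carol.write("bob", "x"); } catch (e) { direct = e.message; }
  const aliceProxyForBob = (s) => carol.write("alice", s);
  const viaAlice = aliceProxyForBob("x");
  return { direct, viaAlice };
}

// 3. The suggested answer: give Alice a caretaker that logs each use and
//    revokes her authority when she (or Bob through her) does something
//    the owners dislike. Here "erase" is the disallowed operation.
function monitoredDelegation() {
  const carol = makeCarol();
  const log = [];
  let revokeAlice = () => {};
  const policy = (op) => {
    log.push(op);
    if (op === "erase") { revokeAlice(); return false; }
    return true;
  };
  const alice = makeCaretaker(carol, policy);
  revokeAlice = alice.revoke;
  // Alice acting as Bob's proxy: Bob's requests go out through her reference.
  const bobViaAlice = { ask(op, ...args) { return alice.proxy[op](...args); } };
  const results = [];
  results.push(bobViaAlice.ask("write", "bob's note"));
  results.push(bobViaAlice.ask("read").length);
  try { bobViaAlice.ask("erase"); } catch (e) { results.push(e.message); }
  try { bobViaAlice.ask("read"); } catch (e) { results.push(e.message); }
  return { results, log, notesSurvived: carol.read().length };
}
```

Nothing in the third scenario stops Alice from forwarding Bob's requests; the caretaker only makes each use observable and revocable, which is exactly the limit the post describes. Note also that the forwarder wraps only method calls on Carol herself: objects Carol returns (here, the copied notes array) are not wrapped, so a full membrane would have to wrap those too.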