[cap-talk] Communicating conspirators (Re: Second ABAC Google talk is now up)
Mark S. Miller
markm at cs.jhu.edu
Sun Jul 16 23:38:26 EDT 2006
Kenton Varda wrote:
> The CC problem is: "What if the owners of Carol want to allow Alice to
> access Carol but do not want Alice to be able to delegate that access to
> Bob?" There is no solution to this problem, for a simple reason: If
> Alice *wants* Bob to be able to access Carol, then Alice can always act
> on Bob's behalf to do whatever operations Bob wants done on Carol.
Yes, but only given an additional premise to distinguish this from
Confinement: that Alice and Bob are properly in communication. If they are not
able to communicate, then Alice can still use Carol according to Bob's
interests as she understands them, but this usage may not reflect Bob's
current interests.
> In the ACL model, we can get a false sense of security by setting
> Carol's ACL to permit Alice while denying Bob. This does not actually
> provide any real security since, again, Alice could just act on Bob's
> behalf by running some sort of proxy.
Yes.
> The proper solution to this problem is not to attempt to prohibit
> delegation, but instead monitor how Alice's authority is being used and
> revoke it if Alice does anything you don't like. That is, create a
> wrapper (aka caretaker, membrane, whatever) around Carol which monitors
> the operations being performed and give that to Alice, and revoke it if
> necessary. Inform Alice that there will be consequences if she isn't
> careful about how she delegates. :)
Yes. This makes use of another intermediary, the Logger from Marc Stiegler's
"Picture Book of Secure Cooperation"
<www.skyhunter.com/marcs/SecurityPictureBook.ppt>.
def makeLogger(accessedObject, recipientName, logWriter) {
    def logger {
        match [verb, args] {
            logWriter.println(`Access: $recipientName`)
            logWriter.println(`Method: $verb`)
            for each in args {
                logWriter.println(` with arg: $each`)
            }
            E.call(accessedObject, verb, args)
        }
    }
    return logger
}
One can easily make a membrane-like version of this, which interposes similar
logging logic on all references passed through the logger.
--
Text by me above is hereby placed in the public domain
Cheers,
--MarkM
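The logging caretaker discussed in this message, carried through as an added example that is not part of the original post or of the E code above: a JavaScript Proxy stands in for E's `match [verb, args]` dispatch, the wrapper records every call against the recipient it was handed to, the owner can revoke it, and (the membrane-like variant mentioned at the end) object references obtained through the wrapper are wrapped in turn. The `makeCarol` object, the `Alice`/`Bob` names and the sample file contents are constructed for the demo.

```javascript
// Added example: a revocable, logging caretaker in the spirit of makeLogger.
// Delegation cannot be prevented (Alice simply hands her reference to Bob),
// but every use is attributed to the recipient the caretaker was issued to,
// and the issuer can revoke it.

function makeLoggingCaretaker(target, recipientName, log) {
  let revoked = false;

  // Wrap an object so that every method call is logged and, membrane-style,
  // every object reached through it is wrapped as well. Primitives pass through.
  const wrap = (obj) => {
    if (obj === null || (typeof obj !== 'object' && typeof obj !== 'function')) {
      return obj;
    }
    return new Proxy(obj, {
      get(t, prop, receiver) {
        if (revoked) throw new Error(`access by ${recipientName} revoked`);
        const value = Reflect.get(t, prop, receiver);
        if (typeof value !== 'function') return wrap(value);
        // Method: log "who / which verb / which args", then forward
        // (the E.call(accessedObject, verb, args) step of the original).
        return (...args) => {
          if (revoked) throw new Error(`access by ${recipientName} revoked`);
          log.push({
            recipient: recipientName,
            method: String(prop),
            args: args.map((a) => String(a)),
          });
          return wrap(value.apply(t, args));
        };
      },
    });
  };

  return { proxy: wrap(target), revoke() { revoked = true; } };
}

// Constructed stand-in for Carol: a tiny file store (hypothetical, for the demo).
function makeCarol() {
  const files = new Map([['notes.txt', 'hello']]);
  return {
    read(name) { return files.has(name) ? files.get(name) : null; },
    write(name, contents) { files.set(name, contents); return true; },
  };
}

// Walk through the scenario: Alice receives a caretaker, passes it to Bob,
// Bob's use is logged under Alice's name, the owner revokes after the write.
function demo() {
  const log = [];
  const carol = makeCarol();
  const { proxy: aliceView, revoke } = makeLoggingCaretaker(carol, 'Alice', log);

  const bobView = aliceView;            // delegation: just a copied reference
  const before = bobView.read('notes.txt');
  bobView.write('notes.txt', 'changed via Alice');

  revoke();                             // owner dislikes what the log shows
  let after;
  try {
    after = bobView.read('notes.txt');
  } catch (e) {
    after = e.message;
  }
  return { before, after, log };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The log entries carry the recipient name baked in at issue time, not anything Bob supplies, so the owner can answer "whose authority was exercised?" even when the actual caller is someone the owner never authorised; that is the accountability the message proposes in place of a delegation ban.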