[cap-talk] The Cascade Problem viewed as a Permission vs. Authority Distinction
Toby Murray
toby.murray at dsto.defence.gov.au
Wed May 24 03:28:49 EDT 2006
John Carlson wrote:
>I think some ideas that have floated around here are that the right
>to communicate a capability is basically given when you give someone a
>capability. Don't share capabilities unless you want them communicated.
>Proxying will happen whether you want it to or not.
>
Definitely.
I should have been more clear. I was trying to point out some parallels
with some other work that looks fairly unrelated to what is normally
discussed on this list. The issue you describe above is fairly well
understood on this list, I think. To me, it was interesting to see what
I thought was basically the same issue being looked at elsewhere by
other people in a completely different way to how it's seen here. I
naturally characterised the problem in their paper as the sort of
failure that can arise when one conducts a permission-only analysis. Of
course, that's not how it's presented in the paper and I found that
interesting. Other people are aware of the same sorts of problems that
the work by e.g. Fred Spiessens and Yves Jaradin et al. might help to
solve, and they are looking at them from different angles.
>For Access Control systems, this means you get a sys admin to type in
>some things they don't have a clue what it does.
>
Are you referring to a sysadmin invoking a password capability here?
> If I give you a portion of a capability to do your job, then that is
>the correct thing to do. (say a write capability w/o read capability).
>
It's correct from your perspective. That's one of the (many) beauties of
the object-capability model. One can model a system from a number of
perspectives, taking into account the behaviour of the objects that are
trusted from the perspective being modelled and then reasoning about
whether the desired policy is enforced. For example, the policy the
sysadmin wants enforced is different to the policy you want enforced. We
can analyse a system from both perspectives. When we analyse from the
sysadmin's perspective, we take into account the behaviour of objects
that he trusts -- everything else we presume is as dangerous as it
possibly can be. If we can prove that his policy is still enforced then
good. We can do the same from your perspective (as a user) too, and both
of you can have your policies provably enforced (we hope).
I don't know of any other access control systems that allow this sort of
modelling from multiple perspectives. Again, I would love to hear from
anyone that does.
--
Toby Murray
Advanced Computer Capabilities Group
Information Networks Division
DSTO, Australia
IMPORTANT: This e-mail remains the property of the Australian Defence
Organisation and is subject to the jurisdiction of section 70 of the
Crimes Act 1914. If you have received this e-mail in error, you are
requested to contact the sender and delete the e-mail.
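The two analyses the message contrasts, a permission-only check versus a worst-case authority analysis run from one party's perspective, can be sketched as a small fixpoint computation over an object graph. The following is an added example written for this archive page; it is not code from the thread, nor from the Spiessens/Jaradin tools mentioned above. The objects (`admin`, `user`, `appender`, `backup`), the capability names and the trust assumptions are all constructed for illustration, and the worst-case model for untrusted objects (they hand every capability they hold to everything they reference, and two untrusted objects that can talk pool their holdings) is a deliberate over-approximation.

```python
"""Permission vs. authority in a toy object-capability graph.

Added example for this archived cap-talk message; not code from the thread
or from any published analysis tool.  Objects, capability names and trust
assumptions below are constructed for illustration only.
"""
from __future__ import annotations

from typing import Dict, Mapping, Set

# An object's holdings are the capabilities it currently has.  A capability is
# a string: either the name of another object in the graph (a reference to it)
# or a leaf resource facet such as "log.read" that cannot itself pass anything.
Holdings = Dict[str, Set[str]]


def permission(graph: Mapping[str, Set[str]], cap: str) -> Set[str]:
    """Permission-only view: which objects hold `cap` directly right now."""
    return {obj for obj, caps in graph.items() if cap in caps}


def authority(graph: Mapping[str, Set[str]],
              trusted: Mapping[str, Set[str]]) -> Holdings:
    """Worst-case authority, analysed from one perspective.

    `trusted` maps each object the analyst relies on to the capabilities it
    will hand back to any caller (it passes nothing else and ignores anything
    it is sent).  Every other object is untrusted and modelled as maximally
    dangerous: it gives everything it holds to every object it references, and
    two untrusted objects that can talk to each other pool their holdings.
    Returns the least fixed point of that propagation.
    """
    holdings: Holdings = {obj: set(caps) for obj, caps in graph.items()}
    changed = True
    while changed:
        changed = False
        for obj in list(holdings):
            if obj in trusted:
                continue            # behaviour is fixed by its declaration
            for target in list(holdings[obj]):
                if target not in holdings:
                    continue        # leaf facet: nothing to forward
                if target in trusted:
                    # A trusted object only returns what it declares AND holds.
                    gained = trusted[target] & holdings[target]
                else:
                    # Untrusted peer: obj can push its caps to target, and
                    # target can return everything it has in replies.
                    before = len(holdings[target])
                    holdings[target] |= holdings[obj]
                    changed |= len(holdings[target]) != before
                    gained = holdings[target]
                before = len(holdings[obj])
                holdings[obj] |= gained
                changed |= len(holdings[obj]) != before
    return holdings


def holders_of(holdings: Holdings, cap: str) -> Set[str]:
    """Objects that can end up with `cap` once propagation has settled."""
    return {obj for obj, caps in holdings.items() if cap in caps}


# Constructed scenario (assumed, not from the message).  The sysadmin owns the
# log and hands the user a write-only proxy, so the user has permission to
# append but not to read.  The user can also reach a backup service that
# legitimately holds the read facet.
GRAPH: Dict[str, Set[str]] = {
    "admin":    {"log.read", "log.write", "user", "appender", "backup"},
    "appender": {"log.write"},              # write-only facet of the log
    "backup":   {"log.read", "restore"},    # reads the log to back it up
    "user":     {"appender", "backup", "user.secret"},
}


def admin_view_with_untrusted_backup() -> Set[str]:
    """Sysadmin's perspective, trusting only its own object and the proxy."""
    trusted = {"admin": set(), "appender": set()}
    return holders_of(authority(GRAPH, trusted), "log.read")


def admin_view_with_trusted_backup() -> Set[str]:
    """Same perspective, but backup is trusted to return only `restore`."""
    trusted = {"admin": set(), "appender": set(), "backup": {"restore"}}
    return holders_of(authority(GRAPH, trusted), "log.read")


def user_view() -> Set[str]:
    """User's perspective: only the user's object is trusted; it hands out nothing."""
    return holders_of(authority(GRAPH, {"user": set()}), "user.secret")


if __name__ == "__main__":
    print("permission to read the log:", sorted(permission(GRAPH, "log.read")))
    print("authority to read, backup untrusted:", sorted(admin_view_with_untrusted_backup()))
    print("authority to read, backup trusted:  ", sorted(admin_view_with_trusted_backup()))
    print("authority over user.secret, user view:", sorted(user_view()))
```

The permission check never lists `user` as a reader. From the sysadmin's perspective with `backup` untrusted, the authority analysis does: the user's reference to the backup service is enough to pull `log.read` through it, which is the cascade the message is pointing at. Declaring `backup`'s behaviour as trusted (it returns only `restore`) removes that path, so the sysadmin's policy holds under that assumption. Re-running from the user's perspective, with everything the sysadmin owns treated as hostile, shows that `user.secret` stays with the user, so both parties can check their own policy against the same graph.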