[cap-talk] Capabilities - the rub, an account
Marc Stiegler
marcs at skyhunter.com
Thu Nov 16 12:53:25 CST 2006
> We talk a good line about revocable capabilities, membranes and
> such. We all know how such mechanisms can work in capability
> systems. However, consider capabilities in the light of what I hear
> are the absolute minimum access control/auditability requirements
> that many (most?) people dealing with computer security demand,
> including:
>
> 1. It's possible to look at the access control data on the system
> and determine who has access to what (both starting from who
> and finding what or starting from what and finding who),
>
> 2. It must be possible to audit the system - find out who gave
> what to whom. I'm not sure today's market leading systems
> (e.g. Unix, Windows) actually succeed in this area, but it's
> one that certainly gets a lot of lip service.

This topic does seem to keep recurring here. Points:

1. It makes no difference whether you are using caps or acls, you cannot
tell who has access, you can only tell who was given a direct enough
access such that you can hold them accountable. Those who have direct
access can proxy, thereby spreading access beyond your control but not
spreading accountability beyond your control. The beginning of sanity is
for everyone, both people on this list and computer security pros in
general, to understand this. Accountability is what you really wanted
anyway. So the 2 requirements deserve to be rewritten to reflect what
people actually want and actually can get (which happen to be the same)
rather than what they think they have and think they can get (which are
similar though different). A first necessary step toward security is
discarding one's illusions, for the attackers will discard your
illusions whether you do or not.

2. Windows sucks at telling you what you have authority to access. One
day at HP I accidentally discovered that I had been given a massive
authority to edit the entire application server for HP Labs. I had had
this authority for a considerable time before learning I had it. I was a
weapon of mass destruction and did not know it. I have seen nothing
about Linux, or any other popular system, that does any better.

3. It is easy with acls to ask a resource for a list of whom to hold
accountable/who has direct access. It is easy with caps to ask an object
what authorities it holds. Going the other/unnatural way is hard with
either system. But it is not impossible with either system, even though
no acl system seems in my experience to be bidirectionally informative.
For the CapWiki, part of the design is, every time a user creates a cap
for delegation, we put an entry for the revoker and audit trail on that
user's home page, and include as much info as we can extract from the
context and the user's explicit entries about who/why/how long this cap
is for. This will give the user as much (well, actually, more)
understanding of what authorities he has passed out, and who he passed
them to, and what those people he gave the authority to should be held
accountable for, than he gets with any traditional popular acl system.

--marcs
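The two points above (point 1: direct access can be proxied, so only the direct recipient is accountable; point 3: an audit entry with a revoker recorded on the delegator's home page lets you answer both "what does this user hold" and "who is accountable for this resource") are illustrated by the following added model. It is example code written for this archive page, not CapWiki's code or anything from the original post; every class and method name (`Cap`, `DelegationRegistry`, `accountable_for`, and so on) is an assumption made for the illustration.

```python
# Added illustrative model of revocable, audited capability delegation.
# Not CapWiki's implementation; all names here are assumptions for the example.
from dataclasses import dataclass
from typing import Any, Callable


class Revoked(Exception):
    """Raised when a revoked capability (or one upstream of it) is invoked."""


@dataclass
class Resource:
    """The underlying object a capability ultimately reaches (here, a wiki page)."""
    name: str
    content: str = ""

    def read(self) -> str:
        return self.content

    def write(self, text: str) -> None:
        self.content = text


class Cap:
    """A revocable forwarder to a Resource or to another Cap (a delegation chain)."""

    def __init__(self, target: Any, holder: str) -> None:
        self._target = target
        self.holder = holder
        self.revoked = False

    def revoke(self) -> None:
        self.revoked = True

    def invoke(self, method: str, *args: Any) -> Any:
        if self.revoked:
            raise Revoked(f"capability held by {self.holder} is revoked")
        if isinstance(self._target, Cap):
            return self._target.invoke(method, *args)  # upstream revocation bites here too
        return getattr(self._target, method)(*args)

    def chain(self) -> list["Cap"]:
        """Every Cap from this one back to the root, in order."""
        out, cap = [], self
        while isinstance(cap, Cap):
            out.append(cap)
            cap = cap._target
        return out

    def is_live(self) -> bool:
        return not any(c.revoked for c in self.chain())

    def resource(self) -> Resource:
        return self.chain()[-1]._target


@dataclass
class AuditEntry:
    """One delegation as recorded on the grantor's home page: who/why/how long, plus the revoker."""
    grantor: str
    grantee: str
    resource: str
    why: str
    valid_days: int
    revoke: Callable[[], None]


class DelegationRegistry:
    """Records every delegation so both query directions can be answered."""

    def __init__(self) -> None:
        self.home_pages: dict[str, list[AuditEntry]] = {}  # grantor -> audit entries
        self.held: dict[str, list[Cap]] = {}               # holder -> caps

    def issue_root(self, resource: Resource, owner: str) -> Cap:
        cap = Cap(resource, owner)
        self.held.setdefault(owner, []).append(cap)
        return cap

    def delegate(self, cap: Cap, grantee: str, why: str, valid_days: int) -> Cap:
        child = Cap(cap, grantee)
        entry = AuditEntry(cap.holder, grantee, cap.resource().name, why, valid_days, child.revoke)
        self.home_pages.setdefault(cap.holder, []).append(entry)
        self.held.setdefault(grantee, []).append(child)
        return child

    def authorities_held(self, user: str) -> list[str]:
        """Natural direction for caps: which resources can this user still reach?"""
        return [c.resource().name for c in self.held.get(user, []) if c.is_live()]

    def accountable_for(self, resource: str) -> list[tuple[str, str]]:
        """The other direction, answered from the audit trail: (grantor, grantee) pairs."""
        return [(e.grantor, e.grantee) for entries in self.home_pages.values()
                for e in entries if e.resource == resource]

    def revoke_delegations(self, grantor: str, grantee: str) -> int:
        """Pull back everything grantor gave grantee; returns how many caps were revoked."""
        hits = [e for e in self.home_pages.get(grantor, []) if e.grantee == grantee]
        for e in hits:
            e.revoke()
        return len(hits)


def demo() -> dict:
    """Delegate, proxy off the record, query both directions, then revoke (constructed scenario)."""
    reg = DelegationRegistry()
    plan = Resource("ProjectPlan", "draft v1")
    alice = reg.issue_root(plan, "alice")
    bob = reg.delegate(alice, "bob", "review the plan", valid_days=7)
    carol = reg.delegate(bob, "carol", "second opinion", valid_days=2)
    carol.invoke("write", "draft v2")

    def dave_proxy(method: str, *args: Any) -> Any:  # bob proxies for dave; nothing records dave
        return bob.invoke(method, *args)

    out = {"dave_read": dave_proxy("read"),
           "accountable": reg.accountable_for("ProjectPlan"),
           "carol_held": reg.authorities_held("carol")}
    out["revoked"] = reg.revoke_delegations("alice", "bob")  # alice pulls back bob's cap
    out["carol_held_after"] = reg.authorities_held("carol")  # carol's chain ran through bob
    try:
        dave_proxy("read")
        out["dave_after"] = True
    except Revoked:
        out["dave_after"] = False
    return out
```

The audit trail names alice and bob and carol, never dave, which is point 1: dave had access through bob's proxy, but bob is the one held accountable. Revoking what alice gave bob cuts off carol and dave as well, because their reach ran through bob's cap; `authorities_held` therefore walks the whole chain rather than checking only the holder's own revocation flag, which is the kind of detail that makes the "unnatural" direction harder than it first looks.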