[cap-talk] Non-safety vs. permission propagation -- HRU and IBAC ACLs
Jonathan S. Shapiro
shap at eros-os.com
Mon Aug 6 10:35:49 EDT 2007
On Mon, 2007-08-06 at 14:50 +0100, Toby Murray wrote:
> On Fri, 2007-07-27 at 17:03 +0100, Toby Murray wrote:
> > On Fri, 2007-07-27 at 11:50 -0400, Jonathan S. Shapiro wrote:
> > > On Fri, 2007-07-27 at 11:55 +0100, Toby Murray wrote:
> > > > The question I was
> > > > asking was whether the formal access control model (identity-based ACLs
> > > > with so-called "discretionary" access control and the superuser) can
> > > > enforce the safety property. Of course they can -- that was my point.
> > >
> > > The answer is NO. Go re-read the HRU paper.
> >
> > I will. But I don't remember anything in that paper to support your
> > claim from last time I read it. I'm hoping that if re-reading the paper
> > doesn't convince me you're right, that you could point to the relevant
> > section in which this claim is proved.
>
> I've now re-read that paper.
>
> (see a PDF here
> http://www.cs.unibo.it/~babaoglu/courses/security/resources/documents/harrison-ruzzo-ullman.pdf )
>
> Having done so, I see no evidence to support the claim that the safety
> property cannot be enforced using identity-based ACLs with so-called
> "discretionary" access control (i.e where the "owner" of an object can
> control which subjects have permission to access it).
Very simple: the owner does not control. The programs labeled with the
owner's principal ID control. The model assumes that all programs are
maximally hostile. Therefore, in any system where at least one subject
executing on behalf of the owner exists, the access right leaks in a
single step.
> So say we have a system of 2 subjects, s1 and s1, and one (file) object
> f.
>
> Say that s1 is the owner of f (i.e. "own" is in (s1, f) )
> And we want to determine whether s2 (who is considered untrustworthy)
> can obtain the right to "read" f. s1 is considered trustworthy, so we
> remove it from the configuration, leaving a configuration with 2
> entities (s2 and f) in which no entity has any permission to any other.
This is not an accurate model. The problem with this model is that
subjects in an ACL system do not own objects; principals do. Therefore,
the set of subjects that effectively possess the "own" right is an
equivalence class induced by principal id. Because of this, we cannot
reasonably introduce the assumption that s1 is non-hostile. This is
comparable to saying that every program that a user U might run on the
system is known to be completely safe.
If this assumption were true, computer security would be much less
interesting. :-)
shap
More information about the cap-talk
mailing list