[cap-talk] Non-safety vs. permission propagation -- HRU and IBAC ACLs

David Hopwood david.hopwood at industrial-designers.co.uk
Mon Aug 6 15:03:48 EDT 2007 

Jonathan S. Shapiro wrote:
> On Mon, 2007-08-06 at 18:18 +0100, David Hopwood wrote:
>> Jonathan S. Shapiro wrote:
>>> Back up. This is a model in which all processes that are not part of the
>>> TCB are assumed to be perfectly hostile.
>>
>> I disagree. The HRU model does not say anything about which processes
>> outside the TCB are assumed to be hostile. It clearly allows the possibility
>> of processes outside the TCB that are trusted for a particular right (to
>> the extent that it talks about processes at all).
> 
> I have not re-read the paper in some time, but I believe that this is
> incorrect.

>From section 4:

# To avoid a trivial "unsafe" answer because s himself can confer generic
# right r, we should in most circumstances delete s itself from the matrix.

(In fact, this is not reasonable in most circumstances, because most
widely-used systems have subjects/principals that are too coarse-grained.
But we can forgive the authors for not realising just how broken future
systems would be in this respect. In section 3 they say that "In practice,
typical subjects might be processes", which is definitely not typical for
current ACL systems.)

# It might also make sense to delete from the matrix any other "reliable"
# subjects who could grant r, but whom s "trusts" will not do so.

So, reliable subjects are not assumed to be hostile. But reliable subjects
are not necessarily in the system TCB. The set of reliable subjects for
any given right is a function of that right.

(Incidentally, I think the terms "reliable" and "unreliable" are much better
in this context than "trusted", "non-hostile", etc.)

> Specifically, I believe the basic analysis is that any
> process in the subject graph can and will perform any command that it is
> capable of performing, subject only to the permission requirements of
> the commands. In this sense, it is a conservative analysis.
>
> This is precisely why trusted subjects must be removed from the graph in
> order for the analysis to make sense.

Does considering the set of reliable subjects to be a function of the right
(which may be either a generic right or a right to a particular object)
answer this argument? I believe that is the interpretation that the authors
intended.

-- 
David Hopwood <david.hopwood at industrial-designers.co.uk>

More information about the cap-talk mailing list