[cap-talk] Non-Delegatable Authorities in Capability Systems
toby.murray at comlab.ox.ac.uk
Thu Dec 6 07:24:06 EST 2007
Hi all on cap-talk and e-lang,
(apologies for those who subscribe to both lists)
We've just had a paper accepted that may be of interest to many on these lists.
"Non-Delegatable Authorities in Capability Systems"
By Toby Murray and Duncan Grove
(to appear in the Journal of Computer Security)
The paper speaks to the heart of the "delegation" issue that has been
debated many times over the years on these mailing lists. I think it
represents a so-far unexplored part of the debate that I hope will be
reignited at this point. I'll let the abstract do the talking.
We present a novel technique, known as the non-delegatable authority
(NDA), for distributing authority to unconfined subjects in capability
systems that prevents them from sharing the exact same authority that
they have been given with anyone else. This feature is present in common
systems based on access control lists (ACLs) in which one may hand out a
permission without handing out the associated "grant" right, but has
been thought to be impossible to express in capability systems until
now. Consequently, we demonstrate that NDAs may be used to express
ACL-like constructs and their basic pattern is directly applicable for
implementing Multi-Level Security and identity-based access controls in
the object-capability model.
The extra complexity introduced by our NDA implementation can be hidden
behind constructs that allow NDAs to be wielded as if they were ordinary
capabilities to the target resource. These constructs cannot break the
non-delegatability constraint and allow NDAs to be used effectively,
although with less efficiency than delegatable authorities.
While I'm here, I'd like to pass on our thanks to Mark Miller who
graciously vetted the first embryonic implementation of the NDA pattern
in E back in January 2006 and who later provided valuable feedback on
early drafts of the paper around July of that year -- it wouldn't have
been written without his support. I'd also like to pass on our thanks to
the anonymous reviewer (who apparently reads cap-talk!), whose astute
observations earlier this year allowed us to plug some gaping holes and
generally resulted in a much improved paper overall. Whoever you are,
this paper would have been much weaker without you; our thanks indeed.