[cap-talk] Comprehensive Security Policies on Capability Systems

Toby Murray toby.murray at comlab.ox.ac.uk
Tue Jan 16 03:19:23 CST 2007


On Mon, 2007-01-15 at 12:03 -0500, Jonathan S. Shapiro wrote:
> On Mon, 2007-01-15 at 12:23 +0100, Neal H. Walfield wrote:
> > What I'm looking for then are not descriptions of the fundamental
> > patterns, e.g., care takers and seals, but how to use capabilities and
> > these patterns to implement a more comprehensive security policy.
> > Could anybody point me to some relevant exposés?

> If anybody has worked out RBAC, I don't know about it, but the basic
> approach would be to start with a KeySafe style reference monitor and a
> bunch of object servers that were in on the joke.

Correct me if I'm wrong, but when I read the following, I had thought it
a pretty good start at a realisation of RBAC.

From:
http://www.eros-os.org/pipermail/cap-talk/2006-December/006458.html
posted by Mark Miller

> When Bob joins the company, a user-agent is created for
> Bob-as-employee. If needed, a separate user-agent is created for Bob.
> (If Bob already has his own computer with his own user-agent, he can
> elect to use that!)
> 
> The relevant membrane is between Bob and Bob-as-employee. While Bob is
> with the company, Bob acts as a puppeteer, operating the
> Bob-as-employee puppet through the membrane. When Bob leaves the
> company, Bob loses the ability to operate Bob-as-employee, but
> Bob-as-employee continues to exist. It has lost its puppeteer, and
> therefore some of its anima, but it hasn't lost any of its authority.
> When the company reassigns Bob's duties to someone else, they also
> transfer the puppet strings, so that other person can now operate
> Bob-as-employee. The puppet show must go on, masking the effects of
> puppeteer turnover.

Here "Bob-as-employee" is a role, available to user Bob. Bob may have
other roles he can assume too, in which case he'd have capabilities to
other membranes that represent these roles as well.

One could enhance it by having the membrane for role X disallow any caps
to traverse it that have already passed through the membrane for another
role Y. The idea would be to prevent Bob from using caps obtained in
role X while acting in role Y, although I haven't thought it through
enough to be sure that this would actually implement the prevention.
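A constructed JavaScript sketch of the membrane-as-role design quoted above, added here and not code from the thread or from any E implementation: a per-role membrane whose puppet strings can be cut and re-granted while the puppet keeps its authority, plus one way to realise the cross-role check suggested in the last paragraph (refusing any cap already tagged by another role's membrane). The names `makeRoleMembrane`, `grant`, `passage` and the employee agent are all assumed; the check is one possible reading of the idea, not a proof that it is sufficient.

```javascript
const passage = new WeakMap();   // proxy -> { role, target }, recorded at the crossing

function makeRoleMembrane(role) {
  // grant() hands a puppeteer strings to target; cut() revokes them, target keeps its authority
  return {
    grant(target) {
      let strings = true;
      const wrap = (value) => {
        if (value === null || (typeof value !== 'object' && typeof value !== 'function')) return value;
        const seen = passage.get(value);
        if (seen && seen.role === role) return seen.target;  // back through own membrane: unwrap
        if (seen) throw new Error(`cap obtained as ${seen.role} refused by ${role} membrane`);
        const live = () => { if (!strings) throw new Error(`${role}: puppet strings cut`); };
        const proxy = new Proxy(value, {
          get(t, prop) { live(); return wrap(Reflect.get(t, prop, t)); },
          apply(t, self, args) {
            live();
            const bare = passage.has(self) ? passage.get(self).target : self;
            return wrap(Reflect.apply(t, bare, args.map(wrap)));
          },
        });
        passage.set(proxy, { role, target: value });
        return proxy;
      };
      return { handle: wrap(target), cut: () => { strings = false; } };
    },
  };
}

function makeEmployeeAgent(name) {   // constructed stand-in for Bob-as-employee
  const sent = [];
  return { name, send(msg) { sent.push(msg); return sent.length; } };
}

function runScenario() {
  const employee = makeRoleMembrane('employee');
  const bobAsEmployee = makeEmployeeAgent('Bob-as-employee');
  const bob = employee.grant(bobAsEmployee);          // Bob joins: gets the strings
  bob.handle.send('status report');
  bob.cut();                                           // Bob leaves the company
  let bobCutOff = false;
  try { bob.handle.send('one more'); } catch (e) { bobCutOff = true; }
  const carol = employee.grant(bobAsEmployee);        // duties reassigned: new strings, same puppet
  const count = carol.handle.send('taking over');     // 2: earlier state and authority intact
  // Cross-role check: a cap obtained as employee may not cross the contractor membrane
  const contractor = makeRoleMembrane('contractor').grant({ whoIs: (a) => a.name });
  let mixingRefused = false;
  try { contractor.handle.whoIs(carol.handle); } catch (e) { mixingRefused = true; }
  return { bobCutOff, count, mixingRefused };
}
```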
