[cap-talk] A draft paper: Authority Analysis for Least Privilege Environments

Toby Murray toby.murray at comlab.ox.ac.uk
Wed Mar 7 05:52:18 CST 2007


G'day all on cap-talk,

I've recently put together a draft paper that details a technique for
analysing authority based on causation. One problem with previous
techniques, such as safety analyses (eg. Take-Grant systems, safety
analyses in SCOLL/KBMs etc.) is that while they can reason about
authority to some degree, they're generally limited to reasoning about
it in terms of acquirable permissions. As we all know from the Confused
Deputy problem, this can grossly underestimate a subject's total
authority.

This paper is a first attempt to try to come up with a framework for
thinking about and capturing authority that goes beyond safety analyses.
The work leverages the CSP process algebra for modelling systems but the
causal analysis applies to simple finite-state automata derived from the
CSP models so it's hopefully applicable to other process
algebras/formalisms as well.

I'm soliciting feedback from this list because much of the underlying
philosophy contained within this paper is directly derived from a lot of
the thinking I've picked up from this list. Also, while this paper
presents the work in the context of an IBAC system, the real aim here is
to be able to model and reason about abstractions/patterns in the
object-cap model, most (all?) of which rely on giving some
object /authority/ without giving them /permission/. Thus, in order to
understand these patterns, we need to be able to reason about authority
beyond acquirable permissions.

I'd very much appreciate any feedback, positive, negative or otherwise
on this paper and the ideas it contains.

Fred: this work was heavily inspired by your work on SCOLL and authority
flow graphs and makes explicit reference to this work towards the end of
the paper. Please let me know if I've misunderstood or mischaracterised
this work in any way as I would hate to misrepresent the most direct
ancestor of my work.

The current draft can be found here:
http://web.comlab.ox.ac.uk/oucl/work/toby.murray/analysing_authority.pdf

Abstract etc. appears below:

Authority Analysis for Least Privilege Environments

Toby Murray

Abstract:

The rise of limited-privilege environments has been accompanied by the
emergence of vulnerabilities in which a subject is able to maliciously
wield their limited privileges to indirectly cause unwanted effects. We
refer to all effects that a subject can cause as their authority. These
vulnerabilities highlight the need to be able to detect excess authority
once a subject’s privileges have been minimised. Unfortunately,
conventional safety analyses for access control systems are ill-equipped
to deal with this problem because they do not detect the indirect
effects that a subject can cause, but merely the permissions a subject
can acquire.

We present a technique that characterises a subject’s authority as all
of the effects they can cause to occur. Our technique is based on an
analysis of causation, applied to finite state automata that represent
the possible behaviours of a system. We demonstrate the ability of our
technique to successfully identify excess authority when a subject’s
permissions have been minimised by examining the “Confused Deputy”
scenario, whose vulnerability goes undetected with conventional safety
analyses.
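As an added illustration (not code from the paper or its author), the toy automaton below models a compiler service that writes its output wherever the caller names it, the classic Confused Deputy shape. The states, subjects and the simplified causal criterion used here (a subject's own effects plus effects fired from states reachable only because that subject acted) are assumptions for the example, not the paper's formal definitions. A permission-style view attributes no write to alice, while the causal view attributes the billing write to her.

```python
from collections import deque

# Constructed toy system: each transition is (source_state, subject, event,
# target_state). Events starting with "write:" are the observable effects
# whose authority we want to attribute. alice holds no write permission on
# "billing", but the compiler writes wherever alice's request names.
TRANSITIONS = [
    ("idle",      "alice",    "call_compiler(out=billing)", "requested"),
    ("requested", "compiler", "write:billing",              "idle"),
    ("idle",      "compiler", "write:log",                  "idle"),
    ("idle",      "bob",      "write:billing",              "idle"),
]
INITIAL = "idle"

def reachable_states(transitions, excluded_subject=None):
    """States reachable from INITIAL, optionally in the counterfactual
    system where one subject's transitions have been removed."""
    seen, todo = {INITIAL}, deque([INITIAL])
    while todo:
        state = todo.popleft()
        for src, subj, _event, dst in transitions:
            if src == state and subj != excluded_subject and dst not in seen:
                seen.add(dst)
                todo.append(dst)
    return seen

def permission_view(transitions, subject):
    """Safety-analysis style view: effects the subject performs itself on
    some reachable transition, i.e. what its own permissions allow."""
    live = reachable_states(transitions)
    return {ev for src, subj, ev, _ in transitions
            if subj == subject and src in live and ev.startswith("write:")}

def causal_authority(transitions, subject):
    """Assumed simplified causal criterion: the subject's own effects plus
    every effect fired from a state that is unreachable without it."""
    only_via_subject = (reachable_states(transitions)
                        - reachable_states(transitions, subject))
    indirect = {ev for src, _subj, ev, _ in transitions
                if src in only_via_subject and ev.startswith("write:")}
    return permission_view(transitions, subject) | indirect

if __name__ == "__main__":
    for subject in ("alice", "bob", "compiler"):
        print(subject, "permissions:", permission_view(TRANSITIONS, subject),
              "authority:", causal_authority(TRANSITIONS, subject))
```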