[cap-talk] Horton vs. ACLs

David Chizmadia (JHU) chiz at cs.jhu.edu
Mon Oct 8 14:55:42 EDT 2007


Karp, Alan H wrote:
> Shap wrote:
>> The audit problem is to provide a mechanism by which an external
>> security auditor (a human using tools) can determine which 
>> programs have
>> access to which authorities.
> 
> Horton doesn't have anything to say about this problem.  If you meant
> "people" where you said "programs", then the answer is straightforward.
> Some of the identity objects in Horton come from the same administrative
> domain as the auditor, so the auditor can assign meaningful identities
> to them.  Others may not, in which case the auditor can do no better
> than to use path based names, e.g., HP employee Alan's MarkM's Shap.

    When I look at the audit problem (as described by shap), I've
always felt that the major "social" problem with capabilities is
that they force the human auditors to confront the ugly limitations
of *any* audit subsystem: namely, that the *most* that the logging
facility of any software (OS or program) can say is that a
particular request came from an entity that is associated with some
(essentially) meaningless number, structure, or string.

    In the case of straight capabilities, this would usually be
expressed as something along the lines of: "this (specified) request
originated from an entity holding a capability given to the entity
that claimed to be ...". In the presence of Horton, it would be
possible to trace the chain of introductions (i.e., the path-based
names described above) that led to the issuance of the capability
used for the invocation. This could be useful in some forensic
investigations.

-DMC
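A constructed model of the contrast the message draws between a straight-capability audit record and one that carries a Horton-style chain of introductions. This is an added example, not Horton's protocol or any code from the list; the identity ids, the auditor's directory and the log entries are made up.

```python
# Constructed audit model (not Horton's own code). A plain capability only
# records an opaque holder id; a capability that carries its chain of
# introductions lets the auditor build a path-based name such as
# "HP employee Alan's MarkM's Shap".
from dataclasses import dataclass


@dataclass(frozen=True)
class Introduction:
    introducer: str   # opaque id of the party making the introduction
    as_name: str      # the name the introducer uses for the party introduced


@dataclass(frozen=True)
class Capability:
    target: str
    holder: str       # opaque id of the current holder
    chain: tuple = () # Introductions, earliest first; empty = no trail


def introduce(cap, introducer, as_name, new_holder):
    """Delegate cap to new_holder, appending the introduction to its chain."""
    return Capability(cap.target, new_holder,
                      cap.chain + (Introduction(introducer, as_name),))


def path_name(cap, directory):
    """Resolve a capability's provenance as far as an auditor can.
    directory maps ids from the auditor's own administrative domain to
    meaningful names; every other id stays an opaque string."""
    if not cap.chain:                        # straight capability: just a number
        return directory.get(cap.holder, cap.holder)
    root = cap.chain[0].introducer
    name = directory.get(root, root)
    for intro in cap.chain:                  # walk the introductions outward
        name = f"{name}'s {intro.as_name}"
    return name


def audit(log, directory):
    """Return (request, target, path-based name) for each logged invocation."""
    return [(req, cap.target, path_name(cap, directory)) for req, cap in log]


# Constructed sample data: ids are placeholders, not real identities.
DIRECTORY = {"id-7f3a": "HP employee Alan"}
alan_cap = Capability("file:/reports", holder="id-7f3a")
markm_cap = introduce(alan_cap, "id-7f3a", "MarkM", "id-c21e")
shap_cap = introduce(markm_cap, "id-c21e", "Shap", "id-0d44")
foreign_cap = introduce(Capability("db:/orders", "id-9b00"), "id-9b00", "Bob", "id-1e88")
LOG = [("read", shap_cap), ("update", foreign_cap),
       ("delete", Capability("db:/orders", "id-55aa"))]

if __name__ == "__main__":
    for row in audit(LOG, DIRECTORY):
        print(row)
```

The second log entry shows the case Karp describes: the root introducer is outside the auditor's domain, so the best available name is the path itself.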

