[cap-talk] Horton vs. ACLs - private namespaces and the Audit Problem

Mark Miller erights at gmail.com
Wed Oct 10 16:55:22 EDT 2007
On 10/10/07, Karp, Alan H <alan.karp at hp.com> wrote:
> I presume that access to the file containing the quarterly results is
> controlled by a capability that may have been passed from object to
> object.  The question to be answered is whether any object reachable
> from the capabilities in Alan's powerbox has had the capability to the
> file in question during the time period of interest.
Reachable purely by the bi-directional topology of the reference
graph? This would correspond to Bishop & Snyder's de-facto analysis.
This is a safely conservative answer regarding potential overt
authority. But for most interesting systems, it's too conservative --
the answer will be "Yes, it's reachable." We could also derive from
the logs something like "Did Alan ever have permission to access the
quarterly results?" But this is unsafe -- Alan may have had the
authority but not the permission.

To get a safe but useful answer to whether Alan had potential overt
authority to access the quarterly results, we need to take the
behavior of some objects into account. Different stakeholders will
differ regarding which objects they are willing to rely on to behave
how. What objects would an auditor rely on to do what? How would the
auditor's perspective compare with that of any other stakeholder?

I think these are important and hard questions we have not yet begun
to engage with. No matter what the underlying access control system,
until such questions are answered, auditability is probably no more
than a legal fiction to satisfy regulators' need to believe that they
are doing something useful.

-- 
Text by me above is hereby placed in the public domain

    Cheers,
    --MarkM
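The three answers the message contrasts (bi-directional reachability in the reference graph, a log of who directly held the file capability, and directed authority that depends on which objects the auditor relies on not to relay what they hold), as an added example that is not part of the thread. The reference graph, the permission log and the "relied-on objects are not traversed" model of behaviour are constructed assumptions for illustration.

```python
from collections import deque

# Constructed capability reference graph: holder -> objects it holds a reference to.
REFERENCES = {
    "alan_powerbox": {"report_viewer", "printer"},
    "report_viewer": {"quarterly_results"},   # proxy that reads the file on request
    "hr_service": {"quarterly_results", "printer", "payroll_db"},
    "printer": set(),
    "quarterly_results": set(),
    "payroll_db": set(),
}

# Constructed audit log: objects that directly held the file capability in the period.
PERMISSION_LOG = {"quarterly_results": {"report_viewer", "hr_service"}}


def _closure(neighbors, start, stop_at=frozenset()):
    """Objects reachable from start; references held by stop_at objects are not followed."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        if node in stop_at:
            continue
        for nxt in neighbors(node):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def reachable_bidirectional(refs, src, dst):
    """Bishop & Snyder style de facto bound: ignore edge direction. Safe, very conservative."""
    def undirected(n):
        return refs.get(n, set()) | {h for h, held in refs.items() if n in held}
    return dst in _closure(undirected, src)


def had_permission(log, holder, obj):
    """What a log of direct holders answers. Unsafe: authority exercised via proxies is missed."""
    return holder in log.get(obj, set())


def potential_overt_authority(refs, src, dst, relied_on=frozenset()):
    """Directed reachability; objects in relied_on are assumed (by the auditor) not to relay
    what they hold, so their outgoing references are not followed."""
    return dst in _closure(lambda n: refs.get(n, set()), src, stop_at=relied_on)


if __name__ == "__main__":
    print(reachable_bidirectional(REFERENCES, "alan_powerbox", "payroll_db"))    # True (too conservative)
    print(had_permission(PERMISSION_LOG, "alan_powerbox", "quarterly_results"))  # False (unsafe)
    print(potential_overt_authority(REFERENCES, "alan_powerbox", "quarterly_results"))  # True via proxy
```

Passing `relied_on={"report_viewer"}` expresses an auditor who relies on the viewer not to relay the file, and the answer for Alan flips to False; a different stakeholder who does not rely on it gets True from the same graph.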
