[cap-talk] Confused Deputies arising from object capabilities
Jed Donnelley
capability at webstart.com
Mon Feb 4 01:39:09 EST 2008
At 10:29 AM 2/3/2008, Mark Miller wrote:
>On Feb 3, 2008 9:48 AM, Jed Donnelley <capability at webstart.com> wrote:
> > While such policies might be natural for a Horton
> > implementation, to me this is a somewhat surprising
> > and disappointing result.
>
>Hypothesis: The Horton PDP mechanism should be engaged only
>reactively, when we find that our proactive policies were too
>permissive and we want to stem the damage.
My gosh, that would be a very strong restriction. From
my perspective that would rule out most of the valuable
applications that I see for Horton. Mechanisms like
company sensitive information control and defense
MultiLevel Security.
I should say with regard to my "disappointment" above,
that while I'm disappointed, I'm by no means dismayed.
In fact I've never felt such a sense of clarity with
regard to these access control notions and capabilities.
Likely because of all my recent writing and so much
renewed thinking on the topic, but I certainly feel an
itching for working on a design with these topics.
I had a sense that I expect is somewhat like Alan's
expressed belief that by combining designation with
authorization pure object capability systems became
"immune" from problems with confusing deputies. However,
I've also been troubled by many situations that seem
to suggest otherwise, but that I've never run to ground.
I'm glad to have finally cleared up this situation.
At this point I feel I have such a clear view of how
these mechanisms are working, it seems a shame that I
don't have an opportunity to work on architecting a
system with them - e.g. a capability based system
with some identity based controls (e.g. MLS). If
anybody knows of such work or indeed any work in
this area, I expect to be looking for work starting
sometime between April and July - either full time
or part time consulting - after I formally retire
from the University of California. Sorry for the
blatant self promotion if such a use of the list
is frowned upon.
Regarding:
>In these circumstances,
>blunt instruments are often fine. To use Ping's analogy: While we'd
>normally like to (proactively) build fire resistant machines and
>buildings, we also must anticipate the need to (reactively) fight
>fires. When fighting a fire, we accept the risk that books will also
>get wet -- a firehose is not for delicate surgery. Likewise, if the
>Horton PDP is used only in emergencies, both of the following
>"problems" with Horton should be considered acceptable:
I don't understand why you feel constrained to these two
unfortunate situations:
>* If the Horton PDP shuts off access non-transitively, there may
>remain some confused deputy dangers during this emergency. (The
>firehose doesn't put out every flame immediately.)
>* If the Horton PDP shuts off access transitively, some legitimate
>accesses may be denied. (The firehose ruins some books.)
As I argued recently, I believe that the Horton PDP must control
access "transitively" (if I understand that term to mean that
no delegation should increase access) to avoid potentially
confusing deputies. I don't understand why controlling
access transitively in this way should deny any "legitimate"
access. No such access seems legitimate to me. I would be
interested to hear an example where you consider such increased
access legitimate.
As I noted in a recent message, access may be dynamically
adjusted in effect "behind the scenes" in response to
state changes that are independent of delegations. For
example, somebody leaving or joining the executive board
or somebody's clearance being lowered or raised. As long
as these state changes result in access that is consistent
with prior delegations (easy to do and even relatively easy
to optimize I believe), then there will be no problem with
confused deputies.
At the risk of jumping into a new thread when I believe
I should be focusing now more on the "gathering", it seems
to me that what people refer to as "rights amplification"
poses a risk of producing confused deputies, much in the
way that care must be taken when controlling access with
Horton's behind the scenes state.
>In answer to your previous question, Horton is not a hybrid system.
>Alan's ACL proposal is. However, I am now increasingly confused about
>the difference between the two. If Alan's extra check is used only
>reactively, in emergencies, then everything I say above applies to it
>as well. Perhaps Horton is a way to faithfully model, in pure ocap
>terms, the access control properties of hybrid capability systems?
I have been increasingly puzzled by what that term
"hybrid capability system" means. Perhaps somebody can
explain what they mean by that phrase? Are these systems
where there are other means of making requests besides
"invocation"s on capabilities or simply systems where
there is access control state other than just purely
capabilities? I can see how the former might be considered
"hybrid", but not the latter. In fact even what might
be meant by "purely capabilities" is puzzling to me as
I've noted that any sort of state may be being manipulated
behind the scenes in "pure" object capability systems.
--Jed http://www.webstart.com/jed-signature.html
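An added illustration of the "transitive" rule argued for in the message above (no delegation should increase access, and behind-the-scenes state changes such as a lowered clearance must yield access consistent with prior delegations). This is constructed example code, not code from this thread or from the Horton project; the PDP class, the clearance levels and the object labels are assumptions made for the illustration.

```python
from dataclasses import dataclass

# Constructed sample state: ordered clearance levels for principals and objects.
LEVELS = {"public": 0, "confidential": 1, "secret": 2}

@dataclass
class Capability:
    holder: str                          # principal currently holding it
    target: str                          # object it designates
    parent: "Capability | None" = None   # capability it was delegated from

class PDP:
    """Hypothetical policy decision point that remembers delegation chains."""
    def __init__(self, clearances, objects):
        self.clearance = dict(clearances)   # principal -> level name
        self.objects = dict(objects)        # object -> level name

    def set_clearance(self, principal, level):
        # State change made "behind the scenes", independent of any delegation.
        self.clearance[principal] = level

    def delegate(self, cap, to):
        # Delegation never widens the capability: it only records a new holder.
        return Capability(holder=to, target=cap.target, parent=cap)

    def chain(self, cap):
        while cap is not None:      # walk from the holder back to the minter
            yield cap.holder
            cap = cap.parent

    def allowed_nontransitive(self, cap):
        # Looks only at the current holder: upstream state changes are invisible.
        return LEVELS[self.clearance[cap.holder]] >= LEVELS[self.objects[cap.target]]

    def allowed_transitive(self, cap):
        # Every principal in the delegation chain must still satisfy the policy,
        # so access derived from someone who lost it is withdrawn automatically.
        need = LEVELS[self.objects[cap.target]]
        return all(LEVELS[self.clearance[p]] >= need for p in self.chain(cap))

def scenario():
    pdp = PDP({"alice": "secret", "bob": "secret", "carol": "secret"},
              {"plan": "secret"})
    root = Capability("alice", "plan")               # minted for alice
    carol_cap = pdp.delegate(pdp.delegate(root, "bob"), "carol")
    before = pdp.allowed_transitive(carol_cap)
    pdp.set_clearance("alice", "confidential")       # alice's clearance lowered
    return {"before": before,
            "nontransitive_after": pdp.allowed_nontransitive(carol_cap),
            "transitive_after": pdp.allowed_transitive(carol_cap)}
```

With the non-transitive check Carol keeps the access Alice delegated even after Alice herself may no longer hold it; the transitive check denies it without any revocation message having to be sent.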