[cap-talk] Confused deputies in hybrid systems (was: Loss of control)

Bill Frantz frantz at pwpconsult.com
Mon Feb 4 19:51:42 EST 2008


This thread is generating more confusion than light in my mind.  So,
let me go back to a simple example, based in Alan's example of the
HP financials leaking early.

Assume the HP financial data is kept on an internal web server and
accessed through a web interface with a YURL.  (In the real
situation, it was kept in a spreadsheet and passed around as an
email attachment.  Thus it easily went outside HP.)  The security
policy says, "No access to this data by non-authorized people or
from outside HP."  The authorized people are given the YURL, and the
firewall keeps people from accessing the server when they are
outside.

With the current HP firewall setup, this step would keep outsiders
from directly accessing the server.  However, if an outsider could
access an internal program which held the YURL, or pass the YURL to
an internal program, the program could in turn access the web page,
and circumvent the policy.  Access to a program which held the YURL
would need to be blocked by the firewall.  Programs which accepted
the YURL from the user would either need to be blocked from
receiving the YURL, or from using it for an outside user.

An authorized user could construct such a program and make it
accessible from outside, but doing so would probably be a firing
offence.  On the other hand, if a user just accessed the YURL from
outside, perhaps from a bookmark on his laptop, the firewall would
block access to the server, enforcing the policy, and reminding the
user about the "no outside use" part of the policy.


If we wanted to enforce this policy without using anything like the
firewall, just using capabilities, what would we do?  We need to
construct some structure of capabilities to define what is outside
and what is inside.  Then we need to have a way to prevent the YURL
from passing at least one of inside to outside or outside to inside.
As a practical matter, we probably want to implement the outside to
inside ban since the scenario includes the possibility of the YURL
going outside by physical transport of the laptop.

I invite people to come up with policy implementation techniques.

General ground rules:

* We want to be able to support generally used policies, even if
they don't provide complete security.  (Note the "lose your job"
step above.)  We are trying to show that capabilities can support
common policies, and "no access from outside" is a common policy.

* We want to do this in a "data as capabilities" environment (YURLs).

Cheers - Bill

-----------------------------------------------------------------------
Bill Frantz        | I like the farmers' market   | Periwinkle
(408)356-8506      | because I can get fruits and | 16345 Englewood Ave
www.pwpconsult.com | vegetables without stickers. | Los Gatos, CA 95032
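The scenario in the post above (an outsider who cannot reach the server directly, but gets the data by handing the YURL to an internal program that fetches it), as an added toy model in Python; this is not code from the original message or from the cap-talk list. The host name, YURL, data string and the "inside"/"outside" origin tags are all constructed for illustration.

```python
import secrets

# Constructed toy model: the financial data lives on an internal web server
# behind an unguessable URL, so the YURL itself is the capability to the data.
INTERNAL_HOST = "fin.internal.example"  # constructed host name
YURL = f"https://{INTERNAL_HOST}/report/{secrets.token_urlsafe(16)}"
FINANCIALS = "Q1 financials (constructed sample data)"


def server_fetch(url: str, origin: str) -> str:
    """Internal web server fronted by a firewall: requests from outside are
    dropped; requests from inside get the data if they present the right YURL."""
    if origin != "inside":
        raise PermissionError("firewall: request from outside dropped")
    if url != YURL:
        raise KeyError("no such resource")
    return FINANCIALS


def naive_deputy(url: str, requester_origin: str) -> str:
    """Internal program that fetches whatever URL it is handed. It always runs
    inside, so the firewall sees an inside request no matter who asked: this is
    the confused deputy that lets an outsider circumvent the policy."""
    return server_fetch(url, origin="inside")


def guarded_deputy(url: str, requester_origin: str) -> str:
    """Same program, but it refuses to exercise a URL on behalf of an outside
    requester (the 'not using it for an outside user' option in the post)."""
    if requester_origin != "inside":
        raise PermissionError("deputy: will not fetch a URL for an outside requester")
    return server_fetch(url, origin="inside")


def attempt(fn, *args):
    """Run one access attempt and report ('ok', data) or ('denied', reason)."""
    try:
        return ("ok", fn(*args))
    except (PermissionError, KeyError) as exc:
        return ("denied", str(exc))


if __name__ == "__main__":
    # An outsider holding the YURL (e.g. from a laptop bookmark) is stopped at
    # the firewall, but gets the data by passing the YURL to the naive deputy.
    print(attempt(server_fetch, YURL, "outside"))
    print(attempt(naive_deputy, YURL, "outside"))
    print(attempt(guarded_deputy, YURL, "outside"))
    print(attempt(guarded_deputy, YURL, "inside"))
```

The other option the post names, blocking the program from receiving the YURL at all, would sit in front of the deputy rather than inside it; this model shows only the origin check.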