[cap-talk] Confused deputies in hybrid systems (was: Loss of control)
Jonathan S. Shapiro
shap at eros-os.com
Tue Feb 5 10:20:33 EST 2008
On Mon, 2008-02-04 at 16:51 -0800, Bill Frantz wrote:
> However, if an outsider could
> access an internal program which held the YURL, or pass the YURL to
> an internal program, the program could in turn access the web page,
> and circumvent the policy. Access to a program which held the YURL
> would need to be blocked by the firewall. Programs which accepted
> the YURL from the user would either need to be blocked from
> receiving the YURL, or from using it for an outside user.
>
> If we wanted to enforce this policy without using anything like the
> firewall, just using capabilities, what would we do? We need to
> construct some structure of capabilities to define what is outside
> and what is inside.
I think this goes beyond capability structures. What you really
appear to be saying here is that:
1. Some form of hybrid access control is required that considers
multiple factors.
2. At least one of the factors is orthogonal to the authorities
that are part of the user's session context.
3. Because of the concern about man-in-the-middle applications,
this example may require use of some form of ambient attribute
that is used by the access control system.
That is: in this case, the program in the middle is (arguably) becoming
confused precisely because there ISN'T an ambient authority.
Note further that we must consider the possibility of outsider hostility
in this scenario. In consequence, we would like a solution that does not
rely on the participating application programs to propagate the
additional factors determining access control. On the contrary, we
should probably assume that all of this must work when that program in
the middle has been compromised.
shap
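As an added illustration (not code from this thread, and not any poster's own), the following Python toy models the scenario quoted above: an insider-only page reachable by an unguessable URL, a program inside the firewall that holds that URL and answers requests, and requests arriving from inside and outside. It runs the same request against three arrangements: a pure capability check, a hybrid check where the deputy is trusted to forward the requester's origin, and that same hybrid check when the deputy has been compromised and forwards whatever it likes. The class and attribute names, and the use of "inside"/"outside" as the orthogonal factor, are assumptions made for the example.

```python
"""Toy model of the confused deputy discussed in this thread.

Constructed illustration, not code from the cap-talk thread or from any
of the posters.  Names (WebPage, Deputy, Request, 'inside'/'outside')
are assumptions made for the example.
"""
from dataclasses import dataclass
import secrets


@dataclass
class Request:
    origin: str          # where the requester really sits: "inside" or "outside"
    claimed_origin: str  # what a dishonest deputy will report about the requester


class WebPage:
    """A page reachable by an unguessable URL (a YURL-style capability).

    Policy the site wants: the page is for insiders only.
    """

    def __init__(self, body: str):
        self.body = body
        self.yurl = "https://internal.example/p/" + secrets.token_hex(16)

    def fetch_cap_only(self, yurl: str) -> str:
        # Pure capability check: possession of the YURL is the only factor.
        if not secrets.compare_digest(yurl, self.yurl):
            raise PermissionError("unknown URL")
        return self.body

    def fetch_hybrid(self, yurl: str, reported_origin: str) -> str:
        # Hybrid check: the YURL plus a second, orthogonal factor.  The server
        # only sees what the deputy reports, so this check is exactly as
        # strong as the deputy's honesty.
        if not secrets.compare_digest(yurl, self.yurl):
            raise PermissionError("unknown URL")
        if reported_origin != "inside":
            raise PermissionError("outside access denied")
        return self.body


class Deputy:
    """Program inside the firewall that holds the YURL and serves requests."""

    def __init__(self, page: WebPage, honest: bool = True):
        self.page = page
        self.yurl = page.yurl      # authority the deputy holds in its own right
        self.honest = honest

    def serve_cap_only(self, req: Request) -> str:
        # Confused deputy: it exercises its own authority (the YURL) on behalf
        # of whoever reached it, so an outsider receives an insider-only page.
        return self.page.fetch_cap_only(self.yurl)

    def serve_hybrid(self, req: Request) -> str:
        # The deputy is relied on to propagate the extra factor.  An honest
        # deputy forwards the true origin; a compromised one forwards a lie.
        origin = req.origin if self.honest else req.claimed_origin
        return self.page.fetch_hybrid(self.yurl, origin)


def outcome(fn, req: Request) -> str:
    """Run one request through a deputy method and report served/denied."""
    try:
        fn(req)
        return "served"
    except PermissionError:
        return "denied"


def run_scenarios() -> dict:
    page = WebPage("insider-only content")
    honest = Deputy(page)
    compromised = Deputy(page, honest=False)
    outsider = Request(origin="outside", claimed_origin="inside")
    insider = Request(origin="inside", claimed_origin="inside")
    return {
        # 1. Capability only: the deputy is confused, the outsider gets the page.
        "cap_only/outsider": outcome(honest.serve_cap_only, outsider),
        # 2. Hybrid, honest deputy: the propagated factor blocks the outsider.
        "hybrid/honest/outsider": outcome(honest.serve_hybrid, outsider),
        "hybrid/honest/insider": outcome(honest.serve_hybrid, insider),
        # 3. Hybrid, compromised deputy: the factor is forged and policy fails.
        "hybrid/compromised/outsider": outcome(compromised.serve_hybrid, outsider),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:30} {result}")
```

The third scenario is the one the reply is concerned with: once the second factor travels through the application in the middle, a compromised deputy turns the hybrid check back into a capability-only check, which is why the post argues the factor has to reach the access control decision without depending on that program's cooperation.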