[cap-talk] Newbie questions about security
Jed Donnelley
jed at nersc.gov
Mon Jan 14 16:25:25 EST 2008
On 1/9/2008 5:41 PM, James Morris wrote:
> On Thu, 20 Dec 2007, Jed Donnelley wrote:
>
>> You might find this recent talk on object capabilities:
>>
>> http://youtube.com/watch?v=EGX2I31OhBE
>>
>> worth listening to. There are others if you find that
>> one worthwhile.
>
> Thanks for the high level overview of this area -- very useful!
>
> One of the questions which came up in the talk was about how you'd extend
> this model over the network.
Sorry to take so long in getting back to you on this, James.
I just thought I'd mention that mechanisms for extending an
object capability model over a network (serializing) have been
known since at least 1975 when I wrote the first version of
this paper:
J. E. Donnelley, A Distributed Capability Computing System,
Proceedings of the Third International Conference on Computer
Communication, August 1976, pp. 432-440:
http://www.webstart.com/jed/papers/DCCS/
Similar mechanisms have been reinvented at least by the
Mach folks in the late 1980s and again by Mark Miller
for his thesis:
http://www.erights.org/talks/thesis/
I believe the basic approach is the same in all cases.
Namely, a service is provided on each local (shared
memory) system that essentially translates a
descriptor based permission into a form that can
be transmitted down a wire (e.g. cryptographic
or address based). Although written from a
slightly different perspective, I explored
some of the potential ways for protection of
such serialized permissions in this 1981 paper,
Managing Domains in a Network Operating System:
http://www.webstart.com/jed/papers/Managing-Domains/
which is derivative from:
J. E. Donnelley and J. G. Fletcher, Resource Access
Control in a Network Operating System, Proceedings
of the ACM Pacific '80 Conference, San Francisco,
November 1980, pp. 115-125.
Much has changed since that time, but perhaps some
of the concepts are still useful.
> Something perhaps to consider here is how
> the current Labeled NFS work might be useful. The project mailing list is
> at:
>
> http://linux-nfs.org/pipermail/labeled-nfs/
>
> The first message has some useful introductory information.
Interesting. One thing I'll mention in this regard is
that of course the focus of this list is on achieving
Principle Of Least Authority (Privilege if you prefer)
access control and doing so by enabling the communication
of references to just the needed objects between domains
as parameters - much like with Object Oriented programming,
where the combined "object capability" model came from.
> The general idea with Labeled NFS is to convey object and subject security
> labels over NFS, to facilitate remote security labeling operations and the
> application of MAC policy to remote objects and subjects.
I assume you are referring to multi-level security labels rather
than any other form of "mandatory" access control? In that
case (since I just happened to be thinking some about this
subject) I'll mention that you might want to be on the
lookout for the means that will ultimately provide the
one-way communication that is needed to enforce the
* and simple security properties.
> While this is based around requirements for MAC, I suspect this mechanism
> might also be of use in conveying and controlling authority via references
> to distributed objects. e.g. it should allow the idea of "file descriptor
> as capability" to be applied to remote filesystem objects via NFS.
That would be terrific. If possible, don't stop with file
system objects. I believe the same sort of reasoning should
apply to any objects (e.g. directories, processes, printers,
ports, any reference in an OO language, etc., etc.).
Good luck with your work James!
--Jed
http://www.webstart.com/jed/
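The "translate a descriptor into a form that can go down a wire" step Jed describes above, worked as an added illustration that is not part of the email or of any of the cited papers. It assumes a hypothetical `CapServer` that keeps the real objects behind small-integer descriptors and mints the cryptographic (HMAC-tagged) wire form, so a received capability can be checked for tampering and for the rights it carries before the object is touched.

```python
import hmac
import hashlib
import secrets

class CapServer:
    """Hypothetical service on one shared-memory system: holds the real
    objects and translates descriptor-based permissions into wire form."""

    def __init__(self, objects):
        self.objects = objects              # local descriptor -> object
        self.key = secrets.token_bytes(32)  # verification key, never sent

    def _tag(self, fd, rights, nonce):
        # Bind descriptor, rights and nonce together under the server key.
        msg = b"%d|%s|%s" % (fd, ",".join(sorted(rights)).encode(), nonce)
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def serialize(self, fd, rights):
        """Local descriptor -> (fd, rights, nonce, tag) tuple for the wire."""
        if fd not in self.objects:
            raise KeyError("no local descriptor %d" % fd)
        rights = frozenset(rights)
        nonce = secrets.token_bytes(16)     # makes each issued cap distinct
        return (fd, rights, nonce, self._tag(fd, rights, nonce))

    def invoke(self, cap, right):
        """Check a received wire capability, then exercise one right."""
        fd, rights, nonce, tag = cap
        if not hmac.compare_digest(tag, self._tag(fd, rights, nonce)):
            raise PermissionError("forged or tampered capability")
        if right not in rights:
            raise PermissionError("capability lacks right %r" % right)
        return self.objects[fd]

def demo():
    # Constructed sample: descriptor 3 is a printer spool on this host.
    server = CapServer({3: "spool/lp0"})
    cap = server.serialize(3, {"read"})            # read-only wire cap
    ok = server.invoke(cap, "read")
    fd, rights, nonce, tag = cap
    escalated = (fd, rights | {"write"}, nonce, tag)  # rights field edited
    try:
        server.invoke(escalated, "write")
        rejected = False
    except PermissionError:
        rejected = True                            # tag no longer matches
    return {"object": ok, "escalation_rejected": rejected}

if __name__ == "__main__":
    print(demo())
```

Possession of the tuple is the authority, as in any capability scheme; what the tag adds is that neither the descriptor nor the rights can be altered in transit without the receiving server noticing.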