[cap-talk] Announcing "Analysing Object-Capability Security" Paper and Authodox v. 0.2.0

Mark Miller erights at gmail.com
Fri May 30 10:11:17 CDT 2008


On Fri, May 30, 2008 at 7:35 AM, Toby Murray
<toby.murray at comlab.ox.ac.uk> wrote:
>> The OCap model is an outgrowth of many years of work, and I think it is
>> safe to say that it is heavily influenced by systems like KeyKOS.

Absolutely!


>> Earlier attempts to capture this model:
>>
>>   Shapiro, Weber. "Verifying the EROS Confinement Mechanism",
>>      2000 IEEE Symposium on Security and Privacy, 2000
>>
>>   Lawrence Snyder. "On the Synthesis and Analysis of Protection
>>      Systems", 6th ACM Symposium on Operating Systems Principles, 1977
>>
>> Each of these differs in some particulars from the OCap model as it
>> stands today. The OCap model is a refinement of the earlier work, with
>> some significant new ideas.

Certainly. The OCap model owes a tremendous debt to these earlier works.


> The OCap model differs significantly from the earlier work cited in that
> it is an informal model.


Toby, I agree with everything you're saying, but I'd also like to call
attention to the issue that I consider the most important innovation
in the OCap model: The ability to explain the authority limiting
behavior of subjects that are themselves operating within limited
authority. All earlier models, including those Shap cites above, force
the modeler to choose, for each component of the system, whether it is

a) modeled as part of the platform -- in which case its authority
limiting behavior can be relied on, but its own authority is
unlimited, or

b) modeled as a subject operating within the rules created by the
platform, in which case its own authority can be limited, but it is
presumed hostile.

The authority limiting behavior of #b cannot be modeled in these
systems, and so these models cannot account for security arrangements
in which one relies on their behavior -- except by promoting these
subjects into category #a.

By forcing the modeler to choose between #a and #b, these models
effectively hid the possibility (and the practice) of unprivileged
access control abstractions.

-- 
Text by me above is hereby placed in the public domain

 Cheers,
 --MarkM
