[cap-talk] Reducing Ambient user authority in a Type Safe /Memory Safe OS.

Ben Kloosterman bklooste at gmail.com
Mon Dec 14 22:00:16 PST 2009

For the OS I'm working on I proposed that we can reduce user ambient
authority significantly and I want to double-check my suggestions. Firstly,
please note there is no command line/console.

Here is the escalation process; note that application settings are per user.

The emphasis for security is on the application installation process, which
is often done by the administrator. When an application installs it
provides a concise list of the access it needs, which the user can approve or
deny; it is recommended that this list be a minimal list, though a secure
option could be viable for administrators. Note we still fully support user
based home installs.

When the application does not have the security required it will escalate
via this process:

Application -> User -> Group -> Everyone/Machine

If the capability is found in any of the above (except for Everyone) then
the user will be prompted whether it's OK and whether to always allow this.
If the user always allows this, the capability will be copied to the
application's keyring capability store, or the user may select temporarily, e.g.
editor access to a system config file. Everyone (Machine) is always approved.

Note you can trivially run a lower-security system by allowing
App->User->Group escalation without prompts, which may be OK in many
environments. Vice versa, an admin could also prevent escalation of an
The impact is even if a browser breaks the sandbox there is not much they
can do.

"The fact the OS has no command line removes a large number of security
issues. We no longer need to convert arbitrary string values into file names
and into capabilities, or even have user context for the security. Here
applications directly pass references (object capabilities) to each other,
whether via a GUI browser or a batch context. For example, explorer has a
directory browse capability; when a user clicks on a document, this file with
browse capability is passed to the word processor; when this request fails the
system will start looking for escalatable capabilities of the same type (e.g.
FileCapability) and find the word processor's read/write capability, which it
will then try (if this fails it will follow the normal escalating path).
This means that applications (with per-user settings) rather than the user
become the most important security aspect, e.g. Word has R/W access to all
Word documents (.doc and .docx) in the user's document and share directory
but nothing else. This significantly reduces ambient authority since even
the use of user or user group privilege (let alone admin group) will result
in a prompt whether to allow the application access, yet for normal execution
there will be no prompts."

Is the above doable, viable or a good idea?

Ben Kloosterman
