[cap-talk] Reducing Ambient user authority in a Type Safe/Memory Safe OS.
Karp, Alan H
alan.karp at hp.com
Thu Dec 17 10:42:32 PST 2009
Ben Kloosterman wrote:
>
> 1) However I still want to cover upgrading the capability from say
> browse to R/W when a browse capability is received via iPC.
Then you are enabling confused deputy attacks.
> 2) As per my other message, how to handle directory trees, rights to
> non-capability servers, and cases where the user does not have rights.
> E.g. a Windows UAC popup could be useful: e.g. support personnel turns on
> the denied-rights popup policy, customer starts the app, a right is denied,
> it prompts for another user id, the support person enters it and then transfers
> the Capability to the app permanently or temporarily. I termed this
> escalation too; even though it looks like UAC, the mechanism is very
> different, as it is just used to transfer the Capability.
>
This doesn't sound like a very scalable approach. Do I have a support person sitting in my cube to enter credentials every time one of my requests is denied?
>
> Most rights in these organizations will be centrally distributed. How
> is this handled? Do you pass this into the File Dialog (e.g. what files
> it can see) and the Setup installer? Even on my own PC, if I let other
> users use it I don’t want them to see all files. How do you restrict
> this? Does CapDesk sit on top of User/Group/Everyone rights?
>
The general idea is that the user has a petname for each capability. If the user doesn't have a capability, there's no name. That is what the CapDesk file chooser does while sitting on top of a Linux or Windows file system.
________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
http://www.hpl.hp.com/personal/Alan_Karp
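A toy model of the two points made in this reply, added here as an illustration and not taken from CapDesk or any cap-talk code: a capability carries a fixed set of rights that can only be attenuated (so a "browse" capability received over IPC has no upgrade path to read/write, which is what closes the confused-deputy door), and the chooser lists only petnamed capabilities, so a file with no petname simply does not exist for that user. All class and function names are assumed for the example.

```python
"""Constructed model of a petname-based file chooser (not CapDesk code)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class FileCap:
    """An unforgeable handle to one file carrying a fixed set of rights."""
    path: str
    rights: FrozenSet[str]  # subset of {"browse", "read", "write"}

    def attenuate(self, *keep: str) -> "FileCap":
        """Derive a weaker capability: rights can only shrink, never grow.

        There is deliberately no inverse operation, so a holder of a
        browse-only cap cannot talk itself up to read/write."""
        return FileCap(self.path, self.rights & frozenset(keep))


class PetnameDesk:
    """The user's private petname table: petname -> capability.

    A file with no petname is invisible to the chooser, so an app that is
    handed a capability over IPC holds exactly the rights the user granted."""

    def __init__(self) -> None:
        self._table: Dict[str, FileCap] = {}

    def grant(self, petname: str, cap: FileCap) -> None:
        self._table[petname] = cap

    def choose(self) -> List[str]:
        """What the file chooser can display: only named capabilities."""
        return sorted(self._table)

    def open(self, petname: str) -> FileCap:
        """No name means no capability; the lookup simply fails."""
        return self._table[petname]


def app_write(cap: FileCap, content: str, store: Dict[str, str]) -> bool:
    """A receiving app can only exercise the rights on the cap it was given.

    `store` stands in for the file system (constructed, in-memory)."""
    if "write" not in cap.rights:
        return False
    store[cap.path] = content
    return True
```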