[cap-talk] "ACLs don't" paper rejected from Oakland 09

Toby Murray toby.murray at comlab.ox.ac.uk
Mon Feb 2 04:16:40 CST 2009


On Mon, 2009-02-02 at 10:51 +0100, Matej Kosik wrote:
> let us examine a far
> more important goal: how to follow the principle of least privilege? Is
> this possible in ACL scheme? Can you provide some examples? Is there
> anyone that claims it can be done? Can we see examples? Tanenbaum
> himself and many people on this list can show that this is quite
> straightforward if we use capabilities. Does anyone disagree with this
> claim? Can we provide the supporting evidence?

Something that just crystalised for me was the following. Capabilities
store permissions with the subject that uses them. ACLs store permissions
with the subject to whom they pertain. Storing permissions with the
subject that uses them makes it easier to determine, then, whether those
permissions match the function of the subject that is going to use them.
It is easier to determine, then, whether that subject has excess
permissions and, hence, if POLP is being followed.

Storing permissions with the subject to whom they pertain makes it
easier to determine who has permission to access this subject in what
way. Historically (and even presently) many see value in this from an
audit perspective -- it's 'easy' to find out if someone can access this
resource that shouldn't by examining its ACL. The prevalence of confused
deputies in ACL systems undermines this audit argument, however. It is
also clear that auditing POLA here is much more difficult. We can
determine whether a particular subject has POLA enforced only by
examining *every* ACL in the system. On the Internet, this is clearly
impossible. Therefore, in general, POLA cannot be achieved in an ACL
system (simply because doing the auditing is impractical if not
impossible for real-world, large-scale systems).

Is that fair? Has that been said before?

Cheers

Toby
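A toy model of the audit argument in the post above, added here as an example and not part of the original message or any cap-talk project code. The same grants are stored once as per-subject capability lists and once as per-object ACLs; the subjects, objects and permissions are constructed sample data.

```python
# Added example (not from the original post): computing a subject's total
# authority, which a least-privilege audit needs, is a single local lookup
# in the capability model but a scan of every object's ACL in the ACL model.
from collections import defaultdict

# Constructed sample grants (subject, object, permission); not real data.
GRANTS = [
    ("backup", "/etc/passwd", "read"),
    ("backup", "/home/alice", "read"),
    ("backup", "/home/bob", "read"),
    ("web", "/var/www", "read"),
    ("web", "/home/alice", "write"),   # excess authority for a web server
    ("alice", "/home/alice", "write"),
]

def build_capability_lists(grants):
    """Capability view: permissions stored with the subject that uses them."""
    caps = defaultdict(set)
    for subject, obj, perm in grants:
        caps[subject].add((obj, perm))
    return caps

def build_acls(grants):
    """ACL view: permissions stored with the object they pertain to."""
    acls = defaultdict(set)
    for subject, obj, perm in grants:
        acls[obj].add((subject, perm))
    return acls

def authority_from_caps(caps, subject):
    """Return (authority, records_examined): one per-subject lookup."""
    return set(caps.get(subject, ())), 1

def authority_from_acls(acls, subject):
    """Return (authority, records_examined): every ACL must be read,
    because nothing else records where this subject appears."""
    found = set()
    for obj, entries in acls.items():
        for subj, perm in entries:
            if subj == subject:
                found.add((obj, perm))
    return found, len(acls)

def excess_authority(authority, required):
    """Permissions held beyond what the subject's function requires."""
    return authority - required
```

With four objects in the sample, the ACL-side audit of any one subject touches all four ACLs, and that count grows with the number of objects in the system rather than with the subject's actual holdings.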
