[cap-talk] "ACLs don't" paper rejected from Oakland 09

Matej Kosik kosik at fiit.stuba.sk
Mon Feb 2 07:30:38 CST 2009


Toby Murray wrote:
> On Mon, 2009-02-02 at 10:51 +0100, Matej Kosik wrote:
>> let us examine a far
>> more important goal: how to follow the principle of least privilege? Is
>> this possible in an ACL scheme? Can you provide some examples? Is there
>> anyone who claims it can be done? Can we see examples? Tanenbaum
>> himself and many people on this list can show that this is quite
>> straightforward if we use capabilities. Does anyone disagree with this
>> claim? Can we provide the supporting evidence?
> 
> Something that just crystallised for me was the following. Capabilities
> store permissions with the subject that uses them. ACLs store permissions
> with the subject to whom they pertain. Storing permissions with the
> subject that uses them makes it easier to determine, then, whether those
> permissions match the function of the subject that is going to use them.
> It is easier to determine, then, whether that subject has excess
> permissions and, hence, whether POLP is being followed.
> 
> Storing permissions with the subject to whom they pertain makes it
> easier to determine who has permission to access this subject in what
> way. Historically (and even presently) many see value in this from an
> audit perspective -- it's 'easy' to find out if someone who shouldn't
> can access this resource by examining its ACL. The prevalence of confused
> deputies in ACL systems undermines this audit argument, however. It is
> also clear that auditing POLA here is much more difficult. We can
> determine whether a particular subject has POLA enforced only by
> examining *every* ACL in the system. On the Internet, this is clearly
> impossible. Therefore, in general, POLA cannot be achieved in an ACL
> system (simply because doing the auditing is impractical if not
> impossible for real-world, large-scale systems).
> 
> Is that fair? Has that been said before?

The claim cannot be proved in general, but it can be shown in particular
contexts that it is true. One particular case I discussed with Minix
developers, but our goals were different. What they claim is that as long
as you do not change the drivers, the OS will work. I claim that it is
possible to craft a driver that will crash the OS. Which is fine from their
viewpoint. Not fine from my viewpoint. Today I saw a report of a broken
WiFi driver that enabled an attacker to exploit your computer (with a
specific WiFi chip) remotely---execute arbitrary code in kernel space.

Similarly, we can claim that it is possible to craft an application that
deletes the user's directory. From MS's viewpoint it is fine because it is
the "user's fault" if he ran it. See Rule #1:
http://technet.microsoft.com/en-us/library/cc722487.aspx
They pretend that the problem does not exist simply by declaring that
mobile code does not exist. Problem "solved".
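The structural point in the quoted reply (ACLs keyed by object, capabilities keyed by subject, and the resulting cost of auditing a single subject for least privilege) can be made concrete with a small model. The following Python is an added example, not code from the cap-talk thread or any of its participants; the subjects, objects and rights in `GRANTS` are constructed sample data, and `excess_permissions` is a hypothetical POLP check that compares what a subject holds against what its function is declared to need. Each audit query also reports how many entries it had to inspect, which is the quantity the reply's argument turns on.

```python
"""Toy model of object-centric (ACL) vs subject-centric (capability) storage.

Constructed example: one permission set is laid out both ways, then each
layout is asked the two audit questions contrasted in the thread:
  1. "who can access this object?"   (cheap in the ACL layout)
  2. "what can this subject access?"  (cheap in the capability layout; in
     the ACL layout it requires a scan of every ACL in the system)
"""
from collections import defaultdict

# Constructed sample grants: (subject, object, rights) triples.
GRANTS = [
    ("alice", "/home/alice", "rw"),
    ("alice", "/tmp", "rw"),
    ("backup", "/home/alice", "r"),
    ("backup", "/home/bob", "r"),
    ("bob", "/home/bob", "rw"),
    ("bob", "/tmp", "rw"),
    ("wifi_driver", "/dev/wlan0", "rw"),
]


def build_acls(grants):
    """Object-centric layout: each object lists the subjects allowed on it."""
    acls = defaultdict(dict)
    for subject, obj, rights in grants:
        acls[obj][subject] = rights
    return acls


def build_clists(grants):
    """Subject-centric layout: each subject holds the capabilities it may use."""
    clists = defaultdict(dict)
    for subject, obj, rights in grants:
        clists[subject][obj] = rights
    return clists


def who_can_access_acl(acls, obj):
    """ACL layout: one lookup; only this object's ACL is inspected."""
    entries = acls.get(obj, {})
    return dict(entries), len(entries)


def what_can_subject_access_acl(acls, subject):
    """ACL layout: every ACL in the system must be walked to answer this."""
    found, inspected = {}, 0
    for obj, entries in acls.items():
        inspected += len(entries)
        if subject in entries:
            found[obj] = entries[subject]
    return found, inspected


def what_can_subject_access_clist(clists, subject):
    """Capability layout: the subject's own c-list is the complete answer."""
    entries = clists.get(subject, {})
    return dict(entries), len(entries)


def who_can_access_clist(clists, obj):
    """Capability layout: the mirror-image cost; every c-list must be walked."""
    found, inspected = {}, 0
    for subject, entries in clists.items():
        inspected += len(entries)
        if obj in entries:
            found[subject] = entries[obj]
    return found, inspected


def excess_permissions(held, needed):
    """Hypothetical POLP check: rights a subject holds beyond its declared need.

    `held` and `needed` both map object -> rights string. An entry is excess
    if the object is not needed at all or the held rights are wider than
    what the function requires.
    """
    excess = {}
    for obj, rights in held.items():
        required = needed.get(obj)
        if required is None or set(rights) - set(required):
            excess[obj] = rights
    return excess


if __name__ == "__main__":
    acls, clists = build_acls(GRANTS), build_clists(GRANTS)
    # Auditing the object "/home/alice" is cheap with ACLs ...
    print("ACL, who can access /home/alice:", who_can_access_acl(acls, "/home/alice"))
    # ... while auditing the subject "backup" scans all seven grants.
    print("ACL, what can backup access:", what_can_subject_access_acl(acls, "backup"))
    # With capabilities the same subject audit inspects only its two entries.
    print("C-list, what can backup access:", what_can_subject_access_clist(clists, "backup"))
    # The POLP question the reply raises, answered from the subject's c-list.
    held, _ = what_can_subject_access_clist(clists, "alice")
    print("alice excess vs. need {'/home/alice': 'rw'}:",
          excess_permissions(held, {"/home/alice": "rw"}))
```

The inspected-entry counts are the point: with `n` objects and `m` subjects, the ACL layout answers "who can reach this object" by reading one ACL but answers "what can this subject reach" only by reading all `n` ACLs, and the capability layout has exactly the opposite profile. Since a least-privilege audit is the second question, it is the layout that keeps permissions with the subject that makes that audit a local operation.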
