[cap-talk] Bee Eyes (was: "ACLs don't" paper rejected from Oakland 09)
Karp, Alan H
alan.karp at hp.com
Mon Feb 2 12:39:18 EST 2009
MarkM wrote:
>
> I will take this opportunity to re-raise the topic of so-called "hybrid
> capability systems" (HCS) like Gong's ICAP, Karger's SCAP, most of Kain
> and Landwehr's taxonomy, and the "unauthorized capabilities" of the IBM
> System/38 aka AS/400 aka iSeries. The basic idea of an HCS is that an
> access is allowed iff it is allowed by ACL rules *and* it is allowed by
> cap rules. In an HCS, the principal id of the immediate requestor is
> still presented to the reference monitor, for checking against an ACL
> as an additional requirement beyond the normal ocap rules. In one form
> of HCS, the ACL to be checked is associated with the designated object.
> In another, the ACL may be associated with the capability on which the
> request is made.
>
We have proposed something similar for the Navy to support Risk Adaptive Access Control (RADAC) with ZBAC. The user's identity, or more likely set of attributes, is used to make a context-dependent decision on whether or not to honor the capability. For example, the capability will be honored unless we're at war with Canada and the submitter is a Canadian. It's important that the NBAC check be used only to reduce the rights carried in the capability, or you can get a confused deputy.
________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
http://www.hpl.hp.com/personal/Alan_Karp
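A minimal illustration of the restriction-only hybrid check discussed in this thread (an added example, not code from the message or from the RADAC/ZBAC work it mentions; the attribute names, the `Context` fields and the `additive_allows` counter-example are assumptions for illustration):

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Capability:
    """Designates an object and carries a set of rights (constructed example)."""
    obj: str
    rights: frozenset

@dataclass(frozen=True)
class Context:
    """Requestor attributes plus environment state, as a RADAC-style policy sees them."""
    attrs: frozenset = field(default_factory=frozenset)        # e.g. {"Canadian", "admin"}
    adversaries: frozenset = field(default_factory=frozenset)  # nationalities currently at war
    untrusted_network: bool = False

def context_restrictions(cap: Capability, ctx: Context) -> frozenset:
    """ACL-side rules, phrased only as rights to REMOVE from the capability."""
    removed = set()
    if ctx.attrs & ctx.adversaries:   # submitter belongs to a nation we are at war with
        removed |= cap.rights         # honor nothing
    if ctx.untrusted_network:
        removed.add("write")
    return frozenset(removed)

def effective_rights(cap: Capability, ctx: Context) -> frozenset:
    """Hybrid rule: access is allowed iff the capability allows it AND the ACL rules do.
    Because restrictions are subtracted, the result is always a subset of cap.rights."""
    return cap.rights - context_restrictions(cap, ctx)

def hybrid_allows(cap: Capability, ctx: Context, op: str) -> bool:
    return op in effective_rights(cap, ctx)

def additive_allows(cap: Capability, ctx: Context, op: str) -> bool:
    """Counter-example of the mistake the message warns about: the identity check
    ADDS rights. A deputy running with attr "admin" then exercises "write" on
    behalf of a caller who only handed it a read capability: a confused deputy."""
    ambient = {"write"} if "admin" in ctx.attrs else set()
    return op in (cap.rights | ambient)

if __name__ == "__main__":
    doc = Capability("report.txt", frozenset({"read", "write"}))
    peace = Context(attrs=frozenset({"Canadian"}))
    war = Context(attrs=frozenset({"Canadian"}), adversaries=frozenset({"Canadian"}))
    print(hybrid_allows(doc, peace, "read"), hybrid_allows(doc, war, "read"))  # True False
    read_only = Capability("report.txt", frozenset({"read"}))
    deputy = Context(attrs=frozenset({"admin"}))
    print(hybrid_allows(read_only, deputy, "write"),
          additive_allows(read_only, deputy, "write"))  # False True
```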