[cap-talk] "ACLs don't" paper rejected from Oakland 09
David-Sarah Hopwood
david.hopwood at industrial-designers.co.uk
Tue Feb 3 07:18:03 CST 2009
Toby Murray wrote:
> On Mon, 2009-02-02 at 17:10 +0000, David-Sarah Hopwood wrote:
>> Toby Murray wrote:
>>> All equivalence claims between caps and ACLs are about expressible
>>> static configurations of permissions. In this case, they *are*
>>> equivalent -- both can express the same static configurations of
>>> permissions.
>> This is false, because in the capability case, the access matrix is
>> not an abstraction of all relevant protection state. In a capability
>> system, it matters (to the results of access decisions, and therefore
>> to the ability to resist classes of attack) which capabilities are stored
>> in which variables. This information is not present in the access matrix.
>
> Who says a cap system has variables in which caps can be stored? (In
> this case it wouldn't be an object-cap system but that wouldn't stop it
> from being a cap system.)
In any capability system, capabilities can be independently designated,
regardless of whether the system is type-partitioned or whether it is
an object-capability system.

Suppose that a subject S holds two capabilities to object O, one with
{read} rights and another with {read, write} rights. Then the access
matrix entry for (S, O) will contain at least {read, write}, but whether
any particular request is for write access depends on which capability
S designates.

The general point I'm trying to make isn't restricted to systems in which
there are multiple rights. Even if there is only an 'invoke' right, the
mapping from designators (variable names, C-list indices, capability
hardware registers, sparse or cryptographic capability representations,
etc.) to capabilities must be considered as part of the protection state.

That is because when a subject sends a message containing capabilities,
it does that by specifying designators for those capabilities. It does
not do so by naming each object to be acted on, and then having the
system pick a capability for that object if the subject holds one.
If it did that, then it would be vulnerable to confused deputy attacks.
But whether each subject holds *any* capability to each object (with
given rights) is all the information that the access matrix contains.
--
David-Sarah Hopwood ⚥
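The distinction argued in the post can be made concrete in a small model. The following is an added example, not code from the post or from any cap-talk participant: it derives the access matrix from the capabilities each subject holds, then shows that an access decision keyed on the designated capability and one keyed on the object name give different answers for the same matrix entry. The subject names (S, compiler, client), object names (O, billing, client_out) and rights are constructed for the example. The deputy functions at the end generalize the post's last paragraph: the client may only hand over a capability it can designate, so a deputy that writes through the received capability cannot be steered onto its own billing file, while a deputy that resolves a bare object name against its own holdings can.

```python
"""Toy model of the post's point: the access matrix (subject x object -> rights)
is derived from which capabilities each subject holds, but it forgets which
capability a subject *designates* on a given request. All names and rights
below are constructed for the example."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Capability:
    """An unforgeable reference: designates one object with a fixed set of rights."""
    obj: str
    rights: frozenset


@dataclass
class Subject:
    name: str
    clist: dict = field(default_factory=dict)  # designator -> Capability


def access_matrix(subjects):
    """Collapse held capabilities into the access-matrix abstraction:
    for each (subject, object) the union of rights over all held capabilities."""
    matrix = {}
    for s in subjects:
        for cap in s.clist.values():
            key = (s.name, cap.obj)
            matrix[key] = matrix.get(key, frozenset()) | cap.rights
    return matrix


def invoke_by_designator(subject, designator, right):
    """Capability-style decision: the request names a designator, and only the
    rights carried by *that* capability count."""
    cap = subject.clist.get(designator)
    return cap is not None and right in cap.rights


def invoke_by_object_name(matrix, subject, obj, right):
    """Access-matrix-style decision: the request names the object, and the
    system grants it if the subject holds the right to that object at all."""
    return right in matrix.get((subject.name, obj), frozenset())


def demo():
    """The post's scenario: S holds a {read} and a {read, write} capability to O."""
    s = Subject("S", {
        "ro": Capability("O", frozenset({"read"})),
        "rw": Capability("O", frozenset({"read", "write"})),
    })
    matrix = access_matrix([s])
    return {
        "matrix_entry": matrix[("S", "O")],                      # {read, write}
        "write_via_ro": invoke_by_designator(s, "ro", "write"),   # False
        "write_via_rw": invoke_by_designator(s, "rw", "write"),   # True
        "write_by_name": invoke_by_object_name(matrix, s, "O", "write"),  # True
    }


def deputy_write_by_designator(deputy, client, client_designator):
    """Capability protocol: the client sends a capability it holds (by its own
    designator); the deputy writes through that capability, not its own."""
    cap = client.clist.get(client_designator)
    if cap is None:
        return None  # the client cannot designate what it does not hold
    deputy.clist["from_client"] = cap  # transferred capability, fresh designator
    return cap.obj if invoke_by_designator(deputy, "from_client", "write") else None


def deputy_write_by_name(matrix, deputy, obj_name):
    """Name-based protocol: the client sends only an object name and the system
    picks a matching capability from the deputy's own holdings."""
    return obj_name if invoke_by_object_name(matrix, deputy, obj_name, "write") else None


def confused_deputy_demo():
    """Deputy holds write to 'billing'; client holds write only to 'client_out'."""
    deputy = Subject("compiler", {"bill": Capability("billing", frozenset({"write"}))})
    client = Subject("client", {"out": Capability("client_out", frozenset({"write"}))})
    matrix = access_matrix([deputy, client])
    return {
        # client designates its own output: deputy writes there and nowhere else
        "designator_honest": deputy_write_by_designator(deputy, client, "out"),
        # client has no designator for 'billing', so nothing is transferred
        "designator_attempt": deputy_write_by_designator(deputy, client, "billing"),
        # by name, the deputy's own authority to 'billing' is exercised
        "name_attempt": deputy_write_by_name(matrix, deputy, "billing"),
    }


if __name__ == "__main__":
    print(demo())
    print(confused_deputy_demo())
```

Both decision procedures see the same matrix entry {read, write} for (S, O); only the designator-keyed one can deny the write made through the read-only capability, which is exactly the protection state the matrix does not record.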