[cap-talk] "ACLs don't" paper rejected from Oakland 09

Toby Murray toby.murray at comlab.ox.ac.uk
Thu Jan 29 12:30:30 EST 2009 

On Wed, 2009-01-28 at 18:57 -0800, Tyler Close wrote:
> I've put the oakland09 submission, rejection email, and my updated
> version of the paper at:
> 
> http://waterken.sourceforge.net/aclsdont/
> 

Looking at the reviewers' comments:


> Obviously it is commonly agreed that "the view presented in the
> Protection paper that ACLs and capabilities are merely different
> implementation choices for a single access model embodied by the
> access matrix is incorrect."

... 

> I would assume that any serious system security course would touch on
> most of them in its AC section. 

I took the Oxford course on Computer Security in my first year here as a
grad student. I distinctly remember the lecture on access control in
which the lecturer made the assertion that, from a formal point of view
(as this was the standpoint of the entire course), ACLs and capabilities
are simply the dual of each other. The implication being that of course
they are somewhat equivalent.

I chose not to take up this debate, wisely I thought. However, the
course was written by, and has been taught by, some pretty respected
names in foundational (i.e. formal) aspects of security.

I honestly don't believe that the insights assembled in this paper are
common knowledge, especially amongst security traditionalists. They are
certainly not covered by any of the mainstream general texts on computer
security that would be used by any University security course.


The third reviewer clearly gets it. The fact that they scored it a weak
accept anyway indicates that Oakland must reject good papers.


The best way to address the "rhetoric" and "not enough 'raw meat'" style
comments would be to take an example of a real CSRF/Clickjacking flaw on
a real site. Explain the flaw, and then show how the system could be
reimplemented (easily) using webkeys to remove the flaw. Extra space
could be made to include this stuff by distilling the earlier
presentation of the confused deputy attack, which everyone (perhaps
surprisingly) does seem to be across.

Cheers

Toby

More information about the cap-talk mailing list