[cap-talk] "ACLs don't" paper rejected from Oakland 09
Tyler Close
tyler.close at gmail.com
Thu Jan 29 12:53:31 EST 2009
Hi Toby,
That's a very interesting anecdote from the Oxford course. Thanks for
sharing it.
I was wondering if you were better able to follow the paper references
that reviewer #31C made:
""
It is true the Protection paper didn't discuss on the fundamental
differences between ACL and capabilities. However, many subsequent
papers, many of which on this symposium (e.g. IBAC, KeykoS, OASIS,
etc.),
discuss extensively on the difference, in particular when it's matter
of delegation.
"""
Do you know what specific papers are referenced there?
I was also wondering what to make of the comments on delegation:
"""
I am also surprised that delegation was barely mentioned in the paper,
since most of the problems outlined seem to boil down to: 1) hidden
delegation, while it should be made explicit to make evident when the
Compiler acts on behalf of a User (which user and on which file); 2)
use of ACLs instead of capabilities to implement this delegation.
"""
I thought the early section on the access matrix made it clear that
the delegation in the ACL model is explicit, just not implemented
correctly. Permissions are added to the access matrix explicitly; it's
just that the subsequent lookups against this table are wrong.
Similarly confused about point 2).
Thanks,
--Tyler
On Thu, Jan 29, 2009 at 10:30 AM, Toby Murray
<toby.murray at comlab.ox.ac.uk> wrote:
> On Wed, 2009-01-28 at 18:57 -0800, Tyler Close wrote:
>> I've put the oakland09 submission, rejection email, and my updated
>> version of the paper at:
>>
>> http://waterken.sourceforge.net/aclsdont/
>>
>
> Looking at the reviewers' comments:
>
>
>> Obviously it is commonly agreed that "the view presented in the
>> Protection paper that ACLs and capabilities are merely different
>> implementation choices for a single access model embodied by the
>> access matrix is incorrect."
>
> ...
>
>> I would assume that any serious system security course would touch on
>> most of them in its AC section.
>
> I took the Oxford course on Computer Security in my first year here as a
> grad student. I distinctly remember the lecture on access control in
> which the lecturer made the assertion that, from a formal point of view
> (as this was the standpoint of the entire course), ACLs and capabilities
> are simply the dual of each other. The implication being that of course
> they are somewhat equivalent.
>
> I chose not to take up this debate, wisely I thought. However, the
> course was written by, and has been taught by, some pretty respected
> names in foundational (i.e. formal) aspects of security.
>
> I honestly don't believe that the insights assembled in this paper are
> common knowledge, especially amongst security traditionalists. They are
> certainly not covered by any of the mainstream general texts on computer
> security that would be used by any University security course.
>
>
> The third reviewer clearly gets it. The fact that they scored it a weak
> accept anyway indicates that Oakland must reject good papers.
>
>
> The best way to address the "rhetoric" and "not enough 'raw meat'" style
> comments would be to take an example of a real CSRF/Clickjacking flaw on
> a real site. Explain the flaw, and then show how the system could be
> reimplemented (easily) using webkeys to remove the flaw. Extra space
> could be made to include this stuff by distilling the earlier
> presentation of the confused deputy attack, which everyone (perhaps
> surprisingly) does seem to be across.
>
> Cheers
>
> Toby
>
> _______________________________________________
> cap-talk mailing list
> cap-talk at mail.eros-os.org
> http://www.eros-os.org/mailman/listinfo/cap-talk
>
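The point Tyler makes above about the access matrix (permissions are recorded explicitly, but the lookup the deputy performs consults the wrong row) and the reviewer's two complaints (hidden delegation; ACLs used to implement it) can be shown side by side in a small model. The following is an added illustration for this thread, not code from the "ACLs don't" paper or from any project; the subjects (`user`, `compiler`), file names (`prog.c`, `out.o`, `billing.log`) and rights are constructed sample values. It runs the same "compile prog.c into billing.log" request through an ambient-authority ACL deputy, an ACL deputy that checks the requester's row as well, and a capability-passing deputy.

```python
"""Toy model of the confused deputy under ACL lookup versus capability passing.

Added illustration for the cap-talk discussion; not code from the "ACLs don't"
paper or any project. Subjects, file names and rights are constructed.
"""
from dataclasses import dataclass

# Access matrix: (subject, object) -> rights. Constructed sample: the compiler
# service may write its own billing log and read/write work files; the user
# may only touch the user's own files and holds no rights on billing.log.
ACCESS_MATRIX = {
    ("compiler", "billing.log"): {"write"},
    ("compiler", "prog.c"): {"read"},
    ("compiler", "out.o"): {"write"},
    ("user", "prog.c"): {"read", "write"},
    ("user", "out.o"): {"read", "write"},
}

FS = {}  # in-memory file store written by the toy compiler


class Denied(Exception):
    """Raised when an access check fails."""


def acl_check(subject, obj, right):
    """Plain ACL lookup: does this subject hold this right on this object?"""
    return right in ACCESS_MATRIX.get((subject, obj), set())


def acl_compile(requester, source, output):
    """ACL-style deputy: the compiler runs under its own identity and checks
    only its own rights. The requester's row is never consulted, so the
    matrix entry saying the user may not write billing.log has no effect."""
    if not acl_check("compiler", source, "read"):
        raise Denied(f"compiler cannot read {source}")
    if not acl_check("compiler", output, "write"):
        raise Denied(f"compiler cannot write {output}")
    FS[output] = f"object code for {source} (requested by {requester})"
    return output


def acl_compile_delegated(requester, source, output):
    """Same deputy with the delegation made explicit: every object the
    requester names is checked against the requester's row too, so the
    compiler only exercises authority the requester actually holds."""
    if not (acl_check(requester, source, "read") and acl_check("compiler", source, "read")):
        raise Denied(f"{requester} may not have {source} compiled")
    if not (acl_check(requester, output, "write") and acl_check("compiler", output, "write")):
        raise Denied(f"{requester} may not write {output}")
    FS[output] = f"object code for {source} (requested by {requester})"
    return output


@dataclass(frozen=True)
class Cap:
    """An unforgeable reference bundling an object with the rights on it."""
    obj: str
    rights: frozenset


def caps_held_by(subject):
    """Capability view of the same matrix: the subject's row, as references."""
    return {obj: Cap(obj, frozenset(r)) for (s, obj), r in ACCESS_MATRIX.items() if s == subject}


def cap_compile(source_cap, output_cap):
    """Capability-style deputy: authority arrives with the request. The
    compiler cannot write anywhere the caller could not already write,
    because the caller must hand over a capability for the output file."""
    if "read" not in source_cap.rights:
        raise Denied(f"no read capability for {source_cap.obj}")
    if "write" not in output_cap.rights:
        raise Denied(f"no write capability for {output_cap.obj}")
    FS[output_cap.obj] = f"object code for {source_cap.obj}"
    return output_cap.obj


def demo():
    """Run the three variants on the same request and report what happened."""
    results = {}
    # 1. Ambient-authority ACL deputy: the user names billing.log as the
    #    output and the compiler's own rights let the write through.
    results["acl"] = acl_compile("user", "prog.c", "billing.log")
    # 2. Explicit delegation: the user's row is consulted, so it is refused.
    try:
        acl_compile_delegated("user", "prog.c", "billing.log")
        results["acl_delegated"] = "allowed"
    except Denied:
        results["acl_delegated"] = "denied"
    # 3. Capabilities: the user holds no reference to billing.log to pass,
    #    so the only outputs the user can request are files the user owns.
    user_caps = caps_held_by("user")
    results["cap_has_billing"] = "billing.log" in user_caps
    results["cap"] = cap_compile(user_caps["prog.c"], user_caps["out.o"])
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Run as a script it prints `acl: billing.log` (the deputy overwrote the log on the user's behalf), `acl_delegated: denied`, `cap_has_billing: False` and `cap: out.o`. The delegated ACL variant fixes this particular deputy only because the programmer remembered to check the requester's row on each object; the capability variant has no such check to forget, since the output location and the authority to write it are the same value.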