[cap-talk] "ACLs don't" paper rejected from Oakland 09

Tyler Close tyler.close at gmail.com
Sat Jan 31 09:48:51 EST 2009

On Fri, Jan 30, 2009 at 9:38 AM, Toby Murray
<toby.murray at comlab.ox.ac.uk> wrote:
> On Fri, 2009-01-30 at 09:13 -0800, Tyler Close wrote:
>>  ACLs
>> arrived along with the claim that the access matrix was the "one true
>> model of access control", meaning ACLs and capabilities were
>> semantically equivalent. Now, I would have thought that in order to
>> make a claim that two algorithms are equivalent, you'd have to provide
>> some proof that their outputs are also always equivalent. No such
>> proof was ever attempted or demanded for the access matrix claim.
> The equivalence between ACLs and Capabilities has usually been stated in
> contexts where the rules for updating the ACLS or for capability
> propagation are unspecified, no?.

The Protection paper did specify rules for adding entries to the
access matrix, but the equivalence claim is independent of these

>>  As
>> I've shown in "ACLs don't", the outputs are not equivalent and so the
>> equivalence claim is ridiculous (AFAIK, no other paper has ever put
>> these two things together).
> Two points: are the arguments in "ACLs don't" predicated on any set of
> rules for permission propagation, no matter how sound or representative?
> (such a rule might be "you can pass a capability only to another subject
> that you possess a capability to that allows you to pass such a
> capability to it". While sound, representative and useful, if the
> arguments about any inequivalence require such a rule, then they don't
> necessarily violate the equivalence claims.

No part of the Confused Deputy attack relies on either systems
(in)ability to confine any of the involved principals, so rules
restricting delegation are not relevant to the attack.

> I think that CapMyths was the first to argue that ACLs and capabilities
> are not equivalent. How do the claims in "ACLs don't" differ from those
> in CapMyths? (I really need to re-read "ACLs Don't"..)

CapMyths did argue that ACLs and capabilities are not equivalent, but
it did not do this by pointing out that the outputs are different.
Consequently, some of the reviewers were unconvinced by the argument.
In the Related Work section of "ACLs don't", I write:

This paper (CapMyths) also presented a refutation
of the claimed equivalence of the ACL and capability
models. This refutation pointed out the need for a
global namespace for both principals and objects in
the ACL model, where only local namespaces are used
in the capability model. Though the paper separately
discusses the Confused Deputy problem, the refutation
of equivalence does not point out the differences in
access decisions made by the two models, or how
this semantic difference arises.


More information about the cap-talk mailing list