[cap-talk] "ACLs don't" paper rejected from Oakland 09
Tyler Close
tyler.close at gmail.com
Sat Jan 31 13:00:33 EST 2009
Comments inline below...
On Sat, Jan 31, 2009 at 2:52 AM, David Wagner <daw at cs.berkeley.edu> wrote:
> Tyler Close wrote:
>> If it is true that it is hard to publish a paper that only evaluates
>> existing mechanisms, rather than proposing new mechanisms, that would
>> go a long way towards explaining why poor mechanisms survive and
>> thrive for so long in this field once they take hold.
>
> Interesting. I'd never thought about it this way before, but I
> suspect there may be a good bit of truth to that.
>
> There are some cases where critiques get published. If you manage to
> break the security of a published scheme, it is often possible to publish
> the break. (There are some restrictions: if you send the break to the
> same conference where the original paper appeared, within a reasonable
> time period after it appeared, most conferences will more or less feel
> an obligation to publish the break. But if you send it anywhere else,
> if the ideas found in the attack are not of independent interest, the
> break paper might get rejected with a note to send it to the original
> conference that was foolish enough to publish the broken scheme.)
>
> If you find a show-stopping problem in an important scheme, in some
> cases you may be able to publish that, especially if your analysis has
> substantial technical depth, your analysis techniques are of independent
> interest, or the scheme is of extraordinary importance.
For "ACLs don't", I am claiming qualification under the category:
"multiple show-stopping problems in a scheme of extraordinary
importance".
...
>> Once a mechanism
>> has been published, it is effectively beyond reproach.
>
> Well, I wouldn't go that far.
>
> Just because something is published in the literature doesn't mean
> it's right, let alone beyond reproach. Crappy schemes are published
> in the literature all the time -- and experienced researchers know it.
> So I'd expect that knowledgeable folks should know that just because a
> mechanism is published doesn't necessarily mean it's any good.
>
> Basically, conferences publish what researchers think is interesting.
> If you found a serious and subtle flaw in a very important and recent
> scheme, and the flaw has important implications for the field, folks
> are likely to think that's interesting and publishable.
How about serious errors in the security model underpinning most past
and recent work? No love there?
> But we could
> go pick through the literature of three decades ago and find dozens
> of examples of sloppy reasoning, stuff that in retrospect is wrong or
> poorly justified, and so on. That doesn't mean top conferences are
> going to publish corrections to some paper from three decades ago.
Lampson's "Protection" isn't just any paper though. It has pervasive
influence. The "ACLs don't" paper points out this continued influence
in papers published recently. The ACL model is the dominant access
control model in computer security. This is a far different case than
some problem with some random paper from three decades ago that no one
relies on anymore.
>> It certainly seems like this is the case with ACLs. For example, ACLs
>> arrived along with the claim that the access matrix was the "one true
>> model of access control", meaning ACLs and capabilities were
>> semantically equivalent.
>
> Does anyone really care about this claim any more?
That's not my main point. My main point is that the whole ACL model is
broken. People need to care about that. I'm only talking about the
equivalence claim to show just how poorly studied the ACL model is.
The fundamental theory underlying most of computer security has not
been subjected to adequate evaluation. Consequently, there are massive
holes in the foundation.
...
>> Now, I would have thought that in order to
>> make a claim that two algorithms are equivalent, you'd have to provide
>> some proof that their outputs are also always equivalent. No such
>> proof was ever attempted or demanded for the access matrix claim. As
>> I've shown in "ACLs don't", the outputs are not equivalent and so the
>> equivalence claim is ridiculous (AFAIK, no other paper has ever put
>> these two things together). And I really mean 'ridiculous'. If one of
>> the claims about a mechanism is so blatantly erroneous, and yet
>> survives for so long, it is a strong indication that the mechanism
>> itself, and its other claims, have never been subjected to serious
>> evaluation.
>
> I guess I don't buy this argument, in this strong form. Are you
> assuming that the average researcher who picks up a 30-year old paper
> will take for granted every claim made in that paper, unless there
> is some subsequent publication that convincingly disproves the claim?
> That's not how it works. Pick a random security paper from 30 years ago,
> and I suspect you'll find all sorts of bogus stuff. Nobody takes those
> papers as the word of god -- at least I hope they don't!
If they are still teaching the equivalence claim at Oxford today, I
take that as a strong indication that evaluation of the ACL model
hasn't progressed past even the superficial smell test.
Again, we're not talking about some random paper. We're talking about
the dominant security model in the field.
> I suspect the reason why many current systems are built using ACLs is
> not because of a failure to publish a disproof of the equivalence claim.
> I suspect that the reason why many new systems rolled out today use ACLs
> is inertia: systems builders are familiar with the ACLs approach and feel
> comfortable with it; legacy systems they need to integrate with use ACLs;
> and users have become accustomed to ACL systems. All of these factors
> make it difficult to swim against the stream.
A good reason to introduce some discomfort by pointing out that
reliance on the ACL model is a significant liability. Moreover, the
"ACLs don't" paper makes the case that you cannot possibly solve
multi-party access-control problems using only ACLs. You have to do
something else, or you are vulnerable. These system builders are being
sent on a fool's errand if all they have in their toolbox is an ACL
system.
> Change is hard. It can be frustrating.
That the research community would be a hindrance to change, rather
than a tool for change, is a significant disappointment. In this case,
the Oakland conference is a roadblock in trying to fix serious
problems, not an avenue for progress. Sigh.
--Tyler
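An added illustration (not from this thread or from the "ACLs don't" paper) of the non-equivalence Tyler refers to: the same multi-party request, a user asking a more privileged compile service to write an output file of the user's choosing, is checked once by an ACL reference monitor and once under a capability model. The compile service, the principals and the file paths are constructed for the example.

```python
"""
ACL model: the monitor asks "is the *acting* principal permitted on this
object?"  The deputy's authority is ambient, so whatever it is asked to
name, it names with its own rights.

Capability model: a request must carry an unforgeable reference that
already combines designation (which file) and authority (may write it).
"""
from dataclasses import dataclass

# Constructed scenario: the service runs as "compiler", writes the user's
# output file and appends to its own billing log.  "alice" may not touch
# the billing log.
ACL = {
    "/home/alice/out.o": {"alice", "compiler"},
    "/var/billing.log": {"compiler"},          # alice deliberately absent
}

def acl_write(principal: str, path: str) -> bool:
    """ACL check: rights are looked up by the acting principal only."""
    return principal in ACL.get(path, set())

def acl_compile(user: str, output_path: str) -> dict:
    """Deputy under ACLs: every write is checked against 'compiler',
    not against the user who chose the path."""
    return {
        "output_written": acl_write("compiler", output_path),
        "log_written": acl_write("compiler", "/var/billing.log"),
    }

@dataclass(frozen=True)
class WriteCap:
    path: str

# Each party holds only the references it was actually given.
CAPS = {
    "alice": {WriteCap("/home/alice/out.o")},
    "compiler": {WriteCap("/var/billing.log")},
}

def cap_compile(user: str, output: WriteCap) -> dict:
    """Deputy under capabilities: the output is written only through a
    capability the requesting user already holds; the log through the
    deputy's own capability.  The two authorities never mix."""
    return {
        "output_written": output in CAPS[user],
        "log_written": WriteCap("/var/billing.log") in CAPS["compiler"],
    }

def models_agree(user: str, requested_path: str) -> bool:
    """True when both models give the same answer for this request."""
    acl = acl_compile(user, requested_path)["output_written"]
    cap = cap_compile(user, WriteCap(requested_path))["output_written"]
    return acl == cap
```

For an ordinary request both models agree; when the user names the billing log as the output file, the ACL monitor approves the write (the deputy is on that ACL) while the capability model refuses it (alice holds no capability to the log), which is the difference in outputs the thread is arguing about.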