[cap-talk] Myth about the expressiveness of Lampson's access matrix (was: "Ambient capability")
David-Sarah Hopwood
david-sarah at jacaranda.org
Sat Jul 11 01:30:58 EDT 2009
Rob Meijer wrote:
[...]
> AppArmor might be the real example, being a system that is documented by
> its creators to be an ambient capability system:
>
> [quote]
> Consider Lampson's classic access control matrix, where you have all
> your subjects (processes doing the operations) across one edge, and all
> your objects (files and processes being operated on) along the other
> edge, and the matrix cells contain permitted operations. Lampson's
> matrix is the maximally expressive form of access control, [...]

This myth is not true, and needs to be actively combatted. Any statement
that the access matrix model is "maximally expressive" is simply fuzzy
thinking, since the model does not consider aspects of a protection system
that are critical to its expressiveness. As I said when removing a similar
statement from Wikipedia's 'Access Control Matrix' article:
<http://en.wikipedia.org/wiki/Talk:Access_Control_Matrix>

Removed:
"It is the most general description of operating system protection mechanism
[reference to Landwehr 1981]"

The access matrix model is not the most general possible description of a
system's protection state, and doesn't try to be a description of any
protection *mechanisms* at all.

Presumably the reference is to this sentence from Landwehr's paper:
"The access matrix model, described in detail below, was developed in the
early 1970s as a generalized description of operating system protection
mechanisms."

First, "generalized" is certainly not the same thing as "most general"
[or "maximally expressive"].

Second, Landwehr's statement is wrong, or at least misleading. The access
matrix is an abstraction of the instantaneous direct permissions that
subjects have to objects. This does not capture all of the protection state;
for instance, in a capability system, the access matrix shows whether each
subject holds a capability to each object, but not which variable(s) those
capabilities are held in. Therefore, two system states can have exactly the
same access matrix, but one of those states can be secure while the other is
insecure (according to some criteria). Critically, the access matrix also
does not capture how permissions can change.

--
David-Sarah Hopwood ⚥ http://davidsarah.livejournal.com
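An added example, not part of the post above or of any real capability system: a small Python model of the argument that two states can share one Lampson access matrix yet differ in security. The subject names, variable names, objects and the "must never hold" criterion are all constructed for the illustration. Each subject holds capabilities in named variables and runs a fixed program that forwards the contents of one variable to whichever subject another variable designates; the matrix records only who holds what, so the two starting states are indistinguishable to it, and only stepping the programs reveals which one leaks.

```python
# Added example (constructed; not code from the cap-talk post or any real system).
# Models a tiny object-capability system: subjects hold capabilities in named
# variables and run programs that pass capabilities to subjects they can name.
from copy import deepcopy


def make_state(vars_by_subject, programs):
    """vars_by_subject: subject -> {variable name -> designated object/subject}.
    programs: subject -> list of (var_to_send, var_naming_recipient) actions."""
    return {"vars": deepcopy(vars_by_subject), "programs": deepcopy(programs)}


def access_matrix(state):
    """Lampson's matrix: rows are subjects, columns are objects, cells are rights.
    Holding a capability in *any* variable yields the single right 'use'; which
    variable holds it, and what the program will do with it, is not recorded."""
    subjects = sorted(state["vars"])
    objects = sorted(
        {o for held in state["vars"].values() for o in held.values()} | set(subjects)
    )
    return {
        s: {
            o: frozenset({"use"}) if o in state["vars"][s].values() else frozenset()
            for o in objects
        }
        for s in subjects
    }


def step(state):
    """Run every subject's program once. A transfer succeeds only when the
    sender actually holds a capability to the recipient (no ambient authority);
    the recipient stores what it received under a fresh variable name."""
    new = deepcopy(state)
    for subj, program in state["programs"].items():
        sender_vars = state["vars"][subj]
        for var_to_send, recipient_var in program:
            if var_to_send not in sender_vars or recipient_var not in sender_vars:
                continue
            recipient = sender_vars[recipient_var]
            if recipient not in new["vars"]:
                continue  # designates a plain object, not a subject that can receive
            new["vars"][recipient]["received_" + var_to_send] = sender_vars[var_to_send]
    return new


def violates(state, subject, forbidden_object):
    """Security criterion (constructed): `subject` must never hold `forbidden_object`."""
    return forbidden_object in state["vars"][subject].values()


# Constructed sample states. Alice holds the same three capabilities in both,
# so the access matrices agree; only the variable assignment differs.
PROGRAMS = {"alice": [("log_target", "peer")], "bob": []}
STATE_A = make_state(
    {"alice": {"peer": "bob", "log_target": "secret_file", "private": "public_log"}, "bob": {}},
    PROGRAMS,
)
STATE_B = make_state(
    {"alice": {"peer": "bob", "log_target": "public_log", "private": "secret_file"}, "bob": {}},
    PROGRAMS,
)


def compare():
    """Return what the matrix sees before and what actually happens after one step."""
    a_after, b_after = step(STATE_A), step(STATE_B)
    return {
        "same_matrix_before": access_matrix(STATE_A) == access_matrix(STATE_B),
        "a_leaks": violates(a_after, "bob", "secret_file"),
        "b_leaks": violates(b_after, "bob", "secret_file"),
        "same_matrix_after": access_matrix(a_after) == access_matrix(b_after),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

Both starting states satisfy the criterion and produce the same matrix, yet after one step bob holds `secret_file` in state A and not in state B. A model of the protection state that is meant to decide whether a leak is possible therefore has to include where capabilities sit and how the programs move them, which is exactly what the matrix abstracts away.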