Why Capabilities and Persistence are Essential

hal@finney.org hal@finney.org
Thu, 11 Nov 1999 23:52:05 -0800

I see the distinction between mandatory and discretionary policies as
having both a social and a technical component.

Socially, mandatory policies are those applied by the system designers,
owners, and managers, on the ordinary users of the system.  Discretionary
policies are then ones which the users can apply against the programs
they invoke.

It is common in human society to have a two-tiered organizational
structure.  We have management vs labor, employer vs employees, owner
vs users, officers vs enlisted men.  The mandatory policies reflect this
structure by allowing the rule makers to enforce what the rule followers
can do.

Of course there are usually more than two tiers in human society, but
I think in the security case it turns out that two are usually enough,
and adding more will complicate the analysis.  At PGP we recently went
through a FIPS-140 certification of our crypto SDK, and we had to try to
shoehorn our library into a certification framework based on this kind
of two-role access to the crypto module.  (It wasn't a very good fit.)

In the technical sense, mandatory policies are applied system-wide and
are relatively static.  Discretionary policies are available to users
and must be able to be applied flexibly and on an as-needed basis.

>From the point of view of a program or process, it doesn't really care
what the structure is of the limitations imposed on it from the outside.
It may limited by system-wide mandatory policies, or by user-imposed
discretionary policies.  It doesn't matter.

What does matter is that systems which lack the ability to provide either
of mandatory or discretionary policies will be limited in the security
they can provide.

A system with discretionary policies is one in which privilege may
be reduced when it is delegated.  This might apply not only to users,
who can invoke programs with less than their full privileges, but also
to programs as well, when they invoke other programs.  I think this
limitation of power is the essence of discretionary security policy.
Without this kind of discretion, every program runs with the full
authority of its invoker, inviting abuse.

In the other direction, a system with only discretionary limitations
but no mandatory ones would be one in which all users had access to
the full power of the machine, and only limited themselves voluntarily.
This is more a social problem than a technical one, but it is important
nevertheless for users to have the ability to protect themselves and
their work from access by others who may be sharing resources.

Capability systems, from what I understand, would be very flexible in
discretionary limitation of delegated authority.  This is pretty hard
to do on Unix systems, but presumably there are other systems which are
designed to facilitate this kind of limitation.