[E-Lang] Merits of ACLs

Karp, Alan alan_karp@hp.com
Thu, 1 Feb 2001 12:25:25 -0800


In my reading of the early literature on capability systems, e.g., Dennis
and van Horn, I understood that performance was the primary reason that ACLs
won out.  I also believe that some of the early hardware implementations
described in Levy's book were poor in either performance or scalability.

_________________________
Alan Karp
Principal Scientist
Decision Technology Department
Hewlett-Packard Laboratories MS 1U-2
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-6278
https://ecardfile.com/id/Alan_Karp
http://www.hpl.hp.com/personal/Alan_Karp/

> -----Original Message-----
> From: daw@mozart.cs.berkeley.edu [mailto:daw@mozart.cs.berkeley.edu]
> Sent: Wednesday, January 31, 2001 10:48 PM
> To: e-lang@eros-os.org
> Subject: Re: [E-Lang] Merits of ACLs
> 
> 
> Thank you very much for your careful explanation!  Your
> note forms one of the most cogent analyses of the issues
> with ACL systems that I've ever had the pleasure to read.
> 
> I agree that choosing to group processes by "users" seems to
> be both extremely widespread in existing implementations as well
> as very problematic for delegation.  It is this choice of an
> equivalence class that causes many of the problems in typical
> implementations of ACL systems.
> 
> If I understand correctly, the introduction of the equivalence
> class on subjects seems to have been motivated by performance:
> it is probably unrealistic to try to store the entire access
> control matrix without compression, because it would become too
> large.  The problem is that the equivalence relation chosen was
> too coarse.
> 
> In this context, I find the work on `domain and type enforcement'
> (DTE) of interest.  Roughly speaking, `domains' are an equivalence
> class on subjects (processes), and `types' are an equivalence class
> on objects; then, rather than storing the whole access control
> matrix, one simply stores access rights for each (domain,type) pair.
> (There is also extra stuff tacked on that I haven't described.)
> Note that DTE implementations do seem to avoid some of the problems
> associated with grouping processes by "users".
> 
> Also, now that I've read your analysis, I am led to wonder whether
> the design decisions in Unix-like operating systems may not have
> been made based on performance more than security.  Consider:
> if subjects (processes) come and go rapidly, you want to store
> access rights with the subjects, so that when subjects are destroyed
> it is easy to deallocate the corresponding access rights.  In contrast,
> if objects come and go whereas subjects are fairly stable, you want
> to store access rights with objects (again, purely on performance
> grounds).  I find it interesting that, in a Unix-like formulation,
> it is indeed objects ("files") that appear and disappear on much
> shorter time-scales than the subjects (accounts in /etc/passwd).
> One might speculate that these performance considerations were the
> real reason Unix's ACL-based protection model looks the way it does.
> Could it be?
> 
> Thank you again for taking the time to share your insights.
> I found them truly educational and eye-opening.
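The domain and type enforcement (DTE) scheme sketched in the quoted message, as a toy model added here for illustration (it is not code from the thread or from any DTE implementation): processes are mapped to domains, files to types, and rights are stored once per (domain, type) pair rather than once per cell of the full access control matrix. The domain and type names, processes and files are constructed; `same_row` shows the coarseness point from the message, namely that two subjects placed in one equivalence class can never be given different rights.

```python
from itertools import product

# Constructed equivalence classes: subject (process) -> domain,
# object (file) -> type.  Names are illustrative, not from any real policy.
SUBJECT_DOMAIN = {
    "init": "system_d", "sshd": "system_d",
    "httpd": "daemon_d", "smtpd": "daemon_d",
    "alice_shell": "user_d", "alice_editor": "user_d", "bob_shell": "user_d",
}
OBJECT_TYPE = {
    "/etc/passwd": "sysconf_t", "/etc/shadow": "sysconf_t",
    "/var/www/index.html": "webcontent_t", "/var/www/app.cgi": "webcontent_t",
    "/home/alice/notes": "userdata_t", "/home/bob/todo": "userdata_t",
    "/var/log/httpd": "log_t",
}
RIGHTS = ("read", "write")

# The DTE table: rights stored once per (domain, type) pair.  A missing
# pair means no rights, so the table is sparse as well as compressed.
DTE_TABLE = {
    ("system_d", "sysconf_t"): {"read", "write"},
    ("system_d", "log_t"): {"read", "write"},
    ("daemon_d", "sysconf_t"): {"read"},
    ("daemon_d", "webcontent_t"): {"read"},
    ("daemon_d", "log_t"): {"write"},
    ("user_d", "sysconf_t"): {"read"},
    ("user_d", "webcontent_t"): {"read"},
    ("user_d", "userdata_t"): {"read", "write"},
}

def allowed(subject: str, obj: str, right: str) -> bool:
    """DTE decision: map both ends to their classes, then look up the pair."""
    pair = (SUBJECT_DOMAIN[subject], OBJECT_TYPE[obj])
    return right in DTE_TABLE.get(pair, set())

def expand_matrix() -> dict:
    """The full subject x object access matrix that the DTE table encodes."""
    return {(s, o): {r for r in RIGHTS if allowed(s, o, r)}
            for s, o in product(SUBJECT_DOMAIN, OBJECT_TYPE)}

def compression_ratio() -> float:
    """Matrix cells represented per stored (domain, type) entry."""
    return len(SUBJECT_DOMAIN) * len(OBJECT_TYPE) / len(DTE_TABLE)

def same_row(s1: str, s2: str) -> bool:
    """True when no policy in this table can tell s1 and s2 apart: subjects
    in one domain always share a row of the matrix (the coarseness problem)."""
    m = expand_matrix()
    return all(m[(s1, o)] == m[(s2, o)] for o in OBJECT_TYPE)
```

With these constructed classes the 49-cell matrix collapses to 8 stored entries, and alice_shell and bob_shell are indistinguishable to the policy because both sit in user_d.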