Re: feasibility of principal-based access control shapj@us.ibm.com
Tue, 6 Jul 1999 08:52:10 -0400

The answer is: you cannot, with or without confinement. First, just to get the terms straight, I assume that what you meant was:

>Without confinement,
>how is the statement that "A wrote **X**" supposed to be recorded in the
>case of colluding A and B?

That is, "A" and "B" are principals, and "X" is an object. Assume, for the sake of discussion, that you could hand to A a unique capability stamped "a" (i.e. stamped with something recognizable as a principal id). You can now design your system in one of two ways:

  1. Anyone can use a capability, regardless of stamp.
  2. To use a capability, it must have your stamp. Let us assume for a moment that we can successfully stamp processes with user identities. I'm not sure we can, but let's take it as a working assumption to see if stamping the capabilities will help.

Since "A" can always construct a proxy object for X, and hand B a capability to the proxy object, the second case is in practice no different from the first. [This is the fundamental argument *against* a "do not copy" bit in the capability representation.]

Therein lies the rub. You can record anything you want in the audit trail, but given a record in the audit trail of the form "A wrote X", you don't really know that it is true. The best you can know is that "X was written using a capability stamped 'a'". What this tells you is that either:

  1. A built a proxy for B.
  2. A gave the capability to B (intentionally).
  3. A was tricked or enticed or otherwise *mistakenly* gave the capability to B.
  4. A was tricked or enticed or otherwise induced to *use* the capability on behalf of B.
  5. A really used the capability on their own behalf.

So basically, there is no way to know what the administrator would like to know.

Confinement doesn't really help. Confinement allows one user's agent (i.e. some program that is a client of the confinement box) to control where the information within the confinement box goes, but it does not prevent *that user* from disclosing things or inserting into the confinement box capabilities by which the confinement box can disclose things directly; the confinement contract is an *initial* contract; its continuance depends on the actions of the client.

Jonathan S. Shapiro, Ph. D.
IBM T.J. Watson Research Center
Email: shapj@us.ibm.com
Phone: +1 914 784 7085 (Tieline: 863)
Fax: +1 914 784 7595
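A toy model of the stamped-capability argument in the message above, added here as an illustration and not part of the thread: the `Store`, `Capability` and `Proxy` names, the stamp check and the audit-record format are my own assumptions. It shows that even when the store enforces case 2 (only the process bearing the stamp may use the capability), a proxy built by A lets B write X while the trail still reads "a wrote X".

```python
"""Constructed model: a store that enforces capability stamps and keeps an
audit trail, plus the proxy object that defeats the stamp as evidence."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Capability:
    target: str   # object id, e.g. "X"
    stamp: str    # principal id the capability was issued to, e.g. "a"


@dataclass
class Store:
    objects: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def write(self, cap: Capability, caller: str, data: str) -> None:
        # Case 2 from the message: the stamp must match the calling process.
        if cap.stamp != caller:
            raise PermissionError(f"{caller!r} may not use a capability stamped {cap.stamp!r}")
        self.objects[cap.target] = data
        # The trail can only record the stamp, not who really initiated the write.
        self.audit.append(f"{cap.stamp} wrote {cap.target}")


class Proxy:
    """Object A constructs and hands to B. Its write() runs in A's process
    (modelled by the fixed 'owner'), so the stamp check always passes."""

    def __init__(self, store: Store, cap: Capability, owner: str):
        self._store, self._cap, self._owner = store, cap, owner

    def write(self, data: str) -> None:
        self._store.write(self._cap, self._owner, data)


def run_scenario() -> tuple[bool, list]:
    """Returns (B's direct use was refused, resulting audit trail)."""
    store = Store()
    cap_a = Capability(target="X", stamp="a")
    direct_refused = False
    try:
        store.write(cap_a, "b", "written by b directly")   # refused under case 2
    except PermissionError:
        direct_refused = True
    proxy = Proxy(store, cap_a, owner="a")                 # A builds a proxy for B
    proxy.write("written by b via proxy")                   # B writes X anyway
    return direct_refused, store.audit
```

The returned audit trail contains only "a wrote X", which is exactly the record the administrator cannot distinguish from cases 1 through 5 above.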

Dave Long <dl@silcom.com> on 07/06/99 02:10:16 AM

To: Jonathan S Shapiro/Watson/IBM@IBMUS cc:
Subject: Re: feasibility of principal-based access control

I'm not sure I understand your question.

In a system with confinement, I can see how one could capture an audit trail of all communication between domains, and postprocess the audit to determine if policies were met. Without confinement, how is the statement that "A wrote B" supposed to be recorded in the case of colluding A and B?

-Dave