Paradigm Regained Abstraction Mechanisms for Access Control - PowerPoint PPT Presentation

1
Paradigm Regained: Abstraction Mechanisms for Access Control
Mark S. Miller, Virus-Safe Computing Initiative, Hewlett-Packard Labs
2
Paradigm Lost: Influential impossibilities, ignored existence proofs
  • 1965 Dennis & Van Horn's Supervisor
    • Modularity, abstraction, security addressed as one fabric
  • 1974 Redell's revocable delegation pattern
    • Still impossible in 2003
  • 197x Lampson's Cal-TSS, Protection, Confinement
    • Formal model of access control widely misunderstood
  • 198x KeyKOS does Confinement, *-property
    • Patterns built only on elements available in DVH
  • 1984 Boebert's "Inability" *-property
    • Award-winning "fixes" '86, '89, '97; wide influence
  • What's going on?
    • Permissions vs. authority, fantasies of central control

3
Paradigm Lost: Unchallenged Myths
  • "On the Inability of an Unmodified Capability Machine to
    Enforce the *-Property" (1984)
  • "... an unmodified or classic capability system cannot ...
    solve the confinement problem" (1986)
  • "Since a capability is just a bit string, it can propagate
    in many ways without the detection of the kernel or the
    server..." (1989)
  • "Capability systems modeled as unforgeable references
    present the other extreme, where delegation is trivial,
    and revocation is infeasible" (2003)
  • Capabilities vs. ACLs: rows vs. columns
  • Capabilities are "tickets" or "keys"
  • Capabilities are discretionary

4
The Sad Result
5
Functionality vs. Security?
[Chart plotting functionality against security. Labels: Applications (Users' Authority, Integratable, Dangerous); Applets (No Authority, Isolated, Safe); also marked: Firewalls, static sandboxing, and Usable POLA / Dynamic Least Authority.]
6
CapDesk/Polaris: Usable POLA
  • Double click launch
  • File Explorer
  • Open dialog
  • Drag/Drop
  • Etc...

Moral: Bundle permission with designation
7
A Tale of Two Copies
  • cp foo.txt bar.txt
  • vs.
  • cat < foo.txt > bar.txt
  • Bundle permission with designation
  • Let knowledge of shape access to
  • Remove ambient authority

8
Object-Capabilities
Alice says bob.foo(carol)
  • Inter-object causality only by sending messages
    on references
  • Reference graph ≡ Access graph
  • Only connectivity begets connectivity.

9
Object-Capability Languages
  • Gedanken (1970), Actors (1973),
  • Eden (1985), Vulcan (1986),
  • Emerald (1987), Trusty Scheme (1992),
  • W7 (1995), Joule (1996),
  • Original-E (1997), E (1998),
  • J-Kernel (1999), Oz-E (2005),
  • Joe-E (2005), CaPerl (2006),
  • Emily (2006)

10
Objects as Closures
  def makePoint {
      to run(x :int, y :int) {
          def point {
              to getX() { return x }
              to getY() { return y }
              to add(otherPt) {
                  return makePoint.run(x.add(otherPt.getX()),
                                       y.add(otherPt.getY()))
              }
          }
          return point
      }
  }
  or, with a bit of sugar:
  def makePoint(x :int, y :int) {
      def point {
          to getX() { return x }
          to getY() { return y }
          to add(otherPt) {
              return makePoint(x + otherPt.getX(),
                               y + otherPt.getY())
          }
      }
      return point
  }

11
Unattenuated Delegation
Alice says bob.foo(carol)
12
Redell's 1974 Caretaker Pattern
Alice says: def [carol2, carol2revoker] := makeCaretaker(carol)
            bob.foo(carol2)
  def makeCaretaker(var target) {
      def caretaker {
          match [verb, args] { E.call(target, verb, args) }
      }
      def revoker {
          to revoke() { target := null }
      }
      return [caretaker, revoker]
  }

13
Can't Revoke Permissions, but...
Bob says carol2.doThis(...)
Alice says carol2revoker.revoke()
Bob says carol2.doThat(...)
14
... Can Revoke Authority
Bob says carol2.doThis(...)
Alice says carol2revoker.revoke()
Bob says carol2.doThat(...)
15
No Permissions Were Revoked
Bob says carol2.doThis(...)
Alice says carol2revoker.revoke()
Bob says carol2.doThat(...)
16
Paradigm Regained: Access Abstractions
Bob says carol2.doThis(...)
Alice says carol2revoker.revoke()
Bob says carol2.doThat(...)
  • Caretaker is a smart reference
  • Alice uses behaviour to express policy
  • Further limits Bob's authority
  • Tighter POLA

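Redell's caretaker from slide 12, run through the doThis / revoke / doThat sequence of slides 13-16, as an added Python example (not code from the slides). Carol with do_this/do_that, the Revoked exception, and the argument values are assumptions; the point shown is that Bob keeps his reference (permission) while his authority to reach Carol is gone.

```python
class Revoked(Exception):
    """Raised when a call goes through a caretaker Alice has revoked."""


class Carol:
    """The object Alice lends to Bob for a while; records what it was asked."""
    def __init__(self):
        self.log = []

    def do_this(self, arg):
        self.log.append(("doThis", arg))
        return "did this"

    def do_that(self, arg):
        self.log.append(("doThat", arg))
        return "did that"


def make_caretaker(target):
    """Return (caretaker, revoke): E's 'match [verb, args]' becomes
    __getattr__ forwarding, and revoke() nulls the shared 'var target'."""
    cell = [target]                      # mutable cell shared by both closures

    class Caretaker:
        def __getattr__(self, verb):
            def forward(*args, **kwargs):
                if cell[0] is None:
                    raise Revoked(f"{verb}: authority revoked")
                return getattr(cell[0], verb)(*args, **kwargs)
            return forward

    def revoke():
        cell[0] = None                   # target := null

    return Caretaker(), revoke


def scenario():
    """Slides 13-16: Bob says doThis, Alice revokes, Bob says doThat."""
    carol = Carol()
    carol2, carol2_revoker = make_caretaker(carol)   # Alice
    first = carol2.do_this("x")                       # Bob, before revocation
    carol2_revoker()                                  # Alice revokes
    try:
        carol2.do_that("y")                           # Bob still holds carol2 ...
        second = "unexpectedly succeeded"
    except Revoked:
        second = "revoked"                            # ... but it no longer reaches carol
    return first, second, carol.log
```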
17
Controlling Delegation
18
Perimeter Security
19
Confinement
20
Confused Deputy
21
Communicating Conspirators
22
The 4 Delegation Problems
Bob on Alice's Side Bob on Mallet's Side
Bob Mallet may not speak Perimeter Security Confinement
Bob Mallet may speak Confused Deputy Communicating Conspirators
23
Overt Confinement
  def [Factory, makeFactory] := {
      interface Factory guards FactoryStamp {}
      def makeFactory(code :String) :Factory {
          def factory implements FactoryStamp {
              to new(state) { return eval(code, state) }
          }
          return factory
      }
      [Factory, makeFactory]
  }

24
The Impossible *-Properties
  to acceptProduct(calcFactory :Factory) {
      var diode :int := 0
      def writeDiode(val :int) { diode := val }
      def readDiode() { return diode }
      def q := calcFactory.new(["writeUp" => writeDiode, ...])
      def bond := calcFactory.new(["readDown" => readDiode, ...])
  }

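The factory of slide 23 and the diode of slide 24 as an added Python example (not code from the slides). Python does not enforce confinement, so calc_code is a hand-written function that uses only the state it is handed, standing in for the code string that E's eval would confine; make_factory, calc_code, accept_product and the value 42 are assumptions.

```python
def make_factory(code):
    """Slide 23's makeFactory. 'code' stands in for the String that E would
    eval: a Python function of one argument, the state map it may use."""
    class Factory:
        def new(self, state):
            return code(dict(state))        # the product gets this state and nothing else
    return Factory()


def calc_code(state):
    """The confined product: a function that can only talk through the
    names in 'state'. Written (by hand, not enforced) to use no ambient authority."""
    def exchange(value=None):
        if value is not None and "writeUp" in state:
            state["writeUp"](value)         # push a value up, if allowed
        return state["readDown"]() if "readDown" in state else None
    return exchange


def accept_product(calc_factory):
    """Slide 24: two instances of the same code get different ends of a diode,
    so data flows from q to bond and never back."""
    diode = [0]                             # var diode :int := 0
    def write_diode(val): diode[0] = val    # def writeDiode(val :int) { diode := val }
    def read_diode(): return diode[0]       # def readDiode() { return diode }

    q = calc_factory.new({"writeUp": write_diode})       # write-only end
    bond = calc_factory.new({"readDown": read_diode})    # read-only end

    q(42)                       # q writes 42 up the diode
    q_can_read = q()            # None: q holds no readDown
    bond_sees = bond(99)        # 42: bond reads; its 99 goes nowhere (no writeUp)
    return q_can_read, bond_sees, read_diode()


def run():
    return accept_product(make_factory(calc_code))
```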
25
Communicating Conspirators
26
What Permissions Were Granted?
What if Alice couldn't permit Bob to access Carol?
  • By practicing POLA, as she should, Alice
    inadvertently thwarts the prohibition's intent.
  • Policy ignores Alice's possible behaviour
  • She's only authorizing Bob.
  • Limiting permissions alone is mostly pointless

27
Alice pays Bob
  def payment := myPurse <- makePurse()
  payment <- deposit(10, myPurse)
  bob <- buy(..., payment)
  when (payment) -> {
      when (myPurse <- deposit(10, payment)) -> {
          ... dispense ...
      }
  }
[Diagram of the purses and mint. Labels: value, buy, makePurse, mint (name, sealer, unsealer), 10; balances 100 and 200 before the payment, 90 and 210 after.]
28
Distributed Secure Money in E
  def makeMint(name :String) {
      def [sealer, unsealer] := makeBrandPair(name)
      def mint {
          to makePurse(var balance :(int >= 0)) {
              def decr(amount :(0..balance)) {
                  balance -= amount
              }
              def purse {
                  to getBalance() { return balance }
                  to makePurse() { return mint.makePurse(0) }
                  to getDecr() { return sealer.seal(decr) }
                  to deposit(amount :int, src) {
                      unsealer.unseal(src.getDecr())(amount)
                      balance += amount
                  }
              }
              return purse
          }
      }
      return mint
  }
No explicit crypto
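The mint of slide 28 driving slide 27's payment, as an added Python example (not code from the slides). Python has no sealer/unsealer primitive, so make_brand_pair substitutes a per-pair Box class plus a type check for E's makeBrandPair (any Python code can still reach the attribute; the brand check is the pattern, not real encapsulation); the mint names, balances 100 and 200 from the diagram, and the second mint in counterfeit_rejected are assumptions.

```python
def make_brand_pair(name):
    # E's makeBrandPair as closures: Box exists only inside this pair, so only
    # this unseal() accepts what this pair sealed. Box itself is the sealer.
    class Box:
        def __init__(self, contents):
            self._contents = contents
    def unseal(box):
        if type(box) is not Box:
            raise TypeError(f"not sealed by the {name!r} brand")
        return box._contents
    return Box, unseal


def make_mint(name):
    seal, unseal = make_brand_pair(name)

    class Purse:
        def __init__(self, balance):
            if balance < 0:                     # var balance :(int >= 0)
                raise ValueError("balance must be >= 0")
            self._balance = balance
        def get_balance(self): return self._balance
        def make_purse(self): return Purse(0)   # empty purse of the same mint
        def get_decr(self):
            def decr(amount):                   # def decr(amount :(0..balance))
                if not 0 <= amount <= self._balance:
                    raise ValueError("amount out of range")
                self._balance -= amount
            return seal(decr)                   # sealer.seal(decr)
        def deposit(self, amount, src):
            unseal(src.get_decr())(amount)      # raises unless src is from this mint
            self._balance += amount

    class Mint:
        def make_purse(self, balance): return Purse(balance)
    return Mint()


def alice_pays_bob():
    """Slide 27 with the diagram's numbers: Alice (100) pays 10 to Bob (200)."""
    mint = make_mint("carol")
    alice, bob = mint.make_purse(100), mint.make_purse(200)
    payment = alice.make_purse()            # def payment := myPurse <- makePurse()
    payment.deposit(10, alice)              # payment <- deposit(10, myPurse)
    bob.deposit(10, payment)                # Bob: myPurse <- deposit(10, payment)
    return alice.get_balance(), bob.get_balance(), payment.get_balance()


def counterfeit_rejected():
    # A purse minted elsewhere cannot deposit: its decr is sealed by another brand.
    real, fake = make_mint("carol").make_purse(50), make_mint("mallet").make_purse(10**6)
    try:
        real.deposit(10**6, fake)
        return False
    except TypeError:
        return real.get_balance() == 50
```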
29
Roadmap, in Hindsight
[Diagram: the Scheme / W7 / E path, labelled Objects; Lexical Nesting; Message Passing, Encapsulation; Object-Capabilities; Safe Reflection; Safe Loading; Memory Safety, GC, Eval / Loading; POLA; Virus-Safe Computing. A branch labelled "What about Security?" runs through Oak, pre-.NET ("No problemo"): Mutable Static State; Static Native Devices; Unprincipled Libraries; and on to Java, .NET: ClassLoaders as Principals; Stack Introspection; Security Managers; Signed Applets.]
30
Detour is Non-Object Causality
[The same roadmap diagram as slide 29, with the Oak / Java / .NET branch (Mutable Static State, Static Native Devices, Unprincipled Libraries, ClassLoaders as Principals, Stack Introspection, Security Managers, Signed Applets) marked as the detour.]