Abstract
Access control systems must be evaluated in part on how well they enable one to distribute the access rights needed for cooperation, while simultaneously limiting the propagation of rights which would create vulnerabilities. Analysis to date implicitly assumes access is controlled only by manipulating a system's protection state – the arrangement of the access graph. Because of the limitations of this analysis, capability systems have been "proven" unable to enforce some basic policies: revocation, confinement, and the *-properties (explained in the text).
In actual practice, programmers build access abstractions – programs that help control access, extending the kinds of access control that can be expressed. Working in Dennis and van Horn’s original capability model, we show how abstractions were used in actual capability systems to enforce the above policies. These simple, often tractable programs limited the rights of arbitrarily complex, untrusted programs. When analysis includes the possibility of access abstractions, as it must, the original capability model is shown to be stronger than is commonly supposed.
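One of the access abstractions the abstract refers to is a revocable forwarder (the "caretaker" pattern familiar from KeyKOS and E): a small program that holds a capability and relays invocations to it until its revoker is used. The following Python model is an added example, not code from the paper or from any of the systems it cites. It assumes the object-capability discipline that a capability is an unforgeable object reference and that the only thing one can do with it is invoke it; `InMemoryFile`, `make_revocable` and `delegation_demo` are names chosen here for illustration.

```python
"""Revocable forwarder ("caretaker") as an access abstraction.

Added illustration; not code from the paper or any system it discusses.
Assumes a capability is an unforgeable object reference whose only use is
invocation. Python only approximates that discipline (reflection such as
``__closure__`` can reach around it), so treat this as a model.
"""


class Revoked(Exception):
    """Raised when a forwarder is used after its revoker has been invoked."""


class InMemoryFile:
    """Constructed stand-in for a protected resource (the real target)."""

    def __init__(self, contents=""):
        self._contents = contents

    def read(self):
        return self._contents

    def append(self, text):
        self._contents += text
        return len(self._contents)


def make_revocable(target):
    """Return (forwarder, revoke).

    The forwarder keeps the only reference to ``target`` inside a closure, so
    whoever receives the forwarder can invoke the target's methods but cannot
    obtain the target itself. ``revoke()`` severs the link: every copy of the
    forwarder, however far it has been delegated, stops working at once.
    """
    cell = [target]  # single mutable cell shared by forwarder and revoker

    class Forwarder:
        __slots__ = ()  # no instance dict: nothing to inspect or overwrite

        def __getattr__(self, name):
            current = cell[0]
            if current is None:
                raise Revoked(name)
            if not callable(getattr(current, name)):
                raise AttributeError(name)  # forward invocations only, never raw state

            def forward(*args, **kwargs):
                live = cell[0]
                if live is None:
                    raise Revoked(name)  # re-check: revocation may land between lookup and call
                return getattr(live, name)(*args, **kwargs)

            return forward

    def revoke():
        cell[0] = None

    return Forwarder(), revoke


def delegation_demo():
    """Alice grants Bob revocable access; Bob passes it to Carol; Alice revokes."""
    alice_file = InMemoryFile("hello")
    bob_cap, alice_revokes = make_revocable(alice_file)
    carol_cap = bob_cap  # Bob delegates by copying the reference; Alice is not consulted

    before = (bob_cap.read(), carol_cap.append(" world"))
    alice_revokes()  # Alice never learned of Carol, yet Carol's access ends too
    after = []
    for cap in (bob_cap, carol_cap):
        try:
            cap.read()
            after.append("allowed")
        except Revoked:
            after.append("revoked")
    # Revocation only cuts the forwarder; Alice's own capability is unaffected.
    return before, tuple(after), alice_file.read()


if __name__ == "__main__":
    print(delegation_demo())
```

The point the model makes is the one the abstract states: revocation is not a primitive of the capability model, yet a few lines of trusted code restrict an arbitrarily complex, untrusted holder, and the restriction follows the forwarder through any further delegation. The caveat a practitioner should note is that the forwarder relays only invocations; a method that returned the target itself (or another object holding it) would hand the raw capability through, so a complete treatment wraps results and arguments as well (a membrane), which this example omits.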
References
Abelson, H., Sussman, G.: Structure and Interpretation of Computer Programs. MIT Press, Cambridge (1986)
Bell, D.E., LaPadula, L.: Secure Computer Systems. ESD-TR-83-278, Mitre Corporation, vI and II (November 1973), vIII (April 1974)
Bishop, M., Snyder, L.: The Transfer of Information and Authority in a Protection System. In: SOSP 1979, pp. 45–54 (1979)
Boebert, W.E.: On the Inability of an Unmodified Capability Machine to Enforce the *-Property. In: Proceedings of 7th DoD/NBS Computer Security Conference, September 1984, pp. 291–293 (1984), http://zesty.ca/capmyths/boebert.html
(Comments on [Miller03]) http://www.eros-os.org/pipermail/cap-talk/2003-March/001133.html
Cartwright, R., Fagan, M.: Soft Typing. In: Proceedings of the SIGPLAN 1991 Conference on Programming Language Design and Implementation (1991)
Chander, A., Dean, D., Mitchell, J.C.: A State-Transition Model of Trust Management and Access Control. In: Proceedings of the 14th Computer Security Foundations Workshop, June 2001, pp. 27–43 (2001)
Crockford, D.: Personal Communications (1997)
Dennis, J.B., Van Horn, E.C.: Programming Semantics for Multiprogrammed Computations. Communications of the ACM 9(3), 143–155 (1966)
Donnelley, J.E.: A Distributed Capability Computing System. In: Third International Conference on Computer Communication, Toronto, Canada (1976)
van Doorn, L., Abadi, M., Burrows, M., Wobber, E.P.: Secure Network Objects. In: Proceedings of the 1996 IEEE Symposium on Security and Privacy, pp. 211–221 (1996)
Fabry, R.S.: Capability-based addressing. Communications of the ACM 17(7), 403–412 (1974)
Goldberg, A., Kay, A.: Smalltalk-72 instruction manual. Technical Report SSL 76-6, Learning Research Group, Xerox Palo Alto Research Center (1976), http://www.spies.com/~aek/pdf/xerox/alto/Smalltalk72_Manual.pdf
Gong, L.: A Secure Identity-Based Capability System. In: Proceedings of the 1989 IEEE Symposium on Security and Privacy, pp. 56–65 (1989)
Hardy, N.: The KeyKOS Architecture. ACM Operating Systems Review, pp. 8–25 (September 1985), http://www.agorics.com/Library/KeyKos/architecture.html
Hardy, N.: U.S. Patent 4,584,639: Computer Security System
Harrison, M.A., Ruzzo, M.L., Ullman, J.D.: Protection in operating systems. Communications of the ACM 19(8), 461–471 (1976)
Hewitt, C., Bishop, P., Stieger, R.: A Universal Modular Actor Formalism for Artificial Intelligence. In: Proceedings of the 1973 International Joint Conference on Artificial Intelligence, pp. 235–246 (1973)
Jones, A.K., Lipton, R.J., Snyder, L.: A Linear Time Algorithm for Deciding Security. FOCS, 33–41 (1976)
Kahn, K., Miller, M.S.: Language Design and Open Systems. In: Huberman, B. (ed.) Ecology of Computation. Elsevier Science Publishers, North-Holland (1988)
Kain, R.Y., Landwehr, C.E.: On Access Checking in Capability-Based Systems. In: IEEE Symposium on Security and Privacy (1987)
Karger, P.A., Herbert, A.J.: An Augmented Capability Architecture to Support Lattice Security and Traceability of Access. In: Proc. of the 1984 IEEE Symposium on Security and Privacy, pp. 2–12 (1984)
Kelsey, R., Clinger, W., Rees, J. (eds.): Revised^5 Report on the Algorithmic Language Scheme. ACM Sigplan Notices (1998)
Lampson, B.W.: A Note on the Confinement Problem. CACM on Operating Systems 16(10) (October 1973)
Miller, M.S., Bobrow, D.G., Tribble, E.D., Levy, J.: Logical Secrets. In: Shapiro, E. (ed.) Concurrent Prolog: Collected Papers. MIT Press, Cambridge (1987)
Miller, M.S., Krieger, D., Hardy, N., Hibbert, C., Tribble, E.D.: An Automatic Auction in ATM Network Bandwidth. In: Clearwater, S.H. (ed.) Market-based Control, A Paradigm for Distributed Resource Allocation. World Scientific, Palo Alto (1996)
Miller, M.S., Morningstar, C., Frantz, B.: Capability-based Financial Instruments. In: Frankel, Y. (ed.) FC 2000. LNCS, vol. 1962, p. 349. Springer, Heidelberg (2001), http://www.erights.org/elib/capability/ode/index.html
Miller, M.S., Yee, K.-P., Shapiro, J.S.: Capability Myths Demolished, HP Labs Technical Report (in preparation), http://zesty.ca/capmyths/usenix.pdf
Morris, J.H.: Protection in Programming Languages. CACM 16(1), 15–21 (1973), http://www.erights.org/history/morris73.pdf
Motwani, R., Panigrahy, R., Saraswat, V., Venkatasubramanian, S.: On the Decidability of Accessibility Problems. AT&T Labs – Research, http://www.research.att.com/~suresh/Papers/java.pdf
Neumann, P.G., Boyer, R.S., Feiertag, R.J., Levitt, K.N., Robinson, L.: A Provably Secure Operating System: The System, Its Applications, and Proofs, CSL-116, Computer Science Laboratory, SRI International, Inc. (May 1980)
Parnas, D.: On the Criteria To Be Used in Decomposing Systems into Modules. CACM 15(12) (December 1972), http://www.acm.org/classics/may96/
Rajunas, S.A.: The KeyKOS/KeySAFE System Design. Key Logic, Inc., SEC009-01 (March 1989)
Redell, D.D.: Naming and Protection in Extendible Operating Systems. Project MAC TR-140, MIT (Ph. D. thesis.) (November 1974)
Rees, J.: A Security Kernel Based on the Lambda-Calculus. MIT AI Memo No. 1564. MIT, Cambridge (1996), http://mumble.net/jar/pubs/secureos/
Safra, M., Shapiro, E.Y.: Meta Interpreters for Real. In: Kugler, H.-J. (ed.) Information Processing 1986, pp. 271–278. North-Holland, Amsterdam (1986)
Saltzer, J.H., Schroeder, M.D.: The Protection of Information in Computer Systems. Proceedings of the IEEE 63(9), 1278–1308 (1975)
Sansom, R.D., Julian, D.P., Rashid, R.: Extending a Capability Based System Into a Network Environment. Research sponsored by DOD, pp. 265–274 (1986)
Saraswat, V., Jagadeesan, R.: Static support for capability-based programming in Java, http://www.cse.psu.edu/~araswat/neighborhood.pdf
Shapiro, J.S., Smith, J.M., Farber, D.J.: EROS: A Fast Capability System. In: Proceedings of the 17th ACM Symposium on Operating Systems Principles, December 1999, pp. 170–185 (1999)
Shapiro, J.S., Weber, S.: Verifying the EROS Confinement Mechanism. In: Proceedings of the 2000 IEEE Symposium on Security and Privacy, pp. 166–176 (2000)
Sitaker, K.: Thoughts on Capability Security on the Web, http://lists.canonical.org/pipermail/kragen-tol/2000-August/000619.html
Stiegler, M., Miller, M.: A Capability Based Client: The DarpaBrowser, http://www.combex.com/papers/darpa-report/index.html
Tanenbaum, A.S., Mullender, S.J., van Renesse, R.: Using Sparse Capabilities in a Distributed Operating System. In: Proceedings of 6th International Conference on Distributed Computing Systems, pp. 558–563 (1986)
Tribble, E.D., Miller, M.S., Hardy, N., Krieger, D.: Joule: Distributed Application Foundations (1995), http://www.agorics.com/joule.html
Van Roy, P., Haridi, S.: Concepts, Techniques, and Models of Computer Programming. MIT Press, Cambridge (in preparation), http://www.info.ucl.ac.be/people/PVR/book.html
Wagner, D., Tribble, D.: A Security Analysis of the Combex DarpaBrowser Architecture, http://www.combex.com/papers/darpa-review/index.html
Wallach, D.S., Balfanz, D., Dean, D., Felten, E.W.: Extensible Security Architectures for Java. In: Proceedings of the 16th Symposium on Operating Systems Principles, pp. 116–128 (1997), http://www.cs.princeton.edu/sip/pub/sosp97.html
Wilkes, M.V., Needham, R.M.: The Cambridge CAP Computer and its Operating System. Elsevier North Holland, Amsterdam (1979)
Wulf, W.A., Cohen, E.S., Corwin, W.M., Jones, A.K., Levin, R., Pierson, C., Pollack, F.J.: HYDRA: The Kernel of a Multiprocessor Operating System. Communications of the ACM 17(6), 337–345 (1974)
Wulf, W.A., Levin, R., Harbison, S.P.: HYDRA/C.mmp: An Experimental Computer System. McGraw Hill, New York (1981)
Yee, K.-P., Miller, M.S.: Auditors: An Extensible, Dynamic Code Verification Mechanism, http://www.erights.org/elang/kernel/auditors/index.html
© 2003 Springer-Verlag Berlin Heidelberg
Cite this paper
Miller, M.S., Shapiro, J.S. (2003). Paradigm Regained: Abstraction Mechanisms for Access Control. In: Saraswat, V.A. (ed.) Advances in Computing Science – ASIAN 2003. Programming Languages and Distributed Computation. ASIAN 2003. Lecture Notes in Computer Science, vol 2896. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-40965-6_15
DOI: https://doi.org/10.1007/978-3-540-40965-6_15
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-20632-3
Online ISBN: 978-3-540-40965-6
eBook Packages: Springer Book Archive