There's an important difference that gives capabilities a very fine granularity that we don't have with ACLs (Access Control Lists).
The idea is to remove the ambiguity inherent in the ACL security model, which is the Whac-a-Mole source of the security issues known as the Confused Deputy Attack.
"When checking out at a grocery store, the cashier will scan the barcode of each item to determine the total cost. A thief could replace barcodes on his items with those of cheaper items. In this attack the cashier is a confused deputy that is using seemingly valid barcodes to determine the total cost."
To fix this, you would want to bundle together the designation of an object (barcode with groceries) and the permission to access that object (ability to scan it at the cash register). One way to achieve this could be to hash the grocery-store item definition and the ability to scan it (i.e. two function definitions) with a secret number. This makes the barcode unforgeable, because it will only work if the barcode/hash provided with your groceries matches the barcode/hash computed by hashing the groceries' definition with a secret number held by the cashier.
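The barcode scheme described above, sketched as an added example that is not part of the original text. It assumes HMAC-SHA256 as the "hash with a secret number"; the `Item` and `Register` names, SKUs and prices are constructed for illustration.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import asdict, dataclass

@dataclass(frozen=True)
class Item:  # constructed item definition
    sku: str
    name: str
    price_cents: int

class Register:
    """Cashier side: holds the secret, so only it can mint or check barcodes."""
    def __init__(self):
        self._secret = secrets.token_bytes(32)  # never leaves the register

    def mint_barcode(self, item, operation="scan"):
        # Bind designation (the item definition) and permission (the operation)
        # into one tag, using a canonical encoding so the bytes are stable.
        msg = json.dumps({"item": asdict(item), "op": operation},
                         sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def scan(self, item, barcode):
        # Recompute the tag from the item actually presented, not from the label.
        expected = self.mint_barcode(item, "scan")
        if not hmac.compare_digest(expected, barcode):
            raise PermissionError(f"barcode does not match item {item.sku}")
        return item.price_cents

def demo():
    """Honest scan succeeds; a valid barcode moved to another item is refused."""
    register = Register()
    steak = Item("SKU-001", "steak", 2499)
    gum = Item("SKU-002", "gum", 99)
    gum_code = register.mint_barcode(gum)
    results = {"honest": register.scan(steak, register.mint_barcode(steak))}
    try:
        register.scan(steak, gum_code)  # cheap barcode stuck on expensive item
        results["swapped"] = "accepted"
    except PermissionError:
        results["swapped"] = "rejected"
    return results

if __name__ == "__main__":
    print(demo())
```

The check binds the tag to the item definition itself, so a barcode that is valid for one item carries no authority when attached to another.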
With Object Capabilities you have no designation without authority, so in contrast to ACLs the permissions are bound to the groceries and not just to the cashier. Therefore there is no confusion/ambiguity as to where the arrow should point to.
In short, rights (e.g. function definition) are associated with the invoker, not the resource.
Capabilities are created only when the system is first built. After that, references can be obtained transitively and by similar means:
"The security model relies on not being able to forge references. Objects can interact only by sending messages on references. A reference can be obtained by:
initial conditions: In the initial state of the computational world being described, object A may already have a reference to object B.
parenthood: If A creates B, at that moment A obtains the only reference to the newly created B.
endowment: If A creates B, B is born with that subset of A's references with which A chose to endow it.
introduction: If A has references to both B and C, A can send to B a message containing a reference to C. B can retain that reference for subsequent use."