Capability Systems
Literature Review Seminar
Yining Zhao, 11th Jan 2010

Capabilities: Introduction

• What is meant by capabilities?
• Traditional access control: ACL
• Capabilities: unforgeable keys, possessed by subjects (users or processes), that grant access
  - Like a ticket verification [Linden76]
  - Contain a set of rights, to be checked when accessing the addressed resources [Kain87]
Capabilities: Introduction (cont.)

• The original invention: the DVH Supervisor [DVH66]
  - From Dennis and Van Horn's paper on multiprogrammed computations
  - Helps to provide protection between multiple processes

Capabilities: Pros and Cons

• Advantages
  - No longer 'fixed' to resources
  - The kernel only checks validity [Levy84]
  - More dynamic when changing agents [Miller03]
Capabilities: Pros and Cons (cont.)

• But... the endless ACL vs. capability debate
  - There are more resources than users, hence a huge number of capabilities [KGBG03]
  - The confinement problem [Lampson73]
  - The revocation problem [Gong89, KGBG03]

Miller's Arguments

• A simpler domain-target structure [Miller03]

  A table view of access control, with the subjects Alice, Bob and Carol as rows and Resource1 and Resource2 as columns: Alice has both resources marked accessible; Bob and Carol each have one of the two resources marked accessible.

  People used to believe the difference between ACLs and capabilities is only in the way you look at it.
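As an added illustration of the table-view slide above and of the revocation problem raised on the previous slide (example code written for this review, not from any of the cited papers), the same access matrix is built both as ACLs and as kernel-minted capability tokens: the two views agree cell by cell as a static table, but once Alice passes a token to Carol they diverge, and revoking that token cuts off Alice as well. Which single resource Bob and Carol hold is an assumption.

```python
import secrets

# Constructed access matrix mirroring the slide's table view; which single
# resource Bob and Carol hold is an assumption (the extracted slide does not say).
MATRIX = {"Alice": {"Resource1", "Resource2"}, "Bob": {"Resource1"}, "Carol": {"Resource2"}}
# ACL view: each resource lists its allowed subjects, so a check is keyed on identity.
def build_acls(matrix):
    acls = {}
    for subject, resources in matrix.items():
        for r in resources:
            acls.setdefault(r, set()).add(subject)
    return acls

def acl_check(acls, subject, resource):
    return subject in acls.get(resource, set())

# Capability view: only the kernel mints tokens, so presenting a valid token is the
# proof of access; the kernel checks validity, not identity [Levy84].
class CapabilityKernel:
    def __init__(self):
        self._valid = {}  # token -> resource it names
    def mint(self, resource):
        token = secrets.token_hex(16)  # unguessable, hence unforgeable in practice
        self._valid[token] = resource
        return token
    def check(self, token, resource):
        return self._valid.get(token) == resource
    def revoke(self, token):
        self._valid.pop(token, None)

def build_clists(kernel, matrix):  # each subject's C-list: resource -> token
    return {s: {r: kernel.mint(r) for r in rs} for s, rs in matrix.items()}

def views_agree(matrix):
    """Read as a static table, both views answer every cell identically."""
    acls, kernel = build_acls(matrix), CapabilityKernel()
    clists = build_clists(kernel, matrix)
    return all(acl_check(acls, s, r) == (r in clists[s] and kernel.check(clists[s][r], r))
               for s in matrix for r in acls)

def delegate_then_revoke(matrix):
    """Alice hands her Resource1 token to Carol: the capability check grants Carol while
    the identity-keyed ACL denies her; revoking that shared token then cuts off Alice too."""
    acls, kernel = build_acls(matrix), CapabilityKernel()
    clists = build_clists(kernel, matrix)
    shared = clists["Carol"]["Resource1"] = clists["Alice"]["Resource1"]
    carol_cap = kernel.check(shared, "Resource1")
    carol_acl = acl_check(acls, "Carol", "Resource1")
    kernel.revoke(shared)  # the kernel cannot tell Alice's copy from Carol's
    alice_after = kernel.check(clists["Alice"]["Resource1"], "Resource1")
    return carol_cap, carol_acl, alice_after  # (True, False, False)
```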
Miller's Arguments (cont.)

• A simpler domain-target structure [Miller03]

  [Diagram: Alice, Bob and Carol on one side and Resource1, Resource2 on the other, with the links between them labelled as user references, capability references and resource references]

Miller's Arguments (cont.)

• The *-property [Boebert84]
• The Arena [Miller06] (Figure 9.1 in [Miller06])
Miller's Arguments (cont.)

• A gate for revocation: ACL approach or not? (Figure 9.2 in [Miller06])
  - Capability side [Miller06]
  - ACL side [Boebert03]

Uses of Capabilities

• Operating systems [Levy84]
  - EROS: as good as Linux? [Shapiro99] (Figure 11 in [Shapiro99]: Linux in dark gray, EROS in lighter gray)
Uses of Capabilities (cont.)

• Memory management
  - Using capabilities to support region-based memory management [Walker00]
  - A capability is represented as a pair {α : θ}, where α names a region of memory and θ describes the type of the structure stored in that region [CP08]

Uses of Capabilities (cont.)

• Distributed systems
  - Open systems, where nodes join and leave the system frequently
  - LINDA [Wood99]
  - µKLAIM [Gorla09]
Multicapabilities

• Matching patterns rather than single objects [Udzir06]
• Contributions
  - Garbage collection
  - Deadlock breaking
  - Private channels

Conclusion and Future Work

• An abstract access control mechanism
• Benefits in distributed open environments
• Behaviours: the direction?
Thank you!

• Questions?
• Email: hopezhao@cs.york.ac.uk

References

[Boebert84] W. E. Boebert, "On the Inability of an Unmodified Capability Machine to Enforce the *-property", Proc. 7th DoD/NBS Computer Security Conference, pp. 291-293, Gaithersburg, MD, USA, September 1984, National Bureau of Standards. http://www.erights.org/elib/capability/duals/boebert.html (read in Dec 2009)
[Boebert03] Earl Boebert, "Comments on Capability Myths Demolished", 2003. http://www.eros-os.org/pipermail/cap-talk/2003-March/001133.html (read in Nov 2009)
[CP08] Arthur Charguéraud, François Pottier, "Functional Translation of a Calculus of Capabilities", SIGPLAN Notices, 43(9):213-224, 2008.
[DVH66] Jack B. Dennis, Earl C. Van Horn, "Programming Semantics for Multiprogrammed Computations", Communications of the ACM, 9(3):143-155, March 1966.
[Gong89] Li Gong, "A Secure Identity-Based Capability System", Proc. 1989 IEEE Symposium on Security and Privacy, pp. 56-63, 1989.
[Gorla09] Daniele Gorla, Rosario Pugliese, "Dynamic management of capabilities in a network aware coordination language", Journal of Logic and Algebraic Programming, 78(8):665-689, 2009.
[Kain87] Richard Y. Kain, Carl E. Landwehr, "On Access Checking in Capability-Based Systems", IEEE Transactions on Software Engineering, SE-13(2), February 1987.
[KGBG03] A. H. Karp, G. J. Rozas, A. Banerji, R. Gupta, "Using Split Capabilities for Access Control", IEEE Software, 20(1):42-49, January 2003.
[Levy84] Henry M. Levy, "Capability-Based Computer Systems", Digital Press, 1984. http://www.cs.washington.edu/homes/levy/capabook/ (read in Oct 2009)
References (cont.)

[Lampson73] Butler W. Lampson, "A Note on the Confinement Problem", Communications of the ACM, 16(10):613-615, 1973.
[Linden76] Theodore A. Linden, "Operating System Structures to Support Security and Reliable Software", ACM Computing Surveys, 8(4):409-445, 1976.
[Miller03] Mark Miller, Ka-Ping Yee, Jonathan Shapiro, "Capability Myths Demolished", Systems Research Laboratory, Johns Hopkins University, 2003.
[Miller06] Mark Samuel Miller, "Robust Composition: Towards a Unified Approach to Access Control and Concurrency Control", PhD thesis, Johns Hopkins University, 2006.
[Shapiro99] Jonathan S. Shapiro, Jonathan M. Smith, David J. Farber, "EROS: a fast capability system", Symposium on Operating Systems Principles, pp. 170-185, 1999.
[Udzir06] N. I. Udzir, "Capability-Based Coordination for Open Distributed Systems", PhD thesis, University of York, 2006.
[Walker00] David Walker, Karl Crary, Greg Morrisett, "Typed Memory Management in a Calculus of Capabilities", ACM Transactions on Programming Languages and Systems, 2000.
[Wood99] Alan Wood, "Coordination with Attributes", Proc. 3rd International Conference COORDINATION '99, Lecture Notes in Computer Science 1594, pp. 21-36, 1999.