Capability Systems: Literature Review Seminar (PDF slides)


Capability Systems

Literature Review Seminar
Yining Zhao, 11th Jan 2010

1

Capabilities: Introduction

What is meant by capabilities?

  • Traditional access control: ACL
  • Capabilities: unforgeable keys to gain access control, possessed by subjects (users or processes)
  • Like a ticket verification [Linden76]
  • Contains a set of rights, to be checked when accessing addressed resources [Kain87]

2


Capabilities: Introduction

The original invention: DVH Supervisor [DVH66]

  • From Dennis and Van Horn's "Programming Semantics for Multiprogrammed Computations"
  • Helps to provide protection between multiple processes

3

Capabilities: pros and cons

Advantages

  • No longer 'fixed' to resources
  • Kernel only checks validity [Levy84]
  • More dynamic when changing agents [Miller03]

4


Capabilities: pros and cons

But... the infinite ACL vs. capability debate

  • There are more resources than users, thus a huge number of capabilities [KGBG03]
  • Confinement problem [Lampson73]
  • Revocation problem [Gong89, KGBG03]

5

Miller's Arguments

A simpler domain-target structure [Miller03]

A table view of access control (rows: subjects; columns: Resource1, Resource2):

  • Alice: accessible, accessible
  • Bob: accessible (one resource)
  • Carol: accessible (one resource)

People used to believe the difference between ACLs and capabilities is only in the way you look at it.

6


Miller's Arguments

A simpler domain-target structure [Miller03]

[Figure: Alice, Bob, Carol and Resource 1, Resource 2 linked by user references (resources pointing at subjects, the ACL view)]

[Figure: the same subjects and resources linked by capability references (subjects pointing at resources, the capability view)]

7

Miller's Arguments

  • *-property [Boebert84]
  • The Arena [Miller06]

Figure 9.1 in [Miller06]

8


Miller's Arguments

Gate for revocation: ACL approach or not?

  • Capability side [Miller06]
  • ACL side [Boebert03]

Figure 9.2 in [Miller06]

9
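To make the table duality and the revocation gate concrete, here is an added example (not from the slides or the cited papers): one access matrix read as ACLs and as capability lists, a kernel that hands out unforgeable opaque handles and checks them only on use, and a forwarding gate modelled on the caretaker idea, which the owner can cut off without touching the kernel table. Subjects, resources and rights are constructed sample data.

```python
# Added example, not from the slides: an access matrix read as ACLs (columns)
# and as capability lists (rows), a kernel handing out unforgeable opaque
# handles checked only on use, and a caretaker-style revocation gate.
import secrets

MATRIX = {  # subject -> resource -> rights (constructed sample)
    "Alice": {"Resource1": {"read", "write"}, "Resource2": {"read"}},
    "Bob":   {"Resource1": {"read"}},
    "Carol": {"Resource2": {"read"}},
}

def acl_view(matrix):
    """Column view: each resource lists the subjects allowed and their rights."""
    acl = {}
    for subj, row in matrix.items():
        for res, rights in row.items():
            acl.setdefault(res, {})[subj] = set(rights)
    return acl

def capability_view(matrix):
    """Row view: each subject holds its own tickets, one per resource."""
    return {s: {r: set(rt) for r, rt in row.items()} for s, row in matrix.items()}

class Kernel:
    """Only the kernel maps handles to (resource, rights); user code sees a
    random 128-bit handle, so it cannot forge one it was never given."""
    def __init__(self):
        self._table = {}

    def mint(self, resource, rights):
        handle = secrets.token_hex(16)
        self._table[handle] = (resource, frozenset(rights))
        return handle

    def access(self, handle, resource, right):
        """Checked on use: known handle, matching resource, right present."""
        entry = self._table.get(handle)
        return entry is not None and entry[0] == resource and right in entry[1]

class Gate:
    """Revocation gate: the owner keeps the real handle and hands out the
    gate instead; accesses are forwarded until the owner cuts it off."""
    def __init__(self, kernel, handle):
        self._kernel, self._handle = kernel, handle

    def access(self, resource, right):
        return self._handle is not None and self._kernel.access(self._handle, resource, right)

    def revoke(self):
        self._handle = None  # every later use through this gate now fails
```

Revoking the gate does not disturb the owner's own handle, which is the point of the gate over editing a kernel table entry that others may share.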

Uses of Capabilities

Operating Systems [Levy84]

EROS: as good as Linux? [Shapiro99]

Figure 11 in [Shapiro99]: Linux in dark gray, EROS in lighter gray

10


Uses of Capabilities

Memory management

  • Using capabilities to support region-based memory management [Walker00]
  • Capability represented as a pair {α : θ}, where α represents a region in memory, while θ describes the type of the structure in that region [CP08]

11

Uses of Capabilities

Distributed systems

  • Open systems, where nodes join and leave the system frequently
  • LINDA [Wood99]
  • µKLAIM [Gorla09]

12


Multicapabilities

  • Matching patterns rather than a single object [Udzir06]

Contributions

  • Garbage Collection
  • Deadlock Breaking
  • Private Channel

13

Conclusion and Future Work

  • An abstract access control mechanism
  • Benefits in a distributed open environment
  • Behaviours: the direction?

14


Thank you!

Questions? Email: hopezhao@cs.york.ac.uk

15

References

  • [Boebert84] W. E. Boebert, “On the Inability of an Unmodified Capability Machine to Enforce the *-property”, Proc. 7th DoD/NBS Computer Security Conference, pages 291--293, Gaithersburg, MD, USA, September 1984, National Bureau of Standards. http://www.erights.org/elib/capability/duals/boebert.html (Read in Dec 2009)
  • [Boebert03] Earl Boebert, “Comments on Capability Myths Demolished”, 2003. http://www.eros-os.org/pipermail/cap-talk/2003-March/001133.html (Read in Nov 2009)
  • [CP08] Arthur Charguéraud, François Pottier, “Functional Translation of a Calculus of Capabilities”, SIGPLAN Notices, 43(9):213--224, 2008.
  • [DVH66] Jack B. Dennis, Earl C. Van Horn, “Programming Semantics for Multiprogrammed Computations”, Communications of the ACM, 9(3):143--155, March 1966.
  • [Gong89] Li Gong, “A Secure Identity-Based Capability System”, Proceedings of the 1989 IEEE Symposium on Security and Privacy, pages 56--63, 1989.
  • [Gorla09] Daniele Gorla, Rosario Pugliese, “Dynamic management of capabilities in a network aware coordination language”, Journal of Logic and Algebraic Programming, 78(8):665--689, 2009.
  • [Kain87] Richard Y. Kain, Carl E. Landwehr, “On Access Checking in Capability-Based Systems”, IEEE Transactions on Software Engineering, SE-13(2), February 1987.
  • [KGBG03] A. H. Karp, G. J. Rozas, A. Banerji, R. Gupta, “Using Split Capabilities for Access Control”, IEEE Software, 20(1):42--49, January 2003.
  • [Levy84] Henry M. Levy, “Capability-Based Computer Systems”, Digital Press, 1984. http://www.cs.washington.edu/homes/levy/capabook/ (Read in Oct 2009)

16


References

  • [Lampson73] Butler W. Lampson, “A Note on the Confinement Problem”, Communications of the ACM, 16(10):613--615, 1973.
  • [Linden76] Theodore A. Linden, “Operating System Structures to Support Security and Reliable Software”, ACM Computing Surveys, 8(4):409--445, 1976.
  • [Miller03] Mark Miller, Ka-Ping Yee, Jonathan Shapiro, “Capability Myths Demolished”, Systems Research Laboratory, Johns Hopkins University, 2003.
  • [Miller06] Mark Samuel Miller, “Robust Composition: Towards a Unified Approach to Access Control and Concurrency Control”, PhD Thesis, Johns Hopkins University, 2006.
  • [Shapiro99] Jonathan S. Shapiro, Jonathan M. Smith, David J. Farber, “EROS: a fast capability system”, Symposium on Operating Systems Principles, pages 170--185, 1999.
  • [Udzir06] N. I. Udzir, “Capability-Based Coordination for Open Distributed Systems”, PhD Thesis, University of York, 2006.
  • [Walker00] David Walker, Karl Crary, Greg Morrisett, “Typed Memory Management in a Calculus of Capabilities”, ACM Transactions on Programming Languages and Systems, 2000.
  • [Wood99] Alan Wood, “Coordination with Attributes”, Proc. 3rd International Conference COORDINATION '99, Lecture Notes in Computer Science 1594, pages 21--36, 1999.

17