A brief essay on capabilities

2016

Computers & Security

With reference to a protection system featuring active subjects that attempt to access passive, typed objects,we propose a set of mechanisms supporting the distribution,verification,review and revocation of access privileges. In our approach, a protection domain is a collection of access rights for the protected objects. An access control list is associated with each object to specify the access rights in each domain. Objects are grouped into clusters.To access the objects in a given cluster, a subject presents a gate referencing this cluster. The gate is a form of password capability that identifies one or more domains.The gate grants the access rights specified for these domains by the access control lists of the objects in the cluster. A subject that holds a gate and is aimed at distributing the access privileges in this gate in restricted form can reduce the gate to eliminate domains; the gate reduction procedure requires no intervention of the protection system. A small set of protection primitives allows subjects to manage objects and access control lists. Forms of revocation of access permissions are supported, at both levels of gates and access control lists

“…Capabilities need to be segregated into protected memory regions [5], [19], [37]. This is necessary to prevent a subject that holds a given capability from modifying this capability, e.g.…”

Section: Capabilities and Access Control Listsmentioning

confidence: 99%

Access control lists in password capability environments

2016

Computers & Security

“…Capabilities should be segregated in memory, so that their internal representation is inaccessible to subjects [5]. This is necessary to prevent a subject from tampering with an existing capability to amplify the access rights it contains, or even forging a capability from scratch.…”

Section: Access Privilege Specificationmentioning

confidence: 99%

Password Management: Distribution, Review and Revocation

2014

The Computer Journal

We consider the problem of access privilege management in a classical protection environment featuring subjects attempting to access the protected objects. We express an access privilege in terms of an access right and a privilege level. The privilege level and a protection diagram associated with each given object determine whether a nominal access privilege for this object corresponds to an effective, possibly weaker access privilege, or is revoked. We associate a password system with each object; the password system takes the form of a hierarchical bidimensional one-way chain. A subject possesses a nominal access privilege for a given object if it holds a key that matches one of the passwords in the password system of this object; the protection diagram determines the extent of the corresponding effective access privilege. The resulting protection environment has several interesting properties. A key reduction mechanism allows a subject that holds a key for a given object to distribute keys for weaker access rights at lower privilege levels. A subject that owns a given object can review or revoke the passwords for this object by simply modifying the protection diagram. The memory requirements to represent a protection diagram are negligible; as far as password storage is concerned, space-time trade-offs are possible.

“…Similarly, we must prevent processes from forging new capabilities for existing objects from scratch, thereby gaining access to these objects. Several solutions to this segregation problem [4,12] have been devised and actually implemented in existing systems. In a tagged memory environment, a one-bit tag can be associated with each memory cell to specify whether this cell contains a capability or an ordinary data item [8,11,21].…”

Section: Capabilities and Password Capabilitiesmentioning

confidence: 99%

“…In our approach, o-pointers are segregated in memory by taking advantage of cryptography [4]. We associate an encryption key with each object and a password with each protection domain.…”

Section: Capabilities and Password Capabilitiesmentioning

confidence: 99%

Object protection in distributed systems

Journal of Parallel and Distributed Computing

2013

a b s t r a c tWith reference to a distributed system consisting of nodes connected by a local area network, we consider a salient aspect of the protection problem, the representation of access permissions and protection domains. We present a model of a protection system supporting typed objects. Possession of an access permission for a given object is certified by possession of an object pointer including the specification of a set of access rights. We associate an encryption key with each object and a password with each domain. Object pointers are stored in memory in a ciphertext form obtained by using the object key and including the value of the domain password. Each process is executed in a domain and can take advantage of a given object pointer only if this object pointer was encrypted by including the password of this domain. A set of protection primitives makes it possible to use object pointers for object reference and to control the movements of the objects across the network. The resulting protection environment is evaluated from a number of salient viewpoints, including ease of access right distribution and revocation, interprocess interaction and cooperation, protection against fraudulent actions of access right manipulation and stealing, storage overhead, and network traffic.