View
217
Download
1
Category
Tags:
Preview:
Citation preview
Horton’s Who Done It?
Communicating Authority with
Responsibility Tracking
Mark S. Miller Google Research1
Jed Donnelley LBNL/NERSC
Alan H. Karp HP Labs
Usenix HotSec Workshop, August 7, 2007
1Work done while at HP Labs
Alice
Alice
Doc Chapters:
Chapter 1…
Chapter 1…
BobAlice
Communicating Object Access with Delegation
Initial Conditions:
Alice has: 1. A capability to send to Bob and 2. A capability to a document with chapters.
Doc Chapters:
Chapter 1…
BobAlice
Alice
Capability Communication of the Document Reference
Alice
here’s( )
Chapter 1…
Alice sends a message to Bob containinga reference to the document.
Alice
Alice
Doc Chapters:
Chapter 1…
Chapter 1…
BobAlice
Alice-
>Bob
Alice can’t act with Bob’s responsibilityBob can’t act with Alice’s responsibility
Horton Magic: Bob Receives a Delegated Capability
Delegating Least Authority
A B
C
Delegating Least Authority
A B
C
b.foo(c)
Delegating Least Authority
A B
C
foo( )
Delegating Least Authority
A B
C
Delegating Least Authority
A B
C
• Msgs are only means to cause effects
• Refs control authority
• Leverage OO patterns
Delegating Least Authority
A B
C
• Msgs are only means to cause effects
• Refs control authority
• Leverage OO patterns
• Anonymous
Alice
Can’t vet code or actions of each object.
Alice
Can’t vet code or actions of each object.
Alice
Can’t vet code or actions of each object.
Alice
Can’t vet code or actions of each object.
Alice
Can’t vet code or actions of each object.
Alice
Can’t vet code or actions of each object.
Alice
Can’t vet code or actions of each object.
Alice
Can’t vet code or actions of each object.
Alice
Can’t vet code or actions of each object.
Alice
A
Can’t vet code or actions of each object.
Aggregate into long-lived responsible identity.
Two styles, relative strengths
Automated
Fine-grained
Built for safety
Least authority
Virus resistant
Authorization-based
Object-capabilities (ocaps)
Human decisions
Large-grained
Built for damage control
Most responsibility
Spam resistant
Identity-based
ACLs
?
Two styles, relative strengths
Automated
Fine-grained
Built for safety
Least authority
Virus resistant
Authorization-based
Object-capabilities (ocaps)
Human decisions
Large-grained
Built for damage control
Most responsibility
Spam resistant
Identity-based
ACLs
?
Two styles, relative strengths
Automated
Fine-grained
Built for safety
Least authority
Virus resistant
Authorization-based
Object-capabilities (ocaps)
Human decisions
Large-grained
Built for damage control
Most responsibility
Spam resistant
Identity-based
ACLs
Polaris, Plash
Two styles, relative strengths
Automated
Fine-grained
Built for safety
Least authority
Virus resistant
Authorization-based
Object-capabilities (ocaps)
Human decisions
Large-grained
Built for damage control
Most responsibility
Spam resistant
Identity-based
ACLs+ “Hybrid” Cap Systems (SCAP, Sys/38)
Two styles, relative strengths
Automated
Fine-grained
Built for safety
Least authority
Virus resistant
Authorization-based
Object-capabilities (ocaps)
Human decisions
Large-grained
Built for damage control
Most responsibility
Spam resistant
Identity-based
ACLs
?
Two styles, relative strengths
Automated
Fine-grained
Built for safety
Least authority
Virus resistant
Authorization-based
Object-capabilities (ocaps)
Human decisions
Large-grained
Built for damage control
Most responsibility
Spam resistant
Identity-based
ACLs
Horton
Story Needs Four Characters
Alice & Bob• Old patterns for identity-based control
Alice introduces Bob & Carol• Builds new relationships from old
Carol also hears of Bob from Dave• Corroborates Bob’s independence from Alice
Two-party intermediation
A message travels through anidentity tunnel
A B
Bob
Alice Bob
Alice
A B
Bob
Alice Bob
Aliceb.foo()
A Bfoo()
Bob
Alice Bob
Alice
A B
Bob
Alice Bob
Alice
foo()
Do I still use Bob’s services?
A B
Bob
Alice Bob
Alice
Bob, deliver to Bfoo()
A B
Bob
Alice Bob
Alice
deliver(“foo”,[])
A B
Bob
Alice Bob
Alice
foo()
Do I still honorAlice’s requests?
A B
Bob
Alice Bob
Alice
Deliver toB for Alice
foo()
A B
Bob
Alice Bob
Alice
foo()
A B
Alice Bob
Three-party intermediation
Build new relationships from old
A B
Alice Bob
C
Carol
A B
Alice Bob
C
Carol
b.foo(c)
A B
Alice Bob
C
Carol
foo( )
A B
Alice Bob
C
Carol
intro( )
Bob
Carol, please provide Bob access to C
foo(?)
A B
Alice Bob
C
Carol
intro( )
Bob
Carol, please provide Bob access to C
foo(?)
Alice needs tunnel for Bob
A B
Alice Bob
C
Carol
intro( )
BobGift wrap it
for Bob
Carol, please provide Bob access to C
foo(?)
A B
Alice Bob
C
Carol
intro( )
BobGift wrap it
for Bob
To BobFrom Carol
Carol, please provide Bob access to C
foo(?)
A B
Alice Bob
C
Carol
intro( )
Bobreturn Bob’sgift to Alice
To BobFrom Carol
Carol, please provide Bob access to C
foo(?)
A B
Alice Bob
C
Carol
To BobFrom Carol
Bob, deliver “fo__ to B with
Carol’s ( )foo( )
A B
Alice Bob
C
Carol
To BobFrom Carol
deliver(“foo”,[[ , ]])
Carol
A B
Alice Bob
C
Carol
To BobFrom Carol
deliver(“foo”,[[ , ]])
Carol
Unwrap Carol’sgift from Alice
A B
Alice Bob
C
Carol
foo( )
Unwrap Carol’sgift from Alice
A B
Alice Bob
C
Carol
foo( )
A B
Alice Bob
C
Carol
Four party intermediation
Only corroborating introductions let Alice shed blame
A B
Alice
Bob
C
Carol
Is Bob a pseudonymfor Alice?
A B
Alice Bob
C
Carol
Is Carol a pseudonymfor Alice?
A B
Alice Bob
C
Carol
A B
Alice Bob
C D
Carol Dave
A B
Alice Bob
C D
Carol Dave
bar( )
A B
Alice Bob
C D
Carol Dave
A B
Alice Bob
C D
Carol Dave
Bob
A B
Alice Bob
C D
Carol Dave
Bob
Carol
Better Identities than ACLs
No global administrator or name server
Track bilateral responsibility• For requests and for service
Track delegation chain• Revoke only improperly delegated rights
Sybil resistant aggregation strategy
Corroboration-driven disaggregation
Conclusions
Fine-grain least authorizations for safety.
Large-grain identities for damage control.
Horton is a protocol “scaffold” on which to hang identity-based policies,
transparently to interacting app-objects.
Supports delegating narrow authority, whileassigning responsibility for using that authority.
Three-party intermediation
The details
Rights Amplification
• Inspired by PK
• Simple oo pattern
• No explicit crypto
• Can represent responsible identity
b.foo(c)
Carol, please provide Bob access to C
Carol, please provide Bob access to C
Bob, please use Carol’s C
Make a stub for Bob’s use
Make a stub for Bob’s use
Gift wrap it for Bob
wrap(s3, whoBob, beCarol)
wrap(s3, whoBob, beCarol)
pr
wrap(s3, whoBob, beCarol)
pr
seal( )
wrap(s3, whoBob, beCarol)
pr
return gift
pr
pr
unwrap( , whoCarol, beBob)
pr
unwrap( , whoCarol, beBob)
pr
unseal( )
unwrap( , whoCarol, beBob)
pr
unwrap( , whoCarol, beBob)
pr
unwrap( , whoCarol, beBob)
pr
seal
( )
unwrap( , whoCarol, beBob)
pr
unwrap( , whoCarol, beBob)
pr
( )
unwrap( , whoCarol, beBob)
pr
unwrap( , whoCarol, beBob)
pr
unwrap( , whoCarol, beBob)
pr
( )
unwrap( , whoCarol, beBob)
makeProxy(..)
makeProxy(..)
E.call(..)
A B
Alice Bob
C D
Carol Dave
B
Bob
C D
Carol Dave
B
Bob
C D
Carol Dave
CapWiki with attribution
The Web: Good, Bad, and Ugly:
1. Good: Internet hypertext, wonderful!
2. Bad: Username/passwords for every site that has any sort of access control.
3. Ugly: Hard to share limited access to network objects. Hard to combine network objects with access restrictions.
Sends:BobSendEveSendIvanSend
Alice’s Domain
CapWikiFinances:InvestorMarket
Ali ce’s
Alice’s Domain
CapWiki:CapWiki Stuff:ConceptsFinancesOther
Sends:BobSendEveSendIvanSend
Sends:AliceSendDaveSend
CapWikiFinances:InvestorMarket
Alice’s Domain Bob’s Domain
Ali ce’s
Receives:AliceReceive
CapWiki:CapWiki Stuff:ConceptsFinancesOther
Sends:BobSendEveSendIvanSend
CapWiki:CapWiki Stuff:ConceptsFinancesOther Sends:
AliceSendDaveSend
CapWikiFinances:InvestorMarket
Alice’s Domain Bob’s Domain
Ali ce’s
Receives:*AliceReceive
Sends:BobSendEveSendIvanSend
CapWiki:CapWiki Stuff:ConceptsFinancesOther
Receives:AliceReceive
Sends:AliceSendDaveSend
CapWikiFinances:InvestorMarket
Alice’s Domain Bob’s Domain
Ali ce’ s
Alice BobSends:BobSendEveSendIvanSend
CapWiki:CapWiki Stuff:ConceptsFinancesOther
Receives:AliceReceive
Sends:AliceSendDaveSend
CapWikiFinances:InvestorMarket
Alice’s Domain Bob’s Domain
Ali ce’ s
Alice Bob
Alice Bob
Sends:BobSendEveSendIvanSend
CapWiki:CapWiki Stuff:ConceptsFinancesOther
Receives:AliceReceive
Sends:AliceSendDaveSend
CapWikiFinances:InvestorMarket
Alice’s Domain Bob’s Domain
Ali ce’ s
Here are theCapWiki:FinancesDave
Receives:BobReceiveDaves’s Domain
Bo b’s
Sends:BobSendEveSendIvanSend
Alice Bob
Alice Bob
CapWiki:CapWiki Stuff:ConceptsFinancesOther
Receives:AliceReceive
Sends:AliceSendDaveSend
CapWikiFinances:InvestorMarket
Ali ce’ s
Here are theCapWiki:FinancesDave
Receives:* BobReceiveDaves’s Domain
Bo b’s
Sends:BobSendEveSendIvanSend
Alice’s Domain Bob’s Domain
Alice Bob
Alice Bob
CapWiki:CapWiki Stuff:ConceptsFinancesOther
Receives:AliceReceive
Sends:AliceSendDaveSend
CapWikiFinances:InvestorMarket
Ali ce’ s
Here are theCapWiki:FinancesDave
Receives:BobReceive
Bo b’s
Bob D
ave
Sends:BobSendEveSendIvanSend
Daves’s Domain
Alice’s Domain Bob’s Domain
Alice Bob
Alice Bob
CapWiki:CapWiki Stuff:ConceptsFinancesOther
Receives:*AliceReceive
Sends:AliceSendDaveSend
CapWikiFinances:InvestorMarket
Ali ce’ s
Here are theCapWiki:FinancesDave
Receives:BobReceive
Bo b’s
Bob D
ave
Alice Bob Dave
Sends:BobSendEveSendIvanSend
Alice’s Domain Bob’s Domain
Daves’s Domain
Alice Bob
Alice Bob
Better Web Access Control
• No more passwords – Send a <me>Send to a <service>Send. They know who you are, you know who they are.
• Side benefit – SPAM resistance. Don’t like a source of SPAM, cut it off to any delegation level.
• Principle Of Least Authority (POLA) sharing that can facilitate cross site services.
Recommended