[Cryptography] Do capabilities work? Do ACLs work?

Bill Frantz frantz at pwpconsult.com
Thu Feb 12 18:04:04 EST 2015


On 2/12/15 at 10:38 AM, leichter at lrw.com (Jerry Leichter) wrote:

>I doubt this explanation.  The reason Unix (and Windows, and VMS) ...

Relatively late coming systems in the scheme of things. User 
centric, as opposed to object centric, security goes back at 
least as far as Multics, the SDS 940 timesharing system, and the 
Dartmouth timesharing system (of the GE 235 & Datanet 30). :-)

In all these systems, the security model was that users were 
running code they had written, and so trusted it. It should also 
be noted that these systems were designed before many of the 
attacks we worry about had been invented. At Tymshare, which ran 
SDS 940s (+ PDP 10 & VM/370), the early response to people, 
usually teenagers, breaking into the system was to hire them as 
interns to help maintain the game library.

Generally people were thinking of academic environments, where a 
reasonable response to students vying with each other to 
discover ways to crash the timesharing system was to install a 
"crash" command so anyone could crash the system. Then it wasn't 
fun anymore.


>BTW, not all ACL systems are the same.  The Unix ACL system is 
>in a way just a glorified extension of the existing group 
>system.  The VMS ACL system was much more elaborate and 
>interesting.  I haven't looked at in years, but among the 
>things you could do were:
>
>- Associate an ACL with an executable that would be granted to 
>the process while that executable was running.  This is 
>setuid/setgid taken to the ultimate level.

The 940 had the "home files" privilege. It permitted a running 
executable to read and write files in the directory it was 
loaded from. This kind of privilege was responsible for the 
first "confused deputy" attack, where a compiler kept a usage 
statistics file for optimization use that happened to be in the 
same directory as the system billing file. A user discovered he 
could get the program to overwrite the billing file by passing 
its name as the compiler output file name. See: <http://www.cap-lore.com/CapTheory/ConfusedDeputy.html>


>- Associate an ACL that would send an alert to the security 
>logs if various actions touched the ACL - from attempting to 
>remove it to even just looking at it.

This is the first time anyone in this discussion has mentioned 
how you change ACLs. Access to them is, as far as I can tell, 
outside the ACL security system. Not good.

Cheers - Bill

-----------------------------------------------------------------------
Bill Frantz        | I like the farmers' market   | Periwinkle
(408)356-8506      | because I can get fruits and | 16345 Englewood Ave
www.pwpconsult.com | vegetables without stickers. | Los Gatos, CA 95032
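The "home files" confused deputy Bill describes, as a toy model added here (not code from the post or from any of the systems mentioned): an ACL-style compiler that writes with its own ambient authority, beside a capability-style one that can only write through a capability the caller hands it. All paths, principals and the ACL table are constructed for illustration.

```python
# Added toy model of the "home files" confused deputy; all paths and names constructed.
FILES = {
    "/sys/compiler/stats": "compilations=0",
    "/sys/compiler/billing": "alice owes $1000",  # lives in the compiler's own directory
    "/home/alice/prog.out": "",
}
# ACL model: paths each principal may write. The compiler's "home files"
# privilege covers its whole directory, the billing file included.
ACL = {
    "alice": {"/home/alice/prog.out"},
    "compiler": {"/sys/compiler/stats", "/sys/compiler/billing"},
}

def acl_write(principal, path, data):
    # The check looks at the identity of the running program, not at who asked.
    if path not in ACL.get(principal, set()):
        raise PermissionError(f"{principal} may not write {path}")
    FILES[path] = data

def compile_acl(output_path):
    """Deputy under ambient authority: both writes carry the compiler's rights."""
    acl_write("compiler", "/sys/compiler/stats", "compilations=1")  # legitimate
    # The user-chosen output name is also written with the compiler's authority,
    # so naming the billing file overwrites it: the confused deputy.
    acl_write("compiler", output_path, "object code")

class WriteCap:
    """Capability model: an unforgeable object that both designates and authorizes."""
    def __init__(self, path):
        self.path = path
    def write(self, data):
        FILES[self.path] = data

def user_caps(user):
    """A user is handed capabilities only for files that user may write."""
    return {p: WriteCap(p) for p in ACL[user]}

def compile_cap(output_cap, stats_cap):
    """Deputy writes stats through its own capability and output only through the caller's."""
    stats_cap.write("compilations=1")
    output_cap.write("object code")

def request_billing_overwrite():
    """Attempt the overwrite under both models; returns (acl_overwritten, cap_overwritten)."""
    compile_acl("/sys/compiler/billing")
    acl_hit = FILES["/sys/compiler/billing"] == "object code"
    FILES["/sys/compiler/billing"] = "alice owes $1000"  # reset for the second run
    try:  # alice cannot present a capability she was never given
        compile_cap(user_caps("alice")["/sys/compiler/billing"], WriteCap("/sys/compiler/stats"))
        cap_hit = True
    except KeyError:
        cap_hit = False
    return acl_hit, cap_hit
```

In the capability version the output file's name and the right to write it travel together, so the deputy has no authority of its own to be confused about.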
