[Cryptography] Do capabilities work? Do ACLs work?
Bill Frantz
frantz at pwpconsult.com
Thu Feb 12 18:04:04 EST 2015
On 2/12/15 at 10:38 AM, leichter at lrw.com (Jerry Leichter) wrote:
>I doubt this explanation. The reason Unix (and Windows, and VMS) ...
Relatively late coming systems in the scheme of things. User
centric, as opposed to object centric, security goes back at
least as far as Multics, the SDS 940 timesharing system, and the
Dartmouth timesharing system (of the GE 235 & Datanet 30). :-)
In all these systems, the security model was that users were
running code they had written, and so trusted it. It should also
be noted that these systems were designed before many of the
attacks we worry about had been invented. At Tymshare, which ran
SDS 940s (+ PDP 10 & VM/370), the early response to people,
usually teenagers, breaking into the system was to hire them as
interns to help maintain the game library.
Generally people were thinking of academic environments, where a
reasonable response to students vying with each other to
discover ways to crash the timesharing system, was to install a
"crash" command so anyone could crash the system. Then it wasn't
fun anymore.
>BTW, not all ACL systems are the same. The Unix ACL system is
>in a way just a glorified extension of the existing group
>system. The VMS ACL system was much more elaborate and
>interesting. I haven't looked at in years, but among the
>things you could do were:
>
>- Associate an ACL with an executable that would be granted to
>the process while that executable was running. This is
>setuid/setgid taken to the ultimate level.
The 940 had the "home files" privilege. It permitted a running
executable to read and write files in the directory it was
loaded from. This kind of privilege was responsible for the
first "confused deputy" attack, where a compiler kept a usage
statistics file for optimization use that happened to be in the
same directory as the system billing file. A user discovered he
could get the program to overwrite the billing file by passing
its name as the compiler output file name. See: <http://www.cap-lore.com/CapTheory/ConfusedDeputy.html>
>- Associate an ACL that would send an alert to the security
>logs if various actions touched the ACL - from attempting to
>remove it to even just looking at it.
This is the first time anyone in this discussion has mentioned
how you change ACLs. Access to them is, as far as I can tell,
outside the ACL security system. Not good.
Cheers - Bill
-----------------------------------------------------------------------
Bill Frantz        | I like the farmers' market   | Periwinkle
(408)356-8506      | because I can get fruits and | 16345 Englewood Ave
www.pwpconsult.com | vegetables without stickers. | Los Gatos, CA 95032
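The SDS 940 "home files" confused deputy described in the post, as an added toy model that is not from the mailing list or any 940 source: an ambient-authority compiler honours a caller-supplied output name, while a capability-style compiler can only write through a file capability the caller already holds. `Directory`, `WriteCap`, `mint_write_cap` and all file contents are constructed stand-ins for illustration.

```python
# Added example, not from the post: toy model of the "home files" confused
# deputy beside a capability-style deputy. Everything here is constructed.
from dataclasses import dataclass, field


@dataclass
class Directory:
    """In-memory stand-in for one directory: file name -> contents."""
    files: dict = field(default_factory=dict)


def compile_ambient(system_dir, source, output_name):
    """Deputy with the 'home files' privilege: it may write any file in the
    directory it was loaded from, so it honours whatever name the caller
    supplies. A bare name carries no proof the caller may write that file."""
    system_dir.files["stats"] = system_dir.files.get("stats", "") + "1 run\n"
    system_dir.files[output_name] = f"compiled({source})"
    return output_name


class WriteCap:
    """Write authority to exactly one file. Only mint_write_cap() builds one,
    standing in for a kernel call that checks the holder's own rights."""
    def __init__(self, directory, name):
        self._dir, self._name = directory, name

    def write(self, data):
        self._dir.files[self._name] = data


def mint_write_cap(owner_dir, name):
    """A user can obtain write caps only for files in their own directory."""
    return WriteCap(owner_dir, name)


def compile_caps(system_dir, source, output_cap):
    """Deputy that writes output only through the capability it was handed;
    its ambient authority is spent only on its own stats file."""
    system_dir.files["stats"] = system_dir.files.get("stats", "") + "1 run\n"
    output_cap.write(f"compiled({source})")


def run_ambient():
    """Caller names the billing file as the output; the deputy clobbers it."""
    system = Directory({"billing": "alice owes $10"})
    compile_ambient(system, "prog.f", "billing")
    return system.files["billing"]


def run_caps():
    """Same request, but the caller can only pass a cap to their own file."""
    system = Directory({"billing": "alice owes $10"})
    user = Directory()
    compile_caps(system, "prog.f", mint_write_cap(user, "billing"))
    return system.files["billing"], user.files["billing"]
```

In the ambient version the output name is both designation and authority, which is exactly the confusion; in the capability version the caller must hand over authority it already holds, so naming the system's billing file buys nothing.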