[Cryptography] Do capabilities work? Do ACLs work?

Jerry Leichter leichter at lrw.com
Thu Feb 12 19:04:49 EST 2015


On Feb 12, 2015, at 6:04 PM, Bill Frantz <frantz at pwpconsult.com> wrote:

> On 2/12/15 at 10:38 AM, leichter at lrw.com (Jerry Leichter) wrote:
> 
>> I doubt this explanation.  The reason Unix (and Windows, and VMS) ...
> 
> Relatively late coming systems in the scheme of things. User centric, as opposed to object centric, security goes back at least as far as Multics, the SDS 940 timesharing system, and the Dartmouth timesharing system (of the GE 235 & Datanet 30). :-)
Well ... yes.  But then Unix came along and simplified things - and its model of hierarchical directories and user/group/world access bits pretty much won out.  The old models and mechanisms were mainly forgotten, to be rediscovered later.  (It's an old joke that most OS work in the last couple of decades is a rediscovery of stuff done in Multics.)

> In all these systems, the security model was that users were running code they had written, and so trusted it.  It should also be noted that these systems were designed before many of the attacks we worry about had been invented.
Yes.  And it's not as if we haven't gone through this before.  When I was teaching OS classes in the early 1980s, I would first talk about the protection mechanisms needed on time-shared machines, then ask the question:  On single-user PCs, do we need security?  It made for interesting discussion.  At the time, of course, the Internet was a novelty used mainly by academics and a few companies and a bit of the military, viruses were a very new phenomenon, and the attacks we consider boring and commonplace today hadn't been invented.

There *were* people thinking about these issues even then - and even earlier.  Most systems only provided DAC (Discretionary Access Control - the user has complete ability to change everything).  But there were those calling for MAC (Mandatory ...) exactly because you wanted to be able to keep things safe even when people - or, more likely, programs they ran - did things they shouldn't.  At the time, most of the impetus for this came from the military, where MAC had to do with classification level - which never fit well with anything else.  This hid the broader ideas underneath it all....

>> - Associate an ACL that would send an alert to the security logs if various actions touched the ACL - from attempting to remove it to even just looking at it.
> 
> This is the first time anyone in this discussion has mentioned how you change ACLs. Access to them is, as far as I can tell, outside the ACL security system. Not good.
The only mechanism I've seen implemented for this is the very old idea of a CONTROL access right on an object that you need to change the ACLs on the object.  The interaction of this with ownership of the object is ... interesting.  People generally assume that ownership implies all access rights - but that's not necessarily what you always want.

BTW, an interesting side issue is what objects can be controlled by the various mechanisms.  Unix systems limit their richest access control to file system objects.  Other objects (e.g., System V IPC) have ad hoc mechanisms.  Plan 9 fixed this by logically moving everything into the file system space, an idea picked up in a much more limited fashion by Linux and the /proc file system.  VMS did this by making the access control mechanism a separate component and applying it fairly uniformly to all kinds of objects, not just file objects.  Windows went in the same direction but had so much backwards-compatibility crud to deal with that it could never do it uniformly.
                                                        -- Jerry
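The two points raised above, a CONTROL right that gates changes to the ACL itself and auditing of anything that touches the ACL, as an added illustration that is not from the thread (all principal, object and right names are constructed):

```python
# Added example (not from the thread): an object-centric ACL whose own modification
# is gated by a CONTROL right, as Jerry describes, with ownership NOT implying
# CONTROL. Reading or changing the ACL is audited, in the spirit of Bill's
# "alert if anything touches the ACL". All names below are constructed.

from dataclasses import dataclass, field

READ, WRITE, CONTROL = "read", "write", "control"

@dataclass
class Obj:
    name: str
    owner: str
    acl: dict = field(default_factory=dict)    # principal -> set of rights
    audit: list = field(default_factory=list)  # (who, action, outcome)

    def _log(self, who, action, ok):
        self.audit.append((who, action, "allowed" if ok else "DENIED"))

    def check(self, who, right):
        """Data access is decided solely by the ACL, never by ownership."""
        ok = right in self.acl.get(who, set())
        self._log(who, right, ok)
        return ok

    def read_acl(self, who):
        """Even looking at the ACL needs CONTROL, and the attempt is audited."""
        ok = CONTROL in self.acl.get(who, set())
        self._log(who, "read_acl", ok)
        return dict(self.acl) if ok else None

    def set_acl(self, who, principal, rights):
        """Changing the ACL needs CONTROL; the owner gets no free pass."""
        ok = CONTROL in self.acl.get(who, set())
        self._log(who, f"set_acl({principal})", ok)
        if ok:
            self.acl[principal] = set(rights)
        return ok

def demo():
    # constructed sample: alice owns the object, but only a security officer holds CONTROL
    f = Obj("payroll.db", owner="alice",
            acl={"alice": {READ, WRITE}, "secofficer": {CONTROL}})
    owner_can_change = f.set_acl("alice", "mallory", {READ})      # False: no CONTROL
    officer_can_change = f.set_acl("secofficer", "bob", {READ})   # True
    denied = [e for e in f.audit if e[2] == "DENIED"]             # what the log would alert on
    return owner_can_change, officer_can_change, f.check("bob", READ), denied
```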


