Horton's Who Done It? - PowerPoint PPT Presentation

Description: Horton's Who Done It? Communicating Authority with Responsibility Tracking ... Polaris, Plash. Two styles, relative strengths. Automated. Fine-grained. Built for safety ... (PowerPoint PPT presentation)
Slides: 115
Provided by: marksmille

Transcript and Presenter's Notes
1
Horton's Who Done It?
  • Communicating Authority with Responsibility Tracking

Mark S. Miller (Google Research¹), Jed Donnelley (LBNL/NERSC), Alan H. Karp (HP Labs)
Usenix HotSec Workshop, August 7, 2007
¹ Work done while at HP Labs
2
Communicating Object Access with Delegation
[Figure: Alice and Bob; Alice holds Doc → Chapters → Chapter 1]
Initial conditions: Alice has (1) a capability to send to Bob and (2) a capability to a document with chapters.
3
Capability Communication of the Document Reference
[Figure: Alice sends Bob "here's( )" carrying the Doc → Chapters → Chapter 1 reference]
Alice sends a message to Bob containing a reference to the document.
4
Horton Magic: Bob Receives a Delegated Capability
[Figure: Alice, Bob, Doc → Chapters → Chapter 1; Bob's reference is labeled "Alice→Bob"]
Alice can't act with Bob's responsibility. Bob can't act with Alice's responsibility.
5
Delegating Least Authority
[Figure: objects A, B, C]
6
Delegating Least Authority
[Figure: A calls b.foo(c)]
7
Delegating Least Authority
[Figure: foo( ) arrives at B carrying a reference to C]
8
Delegating Least Authority
[Figure: A, B, C after the delegation]
9
Delegating Least Authority
  • Msgs are only means to cause effects
  • Refs control authority
  • Leverage OO patterns
[Figure: A, B, C]
10
Delegating Least Authority
  • Msgs are only means to cause effects
  • Refs control authority
  • Leverage OO patterns
  • Anonymous
[Figure: A, B, C]
11
Alice
  • Can't vet code or actions of each object.

20
Alice
  • Can't vet code or actions of each object.
  • Aggregate into long-lived responsible identity.
[Figure: A]
21
Two styles, relative strengths

Object-capabilities (ocaps)        ACLs
  • Automated                      • Human decisions
  • Fine-grained                   • Large-grained
  • Built for safety               • Built for damage control
  • Least authority                • Most responsibility
  • Virus resistant                • Spam resistant
  • Authorization-based            • Identity-based

?
23
Two styles, relative strengths (same two columns)
Polaris, Plash
24
Two styles, relative strengths (same two columns)
Hybrid Cap Systems (SCAP, Sys/38)
26
Two styles, relative strengths (same two columns)
Horton
27
Story Needs Four Characters
  • Alice, Bob: old patterns for identity-based control
  • Alice introduces Bob to Carol: builds new relationships from old
  • Carol also hears of Bob from Dave: corroborates Bob's independence from Alice

28
Two-party intermediation
  • A message travels through an identity tunnel

29
[Figure: Alice's side holds A, Bob's side holds B; each side also carries the other's name]
30
[Figure: A calls b.foo()]
31
[Figure: foo() on Alice's side]
32
Do I still use Bob's services?
[Figure: foo() on Alice's side]
33
Bob, deliver to B: foo()
34
[Figure: deliver(foo, ) arrives on Bob's side]
35
Do I still honor Alice's requests?
[Figure: foo() on Bob's side]
36
Deliver to B for Alice: foo()
37
[Figure: foo() reaches B]
38
[Figure: Alice, Bob; A, B]
39
Three-party intermediation
  • Build new relationships from old

40
[Figure: Alice's side holds A, Bob's side holds B, Carol's side holds C]
41
[Figure: A calls b.foo(c)]
42
[Figure: foo( ) with the reference to C on Alice's side]
43
Carol, please provide Bob access to C
[Figure: foo(?) pending on Alice's side; intro( ) sent to Carol naming Bob]
44
Carol, please provide Bob access to C
Alice needs tunnel for Bob
45
Carol, please provide Bob access to C
Gift wrap it for Bob
46
Carol, please provide Bob access to C
Gift wrap it for Bob
[Figure: gift labeled "To Bob From Carol"]
47
Carol, please provide Bob access to C
return Bob's gift to Alice
48
Bob, deliver foo to B with Carol's ( )
[Figure: foo( ) travels with the gift "To Bob From Carol"]
49
[Figure: deliver(foo, , ) arrives on Bob's side with the gift "To Bob From Carol" and Carol's name]
50
Unwrap Carol's gift from Alice
51
Unwrap Carol's gift from Alice
[Figure: foo( ) with a reference to C, now on Bob's side]
52
[Figure: foo( ) reaches B with a reference to C]
53
[Figure: Alice, Bob, Carol; A, B, C]
54
Four party intermediation
  • Only corroborating introductions let Alice shed
    blame

55
Is Bob a pseudonym for Alice?
[Figure: Alice, Bob, Carol; A, B, C]
56
Is Carol a pseudonym for Alice?
[Figure: Alice, Bob, Carol; A, B, C]
57
[Figure: Alice, Bob, Carol; A, B, C]
58
[Figure: Dave joins with D]
59
[Figure: bar( ) sent]
60
[Figure: Alice, Bob, Carol, Dave; A, B, C, D]
61
[Figure: Alice, Bob, Carol, Dave; A, B, C, D; additional label: Bob]
62
[Figure: Alice, Bob, Carol, Dave; A, B, C, D; additional labels: Carol, Bob]
63
Better Identities than ACLs
  • No global administrator or name server
  • Track bilateral responsibility: for requests and for service
  • Track delegation chain: revoke only improperly delegated rights
  • Sybil resistant aggregation strategy
  • Corroboration-driven disaggregation

64
Conclusions
  • Fine-grain least authorizations for safety.
  • Large-grain identities for damage control.
  • Horton is a protocol scaffold on which to hang identity-based policies, transparently to interacting app-objects.
  • Supports delegating narrow authority, while assigning responsibility for using that authority.

66
Three-party intermediation
  • The details

67
Rights Amplification
  • Inspired by PK (public key)
  • Simple OO pattern
  • No explicit crypto
  • Can represent responsible identity

69
b.foo(c)
71
Carol, please provide Bob access to C
73
Bob, please use Carol's C
75
Make a stub for Bob's use
77
Gift wrap it for Bob
78
wrap(s3, whoBob, beCarol)
80
wrap(s3, whoBob, beCarol)
seal( )
82
return gift
84
unwrap( , whoCarol, beBob)
85
unwrap( , whoCarol, beBob)
unseal( )
88
unwrap( , whoCarol, beBob)
seal( )
95
makeProxy(..)
97
E.call(..)
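The three-party exchange of slides 40 to 53 and the wrap/unwrap sequence of slides 67 to 97, worked through as an added example. This is my own Python model, not the paper's E code: the names Vat, Stub, Proxy, Who, Be, Gift, wrap, unwrap and make_brand_pair are assumptions chosen to mirror the slide vocabulary, and each identity is modeled with two brand pairs (one so that anyone holding a Who can seal a gift only that principal's Be can open, one so that only the Be can sign and any Who holder can verify); the paper's E objects are organized differently and are not reproduced here.

```python
# Added example (not the paper's E code): a toy Python model of Horton's three-party
# intermediation; all class and function names here are my own, not the paper's.
from collections import namedtuple
Box = namedtuple("Box", "brand content")  # E's box hides its content; Python cannot

def make_brand_pair():
    """E-style brand pair: seal(x) -> box; unseal(box) -> x, only for this brand."""
    brand = object()
    def unseal(box):
        if not isinstance(box, Box) or box.brand is not brand:
            raise PermissionError("box was not sealed with this brand")
        return box.content
    return (lambda content: Box(brand, content)), unseal

# Rights amplification as identity (assumed layout: two brand pairs per principal).
Who = namedtuple("Who", "name seal_to verify_from")  # public: seal FOR me, verify FROM me
Be = namedtuple("Be", "who unseal_to sign_from")     # private: open what is for me, sign as me
Gift = namedtuple("Gift", "box from_who")            # travels in place of a reference

def make_identity(name):
    seal_to, unseal_to = make_brand_pair()      # anyone holding Who can seal for me
    sign_from, verify_from = make_brand_pair()  # only Be can sign; any Who holder verifies
    who = Who(name, seal_to, verify_from)
    return who, Be(who, unseal_to, sign_from)

def wrap(stub, who_recipient, be_sender):    # provably from sender, openable only by recipient
    return who_recipient.seal_to(be_sender.sign_from(stub))

def unwrap(gift, who_sender, be_recipient):  # fails without recipient's Be or sender's signature
    return who_sender.verify_from(be_recipient.unseal_to(gift))

class Vat:  # one participant: identity, revocation list and "who done it" log
    def __init__(self, name):
        self.who, self.be = make_identity(name)
        self.revoked = set()  # names whose requests this vat no longer honors
        self.log = []         # (requester, verb, target)

class Stub:  # lives in the owner's vat; fronts one local object for exactly one remote Who
    def __init__(self, vat, target, for_who):
        self.vat, self.target, self.for_who = vat, target, for_who
    def intro(self, who_new):  # "Carol, please provide Bob access to C": new stub, gift-wrapped
        self.vat.log.append((self.for_who.name, "intro " + who_new.name, self.target.name))
        return wrap(Stub(self.vat, self.target, who_new), who_new, self.vat.be)
    def deliver(self, verb, args):  # "Do I still honor this requester?", unwrap gifts, call
        if self.for_who.name in self.vat.revoked:
            raise PermissionError(f"{self.vat.who.name} no longer honors {self.for_who.name}")
        self.vat.log.append((self.for_who.name, verb, self.target.name))
        local = [Proxy(self.vat, unwrap(a.box, a.from_who, self.vat.be), a.from_who)
                 if isinstance(a, Gift) else a for a in args]
        return getattr(self.target, verb)(*local)

class Proxy:  # lives in the holder's vat; forwards calls to a stub in the owner's vat
    def __init__(self, vat, stub, owner_who):
        self.vat, self.stub, self.owner_who = vat, stub, owner_who
    def call(self, verb, *args):  # "Alice needs a tunnel for Bob": ask each arg's owner to intro
        packed = [Gift(a.stub.intro(self.owner_who), a.owner_who) if isinstance(a, Proxy) else a
                  for a in args]
        return self.stub.deliver(verb, packed)

class B:
    name = "B"
    def foo(self, c):  # B reaches C only through the proxy Bob's vat built for it
        return "B.foo -> " + c.call("bar")

class C:
    name = "C"
    def bar(self):
        return "C.bar"

def setup():  # initial conditions: Alice already holds B (Bob's stub) and C (Carol's stub)
    alice, bob, carol = Vat("Alice"), Vat("Bob"), Vat("Carol")
    b = Proxy(alice, Stub(bob, B(), alice.who), bob.who)
    c = Proxy(alice, Stub(carol, C(), alice.who), carol.who)
    return alice, bob, carol, b, c

def _denied(thunk):
    try:
        thunk()
    except PermissionError:
        return True
    return False

def run_story():  # the slides' b.foo(c); Bob's log blames Alice, Carol's log blames Bob
    alice, bob, carol, b, c = setup()
    return b.call("foo", c), bob.log, carol.log

def alice_cannot_open_bobs_gift():  # Alice relays the gift but holds no beBob
    alice, bob, carol, b, c = setup()
    return _denied(lambda: unwrap(c.stub.intro(bob.who), carol.who, alice.be))

def bob_rejects_forged_provenance():  # a gift signed by Alice is not Carol's
    alice, bob, carol, b, c = setup()
    forged = wrap(Stub(alice, C(), bob.who), bob.who, alice.be)
    return _denied(lambda: unwrap(forged, carol.who, bob.be))

def revocation_is_per_delegation():  # Carol cuts Bob off; Alice's own path to C survives
    alice, bob, carol, b, c = setup()
    carol.revoked.add("Bob")
    return _denied(lambda: b.call("foo", c)), c.call("bar")
```

run_story() returns "B.foo -> C.bar" together with the two logs: Bob's stub records Alice as the requester of foo on B, and Carol's records Alice's introduction of Bob followed by Bob, not Alice, as the requester of bar on C, which is the "who done it" the slides are after. The three checks show the properties the gift wrapping buys: Alice, who carries the gift, cannot open it without beBob; a gift Alice signs herself fails Bob's whoCarol check; and Carol revoking Bob breaks only the delegated path, leaving Alice's own access to C intact.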
99
[Figure: Alice, Bob, Carol, Dave; A, B, C, D]
100
[Figure: Bob, Carol, Dave; B, C, D]
102
CapWiki with attribution
103
The Web: Good, Bad, and Ugly
  • Good: Internet hypertext, wonderful!
  • Bad: Username/passwords for every site that has any sort of access control.
  • Ugly: Hard to share limited access to network objects. Hard to combine network objects with access restrictions.

104
[Figure: Alice's Domain. Sends: BobSend, EveSend, IvanSend]
105
[Figure: Alice's Domain. CapWiki: Stuff, Concepts, Finances, Other. Sends: BobSend, EveSend, IvanSend. CapWiki Finances: Investor, Market]
106
[Figure: Alice's Domain (CapWiki: Stuff, Concepts, Finances, Other; Sends: BobSend, EveSend, IvanSend; CapWiki Finances: Investor, Market) and Bob's Domain (Receives: AliceReceive; Sends: AliceSend, DaveSend)]
110
[Figure: as on slide 106, plus Dave's Domain (Receives: BobReceive); Bob sends "Here are the CapWiki Finances, Dave"]
114
Better Web Access Control
  • No more passwords: send a <me>Send to a <service>Send. They know who you are, you know who they are.
  • Side benefit: SPAM resistance. Don't like a source of SPAM? Cut it off at any delegation level.
  • Principle Of Least Authority (POLA) sharing that can facilitate cross-site services.