Horton’s Who Done It? · 2016. 12. 30. · Horton’s Who Done It? Communicating Authority with...
Transcript of Horton’s Who Done It? · 2016. 12. 30. · Horton’s Who Done It? Communicating Authority with...
Horton’s Who Done It?
Communicating Authority withResponsibility Tracking
Mark S. Miller Google Research1
Jed Donnelley LBNL/NERSCAlan H. Karp HP Labs
Usenix HotSec Workshop, August 7, 20071Work done while at HP Labs
Alice
Alice
Doc Chapters:
Chapter 1…
Chapter 1…
Communicating Object Accesswith Delegation
Initial Conditions:Alice has: 1. A capability to send to Bob and 2. A capability to a document with chapters.
Alice Bob
Alice Bob
Doc Chapters:
Chapter 1…
Alice
Capability Communication of theDocument Reference
Alice
here’s( )
Chapter 1…
Alice sends a message to Bob containinga reference to the document.
Alice BobAlice
Alice
Doc Chapters:
Chapter 1…
Chapter 1…
Alice-
>Bob
Alice can’t act with Bob’s responsibilityBob can’t act with Alice’s responsibility
Horton Magic: Bob Receives aDelegated Capability
Delegating Least Authority
A B
C
Delegating Least Authority
A B
C
b.foo(c)
Delegating Least Authority
A B
C
foo( )
Delegating Least Authority
A B
C
Delegating Least Authority
A B
C
• Msgs are onlymeans tocause effects
• Refs controlauthority
• Leverage OOpatterns
Delegating Least Authority
A B
C
• Msgs are onlymeans tocause effects
• Refs controlauthority
• Leverage OOpatterns
• Anonymous
Two styles, relative strengths
Program decisionsFine-grainedBuilt for safetyLeast authorityVirus resistantAuthorization-based
Object-capabilities(ocaps)
Human decisionsLarge-grainedBuilt for damage controlMost responsibilitySpam resistantIdentity-based
ACLs
?
Two styles, relative strengths
Program decisionsFine-grainedBuilt for safetyLeast authorityVirus resistantAuthorization-based
Object-capabilities(ocaps)
Human decisionsLarge-grainedBuilt for damage controlMost responsibilitySpam resistantIdentity-based
ACLs
Polaris, PlashBitfrost?
Two styles, relative strengths
Program decisionsFine-grainedBuilt for safetyLeast authorityVirus resistantAuthorization-based
Object-capabilities(ocaps)
Human decisionsLarge-grainedBuilt for damage controlMost responsibilitySpam resistantIdentity-based
ACLs+ “Hybrid” Cap Systems (SCAP, Sys/38)
Two styles, relative strengths
Program decisionsFine-grainedBuilt for safetyLeast authorityVirus resistantAuthorization-based
Object-capabilities(ocaps)
Human decisionsLarge-grainedBuilt for damage controlMost responsibilitySpam resistantIdentity-based
ACLs
?
Two styles, relative strengths
Program decisionsFine-grainedBuilt for safetyLeast authorityVirus resistantAuthorization-based
Object-capabilities(ocaps)
Human decisionsLarge-grainedBuilt for damage controlMost responsibilitySpam resistantIdentity-based
ACLs
Horton
Alice
Can’t vet code oractions of eachobject.
Alice
Can’t vet code oractions of eachobject.
Alice
Can’t vet code oractions of eachobject.
Alice
Can’t vet code oractions of eachobject.
Alice
Can’t vet code oractions of eachobject.
Alice
Can’t vet code oractions of eachobject.
Alice
Can’t vet code oractions of eachobject.
Alice
Can’t vet code oractions of eachobject.
Alice
Can’t vet code oractions of eachobject.
Alice
A
Can’t vet code oractions of eachobject.
Aggregate intolong-livedresponsibleidentity.
Story Needs Four Characters
Alice & Bob• Old patterns for identity-based control: identity tunnel
Alice introduces Bob & Carol• Builds new relationships from old
Carol also hears of Bob from Dave• Corroborates Bob’s independence from Alice
Two-party intermediation
A message travels through anidentity tunnel
A B
Bob
Alice Bob
Alice
A B
Bob
Alice Bob
Aliceb.foo()
A Bfoo()
Bob
Alice Bob
Alice
A B
Bob
Alice Bob
Alice
foo()
Do I still use Bob’s services?
A B
Bob
Alice Bob
Alice
Bob, deliver to Bfoo()
A B
Bob
Alice Bob
Alice
deliver(“foo”,[])
A B
Bob
Alice Bob
Alice
foo()
Do I still honorAlice’s requests?
A B
Bob
Alice Bob
Alice
Deliver toB for Alice
foo()
A B
Bob
Alice Bob
Alice
foo()
A B
Alice Bob
Three-party intermediation
Build new relationships from old
A B
Alice Bob
C
Carol
A B
Alice Bob
C
Carol
b.foo(c)
A B
Alice Bob
C
Carol
foo( )
A B
Alice Bob
C
Carolintro( )
Bob
Carol, pleaseprovide Bobaccess to C
foo( )
A B
Alice Bob
C
Carolintro( )
Bob
Carol, pleaseprovide Bobaccess to C
Alice needs tunnel for Bob
foo( )
A B
Alice Bob
C
Carolintro( )
Bob Gift wrap itfor Bob
Carol, pleaseprovide Bobaccess to C
foo( )
A B
Alice Bob
C
Carolintro( )
Bob Gift wrap itfor Bob
To BobFrom Carol
Carol, pleaseprovide Bobaccess to C
foo( )
A B
Alice Bob
C
Carolintro( )
Bob return Bob’sgift
To BobFrom Carol
Carol, pleaseprovide Bobaccess to C
foo( )
A B
Alice Bob
C
Carol
To BobFrom Carol
Bob, deliver“fo__ to B with
Carol’s ( )foo( )
A B
Alice Bob
C
Carol
To BobFrom Carol
deliver(“foo”,[[ , ]])
Carol
A B
Alice Bob
C
Carol
To BobFrom Carol
deliver(“foo”,[[ , ]])
Carol
Unwrap Carol’sgift from Alice
A B
Alice Bob
C
Carol
foo( )
Unwrap Carol’sgift from Alice
A B
Alice Bob
C
Carol
foo( )
A B
Alice Bob
C
Carol
A B
Alice
Bob
C
Carol
Is Bob a pseudonymfor Alice?
Four party intermediation
Only corroborating introductionslet Alice shed blame
A B
Alice Bob
C D
Carol Dave
Bob
Better Identities than ACLs
Fully decentralized• No global administrator or name server
Track bilateral responsibility• For requests and for service• Also tracks delegation chain
Sybil resistant aggregation strategyCorroboration-driven disaggregation
Conclusions
Delegate authority, bound to responsibility forusing that authority.
Fine-grain least authority for safety.Large-grain identities for damage control.
Reference implementations in Java & E: http://erights.org/download/horton/
Three-party intermediation
The details
Rights Amplification
• Inspired by PK• Simple oo pattern• No explicit crypto
• Can representresponsibleidentity
b.foo(c)
Carol, pleaseprovide Bobaccess to C
Carol, pleaseprovide Bobaccess to C
Bob, pleaseuse Carol’s C
Make a stubfor Bob’s use
Make a stubfor Bob’s use
Gift wrapit for Bob
wrap(s3, whoBob, beCarol)
wrap(s3, whoBob, beCarol)
pr
wrap(s3, whoBob, beCarol)
pr
seal( )
wrap(s3, whoBob, beCarol)
pr
return gift
pr
pr
unwrap( , whoCarol, beBob)
pr
unwrap( , whoCarol, beBob)
pr
unseal( )
unwrap( , whoCarol, beBob)
pr
unwrap( , whoCarol, beBob)
pr
unwrap( , whoCarol, beBob)
pr
seal(
)
unwrap( , whoCarol, beBob)
pr
unwrap( , whoCarol, beBob)
pr
( )
unwrap( , whoCarol, beBob)
pr
unwrap( , whoCarol, beBob)
pr
unwrap( , whoCarol, beBob)
pr
( )
unwrap( , whoCarol, beBob)
makeProxy(..)
makeProxy(..)
E.call(..)
A B
Alice Bob
C D
Carol Dave
B
Bob
C D
Carol Dave
B
Bob
C D
Carol Dave
CapWiki with attribution
The Web: Good, Bad, and Ugly:
1. Good: Internet hypertext, wonderful!
2. Bad: Username/passwords for everysite that has any sort of access control.
3. Ugly: Hard to share limited access tonetwork objects. Hard to combinenetwork objects with access restrictions.
Sends:BobSendEveSendIvanSend
Alice’s Domain
CapWikiFinances:InvestorMarket
Alice’s
Alice’s DomainCapWiki:CapWiki Stuff:ConceptsFinancesOther
Sends:BobSendEveSendIvanSend
Sends:AliceSendDaveSend
CapWikiFinances:InvestorMarket
Alice’s Domain Bob’s Domain
Alice’s
Receives:AliceReceive
CapWiki:CapWiki Stuff:ConceptsFinancesOther
Sends:BobSendEveSendIvanSend
CapWiki:CapWiki Stuff:ConceptsFinancesOther Sends:
AliceSendDaveSend
CapWikiFinances:InvestorMarket
Alice’s Domain Bob’s Domain
Alice’s
Receives:*AliceReceive
Sends:BobSendEveSendIvanSend
CapWiki:CapWiki Stuff:ConceptsFinancesOther
Receives:AliceReceive
Sends:AliceSendDaveSend
CapWikiFinances:InvestorMarket
Alice’s Domain Bob’s Domain
Alice’s
Alice BobSends:BobSendEveSendIvanSend
CapWiki:CapWiki Stuff:ConceptsFinancesOther
Receives:AliceReceive
Sends:AliceSendDaveSend
CapWikiFinances:InvestorMarket
Alice’s Domain Bob’s Domain
Alice’s
Alice Bob
Alice Bob
Sends:BobSendEveSendIvanSend
CapWiki:CapWiki Stuff:ConceptsFinancesOther
Receives:AliceReceive
Sends:AliceSendDaveSend
CapWikiFinances:InvestorMarket
Alice’s Domain Bob’s Domain
Alice’s
Here are theCapWiki:FinancesDave
Receives:BobReceiveDaves’s Domain
Bob’s
Sends:BobSendEveSendIvanSend
Alice Bob
Alice Bob
CapWiki:CapWiki Stuff:ConceptsFinancesOther
Receives:AliceReceive
Sends:AliceSendDaveSend
CapWikiFinances:InvestorMarket
Alice’s
Here are theCapWiki:FinancesDave
Receives:* BobReceiveDaves’s Domain
Bob’s
Sends:BobSendEveSendIvanSend
Alice’s Domain Bob’s Domain
Alice Bob
Alice Bob
CapWiki:CapWiki Stuff:ConceptsFinancesOther
Receives:AliceReceive
Sends:AliceSendDaveSend
CapWikiFinances:InvestorMarket
Alice’s
Here are theCapWiki:FinancesDave
Receives:BobReceive
Bob’s
Bob D
ave
Sends:BobSendEveSendIvanSend
Daves’s Domain
Alice’s Domain Bob’s Domain
Alice Bob
Alice Bob
CapWiki:CapWiki Stuff:ConceptsFinancesOther
Receives:*AliceReceive
Sends:AliceSendDaveSend
CapWikiFinances:InvestorMarket
Alice’s
Here are theCapWiki:FinancesDave
Receives:BobReceive
Bob’s
Bob D
ave
Alice Bob Dave
Sends:BobSendEveSendIvanSend
Alice’s Domain Bob’s Domain
Daves’s Domain
Alice Bob
Alice Bob
Better Web Access Control• No more passwords – Send a <me>Send to a
<service>Send. They know who you are, youknow who they are.
• Side benefit – SPAM resistance. Don’t like asource of SPAM, cut it off to any delegationlevel.
• Principle Of Least Authority (POLA) sharing thatcan facilitate cross site services.
A B
Alice Bob
C
Carol
Is Carol a pseudonymfor Alice?
A B
Alice Bob
C
Carol
A B
Alice Bob
C D
Carol Dave
A B
Alice Bob
C D
Carol Dave
bar( )
A B
Alice Bob
C D
Carol Dave
A B
Alice Bob
C D
Carol Dave
Bob
Carol