The Foresight Computer Security Fact Forum is a critical discussion of issues in computer security. This discussion is intended to cover several competing protection models, including capabilities, access control lists (ACLs), and the Java security model.
The Fact Forum uses a new web tool, the Crit Mediator, to enable fine-grained, bidirectional, typed links to be made among documents by those other than each document's author. This annotation ability is expected to greatly enhance the effectiveness of debating complex topics using the web. The mediator enables you to add comments to the papers and discussions here, and to see comments made by others.
If you are not already seeing this page through the mediator, click here or go to http://crit.org and type the URL of this page into the mediator's text box. The mediator is not limited to the computer security forum. It can be used to annotate any web page.
The discussion has been seeded with documents representing various views from invited experts. For the moment, it is organized in three parts:
Once oriented, participants are encouraged to mark up the seed documents and add new material.
The venerable Orange Book describing evaluation criteria for military-grade security
A Glossary of computer security terminology may be found here.
The current discussion addresses three models of protection: capabilities, access control lists, and the Java security model. In all cases, the views expressed are those of the author only unless explicitly stated otherwise:
Jonathan is the architect of EROS, a high-performance capability system that runs on x86 machines. He has recently completed his Ph.D. at the University of Pennsylvania.
Introduction to Capability Based Security by Marc Stiegler.
An over-simplified explanation of capabilities by Chris Peterson.
More Advanced Documents:
Capability Theory by Sound Bytes by Norm Hardy.
Norm is the chief architect of the KeyKOS secure persistent operating system.
Critiques:
Other Contributions:
Ka-Ping Yee's Security Alert
Ping is the author of the Crit Mediator. Until recently at Xerox PARC, Ping has now returned to the University of Waterloo.
We are actively seeking both introductory and in-depth documents on access control lists.
Java Security by Joseph A. Bank
Essential Reading:
Slides from JavaOne by Li Gong
Extensible Security Architectures for Java by Dan Wallach.
Now at Netscape, Dan will soon return to Princeton.
Specifications:
The Java Virtual Machine Specification by Tim Lindholm and Frank Yellin.
Other Perspectives:
Microsoft's Introducing a Common Sense Approach to Security and Trust-Based Security for Java
Netscape's main Security page, and in particular their Signing Architecture
The Princeton Java Security Page
Notes on Java Security from the University of Washington
If you have a different model you would like to see discussed, add a link to the words different protection models.
Modern computers are infected with hostile programs (viruses or Trojan horses) with disturbing regularity. What requirements must be satisfied to prevent viruses from taking hold? Can the various protection models support these requirements?
ActiveX uses Authenticode to authenticate software components, but this technology provides no protection against (unintentional) flaws or (intentional) attacks. A properly fault-contained system would never crash because an erroneous application had been installed.
Confinement is a step up from fault containment. In the confinement scenario, we want to make sure that the component cannot give our secrets away to someone else. For example, a text box control should not be able to send credit card numbers to a third party.
Mutual suspicion is a twist on confinement. In this case, the user wants to know that the component is confined, and the component author wants to know that the user cannot steal and examine the code or data used by the component.
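The confinement scenario above, as an added example (not code from the forum or from any system it lists): a hostile text-box control leaks its value when it can reach a process-wide network object, but under an object-capability design it can only use what its creator hands it, so simply withholding the network capability confines it. The Network class and the third-party host name are constructed stand-ins.

```python
class Network:
    """Stand-in for the authority to reach remote hosts (records sends, no real I/O)."""

    def __init__(self):
        self.sent = []

    def send(self, host, payload):
        self.sent.append((host, payload))


# Ambient authority: a process-wide object any code can reach, like a global socket API.
AMBIENT_NETWORK = Network()


class AmbientTextBox:
    """A hostile text box: it leaks its value through the ambient network."""

    def __init__(self):
        self.value = ""

    def set_value(self, value):
        self.value = value
        AMBIENT_NETWORK.send("third-party.example", value)  # nothing stops this


class CapTextBox:
    """Same hostile intent, but it can only use capabilities handed to it."""

    def __init__(self, network=None):
        self.value = ""
        self._network = network  # the creator decides whether this exists at all

    def set_value(self, value):
        self.value = value
        if self._network is not None:  # without the capability there is
            self._network.send("third-party.example", value)  # nothing to call


def leaked_via_ambient(secret):
    """True if a hostile control can leak `secret` under ambient authority."""
    AmbientTextBox().set_value(secret)
    return any(payload == secret for _, payload in AMBIENT_NETWORK.sent)


def leaked_via_capability(secret, grant_network):
    """True if the control leaks `secret` when the creator grants (or withholds) the network."""
    net = Network()
    CapTextBox(net if grant_network else None).set_value(secret)
    return any(payload == secret for _, payload in net.sent)
```

The capability version is confined by construction, not by inspecting the control's code: the creator's choice of what to pass in is the whole policy.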
In 1977, the National Bureau of Standards made the following statement in the report from the 1977 workshop on the Audit and Evaluation of Computer Systems:
... The point is that internal control mechanisms of current operating systems have too low integrity for them to... effectively isolate a user on the system from data that is at a 'higher' security than he is trusted... to deal with.
Multilevel security systems are designed to solve this problem. In a multilevel security system, a user must be of sufficient authority to gain access to documents. The main problem is ensuring that such a user does not transmit those documents to someone at a lower authority level. While a few such systems have been completed, neither the systems themselves nor the ideas they embody have seen widespread use.
Got another interesting challenge problem? Link it to the words another challenge problem and we'll incorporate it.
Work by Jonathan Shapiro and Sam Weber at the University of Pennsylvania has proven mathematically that capability systems can support confinement. The paper, entitled Verifying Operating System Security, is available online. We are working on making this proof available in commentable form.
Got another solution? Link it to the words another protection solution and we'll add it.
The Foresight Fact Forum was inspired by the Science Court concept, originated by Prof. Arthur Kantrowitz, an advisor to Foresight Institute now at Dartmouth College, combined with hypertext publishing concepts from Ted Nelson, Doug Engelbart, Eric Drexler, and others.
Foresight Institute considers the building of reliable, secure software to be essential in a world of increasingly-ubiquitous computing. For more on Foresight Institute and how we are preparing for coming technologies including nanotechnology, see the main Foresight web site.