CapTP: Distributed Capability Security Mark Miller, Marc Stiegler CTO & COO, Combex, Inc. www.erights.org www.combex.com.


1 CapTP: Distributed Capability Security
Mark Miller, Marc Stiegler
CTO & COO, Combex, Inc.
www.erights.org www.combex.com

2 CapTP: Capability Transport Protocol
● Distributed Object-Capability Security
● Communicating Event Loops
● Asynchronous Pipelined Promises
Capability / Object / Message / Vat / Process / Machine

3 Overview of CapTP
● Distributed Capability Security
------------- as time permits: --------------
● Communicating event loops
  Deadlock-free, non-blocking concurrency control
● Asynchronous Pipelined Promises
  Massive latency compensation
  “Whiteboard” animation
● Remaining features
  Partition & recovery support, Distr equality
  Adversarial distr GC, Partially ordered delivery

4 Distributed Capability Overview
● What went wrong?
● What are object-capabilities?
● What aren't they?
● Why capabilities?
● What's been set right?
● Distributed caps, how?
● Patterns and examples

5 What Went Wrong?
● Walls + holes are no architecture
● ACLs can't do POLA (Principle of Least Authority)
  The cashier & the wallet
● Layering Failure:

6 What Are Object-Capabilities?
● By Introduction
  – ref to Carol
  – ref to Bob
  – decides to share
  Alice says: bob.foo(carol)
● By Parenthood
● By Construction
● By Initial Conditions
● Absolute Encapsulation
● Only source of authority

7 What Aren't They?
“Capability Myths Demolished”
http://zesty.ca/capmyths/usenix.pdf
Equivalence? Revocability? Confinement?
Capabilities as Rows / Capabilities as Keys

8 Capability Myths Demolished
Models mostly missed virtues of actual systems

9 Capabilities == O-O Security
● Capability discipline -> good software engineering
● Good software engineering -> capability discipline
● Modularity -> omit needless dependencies
  Required trust is a form of dependency
  Information hiding -> “need to know”
  POLA -> “need to do”
  Security is the extreme of modularity
● Security Abstraction Mechanisms
● Patterns of Cooperation Without Vulnerability

10 What's Been Set Right?
● Designation + Authority is an architecture
  Avoids “Confused Deputy” problems
● POLA emerges naturally
  Acts of designation also convey least authority
● Direct Correspondence
  Reify customer's “rights” as objects
  Business logic built as security abstractions
  “Capability-based Financial Instruments” at FC2000

11 Distributed Caps, How?
● Solving both impostor problems
● Fully decentralized designation and authorization
● Mobility: (Fingerprint + hint) as network address


13 Distributed Cap Pattern: The Revocable Facet
    def makeRevoker(var precious) :any {
        def r {
            # Forward one message to the current target
            to pass(verb, args) :any { E.send(precious, verb, args) }
            # Drop the reference: every holder of f loses access at once
            to revoke() { precious := null }
        }
        # f catches every message and routes it through r
        def f {
            match [verb, args] { r.pass(verb, args) }
        }
        [f, r]
    }
“E in a Walnut” www.skyhunter.com/marcs/ewalnut.html
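The revocable-facet pattern of slide 13, rendered in Python as an added example (this is not the slide's E code; `make_revoker`, `Revoked` and the `Resource` sample object are names chosen here). The forwarder carries no authority of its own: every call routes through the revoker, which cuts the link by dropping its reference, so the grantee cannot recover it.

```python
"""Revocable-facet pattern of slide 13 in Python (added example; not the
slide's E code). The forwarder holds no authority of its own: every call
routes through the revoker, which cuts the link by dropping its reference."""


class Revoked(Exception):
    """Raised when a message arrives through a forwarder that has been revoked."""


def make_revoker(precious):
    """Return (forwarder, revoker) for `precious` (stand-in for E's makeRevoker)."""
    state = {"target": precious}

    class Revoker:
        # E's `to pass(verb, args)`: forward one message to the current target.
        def pass_(self, verb, args):
            target = state["target"]
            if target is None:
                raise Revoked(verb)
            return getattr(target, verb)(*args)

        # E's `to revoke()`: drop the reference; no holder of `f` can recover it.
        def revoke(self):
            state["target"] = None

    revoker = Revoker()

    class Forwarder:
        # E's `match [verb, args]`: catch every message and route it via pass_.
        def __getattr__(self, verb):
            if verb.startswith("_"):              # leave dunder lookups alone
                raise AttributeError(verb)
            return lambda *args: revoker.pass_(verb, args)

    return Forwarder(), revoker


class Resource:
    """Constructed sample 'precious' object: an append-only log."""
    def __init__(self):
        self.log = []

    def write(self, text):
        self.log.append(text)
        return len(text)


def demo():
    """Hand out a facet, use it, revoke it, and confirm the grantee is cut off."""
    resource = Resource()
    facet, revoker = make_revoker(resource)
    wrote = facet.write("hello")              # works while the facet is live
    revoker.revoke()
    try:
        facet.write("after revoke")
        cut_off = False
    except Revoked:
        cut_off = True
    return wrote, cut_off, list(resource.log)
```

The grantor keeps `revoker` and hands out only `facet`; because the facet reaches the resource solely through `revoker.pass_`, revocation is immediate and global for every copy of the facet, which is the property slide 7's "Revocability?" question is about.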

14 Distributed Cap Example: Money
    def makeMint(name) :any {
        # Only purses of this mint can unseal each other's decr facets
        def [sealer, unsealer] := makeBrandPair(name)
        def mint {
            to makePurse(var balance :(integer >= 0)) :any {
                # Withdraw; the guard rejects amounts outside 0..balance
                def decr(amount :(0..balance)) { balance -= amount }
                def purse {
                    to getBalance() :any { balance }
                    to sprout() :any { mint.makePurse(0) }
                    to getDecr() :any { sealer.seal(decr) }
                    to deposit(amount :int, src) {
                        unsealer.unseal(src.getDecr())(amount)
                        balance += amount
                    }
                }
                purse
            }
        }
        mint
    }
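The sealer/unsealer money pattern of slide 14, rendered in Python as an added example (not the slide's E code and not the Ode's). `make_brand_pair` stands in for E's `makeBrandPair`; `make_mint`, the purse methods and the `demo` scenario are names chosen here. One caveat the lead-in owes the reader: Python has no absolute encapsulation, so the sealed box's contents remain reachable by reflection; the example shows the structure of the pattern, not a Python-level guarantee.

```python
"""Sealer/unsealer money pattern of slide 14 in Python (added example; not the
slide's E code). `make_brand_pair` stands in for E's `makeBrandPair`: only the
matching unsealer recovers what a sealer sealed, so a purse accepts deposits
only from purses of the same mint. Caveat: Python has no absolute encapsulation
(the box contents are reachable by reflection); the structure is the point."""


def make_brand_pair(name):
    """Return (sealer, unsealer) that share one private brand."""

    class SealedBox:
        __slots__ = ("_contents",)

        def __init__(self, contents):
            self._contents = contents

    class Sealer:
        def seal(self, obj):
            return SealedBox(obj)

    class Unsealer:
        def unseal(self, box):
            if type(box) is not SealedBox:       # other brand, or a forgery
                raise TypeError(f"not sealed by {name}")
            return box._contents

    return Sealer(), Unsealer()


def make_mint(name):
    """Stand-in for E's makeMint: purses of one mint move money among themselves."""
    sealer, unsealer = make_brand_pair(name)

    class Mint:
        def make_purse(self, balance):
            if not isinstance(balance, int) or balance < 0:
                raise ValueError("balance must be a non-negative integer")
            state = {"balance": balance}

            def decr(amount):
                # E guard `amount :(0..balance)`: no negatives, no overdraft
                if not isinstance(amount, int) or not 0 <= amount <= state["balance"]:
                    raise ValueError("amount out of range")
                state["balance"] -= amount

            class Purse:
                def get_balance(self):
                    return state["balance"]

                def sprout(self):
                    return mint.make_purse(0)       # empty purse of this mint

                def get_decr(self):
                    return sealer.seal(decr)        # withdrawal authority, sealed

                def deposit(self, amount, src):
                    # Fails unless src's decr was sealed by this mint's sealer.
                    unsealer.unseal(src.get_decr())(amount)
                    state["balance"] += amount

            return Purse()

    mint = Mint()
    return mint


def demo():
    """Legitimate transfer, then an overdraft, a foreign mint and a counterfeit."""
    alice = make_mint("Carol").make_purse(100)
    bob = alice.sprout()
    bob.deposit(30, alice)                           # 30 moves from alice to bob
    out = {"after_transfer": (alice.get_balance(), bob.get_balance())}

    try:
        alice.deposit(200, bob)                      # bob only has 30
    except ValueError:
        out["overdraft"] = "rejected"

    try:
        alice.deposit(10, make_mint("Mallet").make_purse(1000))
    except TypeError:
        out["foreign_mint"] = "rejected"

    class Counterfeit:                               # constructed: mimics the purse API
        def get_decr(self):
            return lambda amount: None

    try:
        alice.deposit(10, Counterfeit())
    except TypeError:
        out["counterfeit"] = "rejected"

    out["final"] = (alice.get_balance(), bob.get_balance())
    return out
```

Note the order inside `deposit`: the source purse is debited first, and only if that succeeds is the destination credited, so a failed unseal or an overdraft leaves both balances untouched. Holding a purse conveys only the ability to withdraw from it and deposit into it; nothing in the pattern lets a holder mint money, because `decr` is never handed out unsealed.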

15 Status & Experiences
● CapTP implemented for Java and E, in progress for Squeak
● Switching to WOS serialization standard
● Capability-secure distr desktop for DARPA
● Decentralized graphical social virtual reality
  Extensible massively multiplayer game
● Global high-security enterprise infrastructure
● Tutorial: 5 page capability-secure chat

16 Overview of CapTP
✔ Distributed Capability Security
------------- as time permits: --------------
● Communicating event loops
  Deadlock-free, non-blocking concurrency control
● Asynchronous Pipelined Promises
  Massive latency compensation
  “Whiteboard” animation
● Remaining features
  Partition & recovery support, Distr equality
  Adversarial distr GC, Partially ordered delivery

17 Why no Threads & Locks?
Scylla and Charybdis

18 Communicating Event Loops
Deadlock-free, non-blocking concurrency control
Known near reference: “Immediate” call-return
  val := bob.foo(carol)
  Sequential stacking, no synchronized blocks
  Happens now
  Partition impossible
Possibly remote reference: “Eventual” one-way send
  promise := bob <- foo(carol)
  Event-loop queuing, no synchronized blocks
  Happens later, and in order...
  … unless partitioned

19 Distributed Queuing

20 Asynchronous Pipelined Promises
Massive latency compensation
  t3 := (x <- a()) <- c(y <- b())
Expands to...
  t1 := x <- a()
  t2 := y <- b()
  t3 := t1 <- c(t2)
Message always moves towards arrowhead.
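The eventual-send and promise semantics of slides 18 and 20, modelled in a single-process Python simulation as an added example (not CapTP or E code). `Vat`, `Promise`, `send`, `when` and the `Account` sample object are names chosen here; `send` plays E's `<-`, `when` plays E's when-catch. A message sent to an unresolved promise is parked on that promise and forwarded once it fulfills, which reproduces the ordering and latency-hiding behaviour locally; CapTP proper ships such a message to the remote vat ahead of the promise's resolution. The demo runs the slide's `t3 := (x <- a()) <- c(y <- b())` and also shows the "unless partitioned" case from slide 18: a delivery that fails breaks its promise, and anything sent on that promise is broken in turn.

```python
"""Communicating event loops and pipelined promises (slides 18 and 20) as a
single-process simulation. Added example, not CapTP or E code: one Vat, one
FIFO of deliveries, no network. A message sent to an unresolved promise is
parked on it and forwarded when it fulfills."""
from collections import deque


class Promise:
    def __init__(self):               # pending | fulfilled | broken
        self.state, self.value, self.waiting = "pending", None, []


class Vat:
    def __init__(self):
        self.queue, self.log = deque(), []   # pending deliveries; delivery trace

    def send(self, target, verb, *args):
        # Eventual send `target <- verb(args)`: queue it, return a promise, never block.
        result = Promise()
        if isinstance(target, Promise):
            # Pipelining: park the message on the promise; forwarded on fulfillment.
            self._on_resolve(target, lambda: self._forward(target, verb, args, result))
        else:
            self.queue.append((target, verb, args, result))
        return result

    def when(self, promise, callback):
        # `when (promise) -> done(v) { callback(v) }`: callback runs in a later turn.
        result = Promise()

        def fire():
            if promise.state == "fulfilled":
                self.queue.append((callback, None, (promise.value,), result))
            else:
                self._resolve(result, "broken", promise.value)
        self._on_resolve(promise, fire)
        return result

    def run(self):
        # Drain the queue one delivery per turn; no delivery is ever re-entered.
        while self.queue:
            target, verb, args, result = self.queue.popleft()
            try:
                value = (target if verb is None else getattr(target, verb))(*args)
            except Exception as exc:          # a failing delivery breaks its promise
                self._resolve(result, "broken", exc)
                continue
            self.log.append(verb or "<when>")
            if isinstance(value, Promise):    # returned a promise: chain resolutions
                self._on_resolve(value, lambda v=value, r=result: self._resolve(r, v.state, v.value))
            else:
                self._resolve(result, "fulfilled", value)

    def _forward(self, promise, verb, args, result):
        if promise.state == "fulfilled":
            self.queue.append((promise.value, verb, args, result))
        else:                                 # broken-promise contagion
            self._resolve(result, "broken", promise.value)

    def _on_resolve(self, promise, thunk):
        if promise.state == "pending":
            promise.waiting.append(thunk)
        else:
            thunk()

    def _resolve(self, promise, state, value):
        if promise.state != "pending":        # resolutions are final
            return
        promise.state, promise.value = state, value
        waiting, promise.waiting = promise.waiting, []
        for thunk in waiting:
            thunk()


class Account:
    """Constructed sample object living in the vat."""
    def __init__(self, vat, base):
        self.vat, self.base = vat, base
    def a(self): return Account(self.vat, self.base + 10)
    def b(self): return 5
    def c(self, arg):
        # `arg` may itself be a promise (E passes promises as arguments).
        return self.vat.when(arg, lambda v: self.base + v)
    def boom(self): raise RuntimeError("simulated partition")


def demo():
    vat = Vat()
    x, y = Account(vat, 100), Account(vat, 0)
    t1 = vat.send(x, "a")                 # t3 := (x <- a()) <- c(y <- b())
    t2 = vat.send(y, "b")                 # expands to these three sends
    t3 = vat.send(t1, "c", t2)            # sent to t1 before t1 has resolved
    queued = len(vat.queue)               # 2: the send to t1 is parked on the promise
    delivered_early = list(vat.log)       # []: eventual sends happen later
    bad2 = vat.send(vat.send(x, "boom"), "a")   # a send on a broken promise breaks too
    vat.run()
    return {"t3": t3.value, "t3_state": t3.state, "queued": queued,
            "delivered_early": delivered_early, "order": vat.log, "bad2": bad2.state}
```

Two things to look for in the trace: `send` returns before anything is delivered (`delivered_early` is empty), and deliveries to one target come out in the order they were sent (`a`, then `b`, then `c`), which is what lets the caller write `t1 <- c(t2)` without first waiting for `t1` or `t2`. There are no locks because a turn never yields in the middle; a delivery that needs a not-yet-available value registers a `when` instead of blocking.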


31 Remaining CapTP Features
Stay tuned to www.erights.org for more on these
● Partition & recovery support
  Live vs. Sturdy references
● Adversarial distributed acyclic GC
● Distributed equality – tricky to define
  The Grant Matcher Puzzle
● Partially ordered message delivery
  When can the tortoise pass the hare?
  Forks and joins in the message-order graph
● Distributed causality-flow debugging in progress

32 Bibliography
● Capability Myths Demolished
  zesty.ca/capmyths/usenix.pdf
● E in a Walnut
  www.skyhunter.com/marcs/ewalnut.html
● Capability-based Financial Instruments (the “Ode”)
  www.erights.org/elib/capability/ode/index.html
● Intro to Capability-based Security
  www.skyhunter.com/marcs/capabilityIntro/index.html
● Statements of Consensus
  www.erights.org/elib/capability/consensus-9feb01.html
● The CapTP Protocol (including its VatTP substrate)
  www.erights.org/elib/distrib/vattp/index.html
  www.erights.org/elib/distrib/captp/index.html
● WOMP & WOS
  www.waterken.com/dev/Web/Message/
● Web sites:
  www.erights.org
  www.combex.com
  www.eros-os.org
  www.cap-lore.com/CapTheory
  www.capidl.org
  www.waterken.com

