Download presentation
Presentation is loading. Please wait.
Published byOscar Hodges Modified over 8 years ago
1
CapTP: Distributed Capability Security Mark Miller, Marc Stiegler CTO & COO, Combex, Inc. www.erights.org www.combex.com
2
CapTP: Capability Transport Protocol ● Distributed Object-Capability Security ● Communicating Event Loops ● Asynchronous Pipelined Promises Capability Object Message Vat Process / Machine
3
Overview of CapTP ● Distributed Capability Security ------------- as time permits: -------------- ● Communicating event loops Deadlock-free, non-blocking concurrency control ● Asynchronous Pipelined Promises Massive latency compensation “Whiteboard” animation ● Remaining features Partition & recovery support, Distr equality Adversarial distr GC, Partially ordered delivery
4
Distributed Capability Overview ● What went wrong? ● What are object-capabilities? ● What aren't they? ● Why capabilities? ● What's been set right? ● Distributed caps, how? ● Patterns and examples
5
What Went Wrong? ● Walls + holes are no architecture ● ACLs can't do POLA The cashier & the wallet ● Layering Failure:
6
What Are Object-Capabilities? ● By Introduction –ref to Carol –ref to Bob –decides to share ● By Parenthood ● By Construction ● By Initial Conditions ● Absolute Encapsulation ● Only source of authority Alice says: bob.foo(carol)
7
What Aren't They? “Capability Myths Demolished” Equivalence? Revocability? Confinement? http://zesty.ca/capmyths/usenix.pdf Capabilities as Rows Capabilities as Keys
8
Capability Myths Demolished Models mostly missed virtues of actual systems
9
Capabilities == O-O Security ● Capability discipline -> good software engineering ● Good software engineering -> capability discipline ● Modularity -> omit needless dependencies Required trust is a form of dependency Information hiding -> “need to know” POLA -> “need to do” Security is the extreme of modularity ● Security Abstraction Mechanisms ● Patterns of Cooperation Without Vulnerability
10
What's Been Set Right? ● Designation + Authority is an architecture Avoids “Confused Deputy” problems ● POLA emerges naturally Acts of designation also convey least authority ● Direct Correspondence Reify customer's “rights” as objects Business logic built as security abstractions “Capability-based Financial Instruments” at FC2000
11
● Solving both impostor problems ● Fully decentralized designation and authorization ● Mobility: (Fingerprint + hint) as network address Distributed Caps, How?
13
Distributed Cap Pattern: The Revocable Facet def makeRevoker(var precious) :any { def r { to pass(verb, args) :any { E.send(precious, verb, args) } to revoke() { precious := null } } def f { match [verb, args] { r.pass(verb, args) } [f, r] } “E in a Walnut” www.skyhunter.com/marcs/ewalnut.html
14
Distributed Cap Example: Money def makeMint(name) :any { def [sealer, unsealer] := makeBrandPair(name) def mint { to makePurse(var balance :(integer >= 0)) :any { def decr(amount :(0..balance)) { balance -= amount } def purse { to getBalance() :any { balance } to sprout() :any { mint.makePurse(0) } to getDecr() :any { sealer.seal(decr) } to deposit(amount :int, src) { unsealer.unseal(src.getDecr())(amount) balance += amount }
15
Status & Experiences ● CapTP implemented for Java and E, in progress for Squeak ● Switching to WOS serialization standard ● Capability-secure distr desktop for DARPA ● Decentralized graphical social virtual reality Extensible massively multiplayer game ● Global high-security enterprise infrastructure ● Tutorial: 5 page capability-secure chat
16
Overview of CapTP ✔ Distributed Capability Security ------------- as time permits: -------------- ● Communicating event loops Deadlock-free, non-blocking concurrency control ● Asynchronous Pipelined Promises Massive latency compensation “Whiteboard” animation ● Remaining features Partition & recovery support, Distr equality Adversarial distr GC, Partially ordered delivery
17
Why no Threads & Locks? Scylla and Charybdis
18
Communicating Event Loops Deadlock-free, non-blocking concurrency control Known near reference “Immediate” call-return: val := bob.foo(carol) Sequential stacking no synchronized blocks Happens now Partition impossible Possibly remote reference “Eventual” one-way send: promise := bob <- foo(carol) Event-loop queuing no synchronized blocks Happens later, and in order... … unless partitioned
19
Distributed Queuing
20
Asynchronous Pipelined Promises Massive latency compensation t3 := (x <- a()) <- c(y <- b()) Expands to... t1 := x <- a() t2 := y <- b() t3 := t1 <- c(t2) Message always moves towards arrowhead.
31
Remaining CapTP Features Stay tuned to www.erights.org for more on these ● Partition & recovery support Live vs. Sturdy references ● Adversarial distributed acyclic GC ● Distributed equality – tricky to define The Grant Matcher Puzzle ● Partially ordered message delivery When can the tortoise pass the hare? Forks and joins in the message-order graph ● Distributed causality-flow debugging in progress
32
Bibliography ● Capability Myths Demolished zesty.ca/capmyths/usenix.pdf ● E in a Walnut www.skyhunter.com/marcs/ewalnut.html ● Capability-based Financial Instruments (the “Ode”) www.erights.org/elib/capability/ode/index.html ● Intro to Capability-based Security www.skyhunter.com/marcs/capabilityIntro/index.html ● Statements of Consensus www.erights.org/elib/capability/consensus-9feb01.html ● The CapTP Protocol (including its VatTP substrate) www.erights.org/elib/distrib/vattp/index.html www.erights.org/elib/distrib/captp/index.html ● WOMP & WOS www.waterken.com/dev/Web/Message/ ● Web sites: www.erights.org www.combex.com www.eros-os.org www.cap-lore.com/CapTheory www.capidl.org www.waterken.com
Similar presentations
© 2024 SlidePlayer.com Inc.
All rights reserved.