CMSC 414 Computer and Network Security Lecture 11 Jonathan Katz.


1 CMSC 414 Computer and Network Security Lecture 11 Jonathan Katz

2 Exam review…

3 Example use of capabilities
• From “The Confused Deputy,” by Hardy
• Compiler in directory SYS
  – User can provide file for debugging output
  – Compiler can write statistics to SYS/stat
    • Compiler given ability to write to SYS
• User set debugging file to SYS/billing
  – Allowed…
  – Overwrote billing file!

4 Example continued…
• Underlying problem: authority from two sources: static + authority of caller
• How to solve this problem?
  – Check filenames explicitly?
    • They can change…
    • Legitimate access to SYS files…
  – Add specific list of conditions?
    • Complexity grows
  – Switch authorities?
    • What if more than two authorities are possible?
  – ACLs do not work… (why?)

5 Suggested solution
• Use capabilities
  – Give compiler capability to write to SYS/stat
  – Calling user can provide additional capabilities, if needed
  – Compiler must explicitly designate capabilities to use in a particular situation
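
The scenario from slides 3 to 5, modeled as an added example that is not part of the lecture: the same compiler run once with ambient authority over SYS and once with explicitly designated capabilities. The in-memory FileSystem, the WriteCap handle, the principal alice and the path home/alice/dbg are constructed for illustration.

```python
class Denied(Exception):
    """Raised when a principal lacks write authority for a path."""

class WriteCap:
    """Handle that both names one file and carries the right to write it."""
    def __init__(self, fs, path):
        self._fs, self._path = fs, path
    def write(self, data):
        self._fs.files[self._path] = data

class FileSystem:
    """Constructed model: write rights are path prefixes per principal."""
    def __init__(self):
        self.files = {"SYS/stat": "", "SYS/billing": "BILLING", "home/alice/dbg": ""}
        self.rights = {"compiler": ("SYS/",), "alice": ("home/alice/",)}
    def open_write(self, principal, path):
        if not path.startswith(self.rights[principal]):
            raise Denied(f"{principal} may not write {path}")
        return WriteCap(self, path)

def compile_ambient(fs, debug_path):
    """Confused deputy: both writes are checked against the compiler's own authority."""
    fs.open_write("compiler", "SYS/stat").write("stats")
    fs.open_write("compiler", debug_path).write("debug output")

def compile_with_caps(stat_cap, debug_cap):
    """The deputy designates one capability per write and resolves no caller-supplied name."""
    stat_cap.write("stats")
    debug_cap.write("debug output")

def run_ambient(debug_path):
    fs = FileSystem()
    compile_ambient(fs, debug_path)
    return fs.files

def run_with_caps(user, debug_path):
    fs = FileSystem()
    stat_cap = fs.open_write("compiler", "SYS/stat")  # granted to the compiler once
    try:
        debug_cap = fs.open_write(user, debug_path)   # opened under the caller's authority
    except Denied:
        return fs.files, False                        # the caller cannot mint this capability
    compile_with_caps(stat_cap, debug_cap)
    return fs.files, True

if __name__ == "__main__":
    print(run_ambient("SYS/billing")["SYS/billing"])  # billing file overwritten
    print(run_with_caps("alice", "SYS/billing"))      # refused, billing file intact
    print(run_with_caps("alice", "home/alice/dbg"))   # legitimate debug file written
```

In the capability version the access check happens when the caller opens the file, so the compiler's right to write SYS/stat is never applied to a name the caller chose.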

6 “Capability myths…”
• Equivalence myth: ACLs and capabilities are “just” two views of the AC matrix
• Confinement myth: Capability systems cannot enforce confinement
• Irrevocability myth: Capabilities cannot be revoked

7 Equivalence myth
• ACLs have “arrows” from objects to subjects; capabilities have “arrows” from subjects to objects
• Capabilities do not require subjects to “know” object names a priori
• Capabilities do not require subjects to “know” whether they have authority

