This document describes the design and implementation of the 0.6
series of the AskemosProtection system
(including a few notes on its history).
Most readers can easily skip that part without loss of information.
High Level Design
The first idea for this protection scheme came to me from VSTa? and worked very well with wrapbit. It handles
subjunctive schemes. The outcome of the scheme is a hierarchy of subrights
rooted at the creator (there is no superuser, as is common with operating
systems). To solve the chicken-and-egg problem, there is a special right,
secured by a secret placed on the physical machine where the creator wants
to authenticate. This right allows creating new user authentication frames
and restricting user rights for that particular machine.
CAUTION
A special policy must be followed when operators use this power; this policy
must be publicly displayed, and displaying it must be part of the license
agreement. The policy should *at least* include a hard-to-forge notice dated
prior to the operation, the rules for the reasons why the operation might be
performed, and a duration for how long the notice itself will be archived.
We end up with the formula being the ultimate documentation for rights. Users
will hopefully only see this formula one day, when they have managed to lose a
right they did not want to lose. Good luck: there might be a chance that you
get the right back. If not, read this and understand why there is nobody who
can help in this case. After all, this lossage is somehow the price you pay for
freedom. If we had a chance to help via administration, this would be the
back door for theft and abuse.
Hierarchical Rights
Next, an early description from the requirements document.
There is no absolute super user mechanism.
A protection is assigned to each place. Based on the idea that everything
is allowed until explicitly forbidden, we narrow what's allowed using this
protection.
A protection is a sequence of documents called totems. A totem as such is
"just a name", a symbol without data or context.
It's suggested that the document describes (for user and lawyer) how the
permission granted so far is narrowed. But that's just a convention.
A set of capabilities is assigned to each message.
A capability is a sequence of totems, which could be part of a
protection.
We say a capability dominates a protection if either
(a) the first totem of the capability is the same as the first of the
protection and the rest of the capability dominates the rest of the
protection, or
(b) the capability is empty.
(define (dominates? prot capa . capas)
  (let loop ((prot prot)
             (capa (if (null? capa)
                       (error "dominates?: null-capability found.\n")
                       capa)))
    (cond
     ((null? capa) #t)
     ((null? prot) (if (null? capas) #f (apply dominates? prot capas)))
     ((not (and (pair? capa) (pair? prot))) #f) ; type check, "default"
     ((eq? (car capa) (car prot)) (loop (cdr prot) (cdr capa)))
     (else (if (null? capas) #f (apply dominates? prot capas))))))
Note: point (b) makes the empty capability the "super user"
capability over any set of protections. This is probably against intuition, but
see the next point.
To assure that there's no super user, it's impossible to
assign an empty sequence as a capability. A user can grant and revoke a
subcapability of one of his capabilities to other users; this retains the
super user concept for those cases where it is appropriate, but restricts it to a
certain domain.
A subcapability sc of a capability c is a capability if dominates(sc c) and
sc != c.
Functional Rights
The plain realm handling would require that we explicitly grant each and
every access. This is OK for delegation-like cases. We want to be prepared
for publishing situations. Here it's much better to have ACL-like or disjunctive rights (German: disjunktive Rechte).
Here I do an experiment and encode that implicitly within the protection. ...
There is a second hierarchy, which we call functional, which determines the
task at hand. Such a right fr is granted if a protection fp is dominated by a
capability, where fp consists of the rest of the original protection p with the
first element left out.
(define (serves function . capabilities)
  ;; ... the protection is shortened. If that's dominated by the
  ;; request we've found the service level.
  (let loop ((function function))
    (cond
     ((null? function) #f)
     ((apply dominates? function capabilities) function)
     (else (loop (cdr function))))))
A service level is a convenience function, which puts both basic
mechanisms into one short function. It's a function which accepts a
variable number of documents (or symbols, for the sake of development costs) to be
used as a subset of the protection to dominate or serve. If we find something
in the public domain, we can take it over.
It returns the right which explains the access. This could be either the
owner of the frame, the right which was granted by the owner, or some
service permit under which the frame was opened and which was also assigned
to the owner of the capabilities.
(define (make-service-level protection capabilities)
  (if protection
      (if (pair? protection)
          (lambda subs
            (let ((protection (apply append protection subs)))
              (if (apply dominates? protection capabilities)
                  #t
                  (apply serves protection capabilities))))
          (error "illegal protection ~s" protection))
      (lambda args #t)))
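The three mechanisms above, prefix domination for hierarchical rights, the suffix search for functional rights, and the service-level wrapper, as an added worked example in Python rather than the Askemos Scheme (not code from the project). The names dominates, serves and make_service_level mirror the page's functions; is_subcapability, the string totems and the sample protection (creator, alice, bob, project, doc) are my constructions.

```python
# Added example (not the Askemos code): the totem-sequence model above in
# Python; totems are strings standing in for documents, sequences are tuples.

def dominates(protection, *capabilities):
    """Mirror of dominates?: a capability dominates a protection when it is a
    prefix of it; the empty capability is rejected, as in the original."""
    if not capabilities:
        raise TypeError("dominates: at least one capability required")
    for capa in capabilities:
        if len(capa) == 0:
            raise ValueError("dominates: null capability found")
        if tuple(protection[:len(capa)]) == tuple(capa):
            return True
    return False

def serves(protection, *capabilities):
    """Mirror of serves: drop leading totems until the remaining suffix is
    dominated; that suffix is the functional right (service level), else None."""
    rest = tuple(protection)
    while rest:
        if dominates(rest, *capabilities):
            return rest
        rest = rest[1:]
    return None

def make_service_level(protection, capabilities):
    """Mirror of make-service-level: a checker that appends extra totems
    (sub-documents, each a sequence of totems) and reports the access found."""
    if protection is False:   # Scheme #f: nothing narrowed, everything allowed
        return lambda *subs: True
    if not isinstance(protection, (list, tuple)) or not protection:
        raise ValueError(f"illegal protection {protection!r}")
    def check(*subs):
        prot = tuple(protection)
        for sub in subs:
            prot += tuple(sub)
        return True if dominates(prot, *capabilities) else serves(prot, *capabilities)
    return check

def is_subcapability(sc, c):
    """sc is a subcapability of c when c dominates sc and sc != c, i.e. c is
    a proper prefix: holders of c may grant sc, never the reverse."""
    return tuple(sc) != tuple(c) and dominates(sc, c)

# Constructed sample: a protection narrowed creator -> alice -> project -> doc.
PROT = ("creator", "alice", "project", "doc")
ALICE = ("creator", "alice")    # owner branch, a prefix of PROT: dominates
BOB = ("creator", "bob")        # sibling branch: neither dominates nor serves
PUBLISH = ("project", "doc")    # functional right: serves at level ('project','doc')
```

Calling make_service_level(PROT, [ALICE])() returns True, with [BOB] it returns None, and with [PUBLISH] it returns the suffix ('project', 'doc') that explains the access.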
TODO
- Make sure that the mechanism can do whatever the domain type system
described at http://research-cistw.saic.com/cace/dte.html
can do.
- See whether http://www.cl.cam.ac.uk/users/rja14/
and http://bejtlich.home.texas.net/intv2-1.txt
are related at all, just found the reference close to the domain type
system (see TODO 1).
- Fix the comment related to TODO 2 in the
code.
- Dig out that security firm which I heard about today,
2000-07-26. They are reported to implement an apparently isomorphic
operation with chip cards.
- Find out what caja has on offer.
http://code.google.com/p/google-caja/
Related Work
Domain Type System http://research-cistw.saic.com/cace/dte.html
http://cap-lore.com/CapTheory/index.html
A hardware TCB controlling dynamic data dissemination
with respect to a lattice-based information flow policy.
http://pag.lcs.mit.edu/6.893/readings/brown-tr15.ps
Xena xml access control at element level,
http://www10.org/cdrom/posters/p1096/
;; For active actions there are two assumptions possible:
;;
;; a) for all slots, attempts are made to set them as requested. This
;; is technically equivalent to dumb file system semantics (with the
;; addition of some meta data held in attributes). At the philosophical
;; level this means that every public right can be used by everyone as
;; they please. This is at least not democracy, more like anarchy. You
;; can certainly construct secure systems this way, but you will
;; definitely need an absolute power (a potential tyrant).
;;
;; b) public places are safe from any single request. They just throw
;; an exception.