On Access Control, Capabilities, Their Equivalence, and Confused Deputy Attacks

Abstract: Motivated by the problem of understanding the difference between practical access control and capability systems formally, we distill the essence of both in a language-based setting. We first prove that access control systems and (object) capabilities are fundamentally different. We further study capabilities as an enforcement mechanism against confused deputy attacks (CDAs), since CDAs may have been the primary motivation for the invention of capabilities. To do this, we develop the first formal characterization of CDA-freedom in a language-based setting and describe its relation to standard information flow integrity. We show that, perhaps surprisingly, capabilities cannot prevent all CDAs. Next, we stipulate restrictions on programs under which capabilities ensure CDA-freedom and prove that the restrictions are sufficient. To relax those restrictions, we examine provenance semantics as sound CDA-freedom enforcement mechanisms.
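The abstract's two central claims, that an access-control deputy can be confused while a capability-passing deputy cannot be confused in the same way, and that capabilities alone still do not rule out every CDA, are easier to see on a concrete program. The model below is an added illustration and not code from the paper: the "compiler" deputy, the billing log, the principals alice/compiler and the in-memory dicts standing in for a filesystem and an ACL are all constructed, and the WriteCap class is assumed to be unforgeable (Python does not enforce that; closing such gaps is what a language-based model is for).

```python
"""Confused deputy under ACL-style authority vs. object capabilities.

Added illustration, not code from the paper. All names and data are
constructed; WriteCap is assumed unforgeable within the model.
"""
from dataclasses import dataclass

# Constructed filesystem: path -> contents.
FS = {
    "/home/alice/prog.src": "int main(){}",
    "/home/alice/out.bin": "",
    "/srv/compiler/billing.log": "alice:0",
}

# Constructed ACL: path -> principals allowed to write it.
ACL = {
    "/home/alice/out.bin": {"alice", "compiler"},
    "/srv/compiler/billing.log": {"compiler"},
}

BILLING = "/srv/compiler/billing.log"


def acl_write(principal, path, data):
    """Ambient-authority write: the check consults the caller's identity."""
    if principal not in ACL.get(path, set()):
        raise PermissionError(f"{principal} may not write {path}")
    FS[path] = data


def acl_compile(caller, src_path, out_path):
    """ACL-based deputy. It records a billing entry, then writes its output
    wherever out_path designates, using its own 'compiler' authority.
    Designation (out_path) and authority (the ACL check) are separate,
    so a caller can designate a file that only the deputy may write."""
    acl_write("compiler", BILLING, f"{caller}:1")
    acl_write("compiler", out_path, "binary:" + FS[src_path])


def acl_attack():
    """alice cannot write the billing log herself, but the deputy does it
    for her when she names it as the output path. Returns (whether the
    direct write succeeded, final billing log contents)."""
    FS[BILLING] = "alice:0"
    try:
        acl_write("alice", BILLING, "alice:0")
        direct = True
    except PermissionError:
        direct = False
    acl_compile("alice", "/home/alice/prog.src", BILLING)
    return direct, FS[BILLING]


@dataclass(frozen=True)
class WriteCap:
    """Object capability: possessing it is the authority to write one path."""
    path: str

    def write(self, data):
        FS[self.path] = data


def grant(principal, path):
    """Capabilities are minted only to principals the ACL already allows;
    once minted, no identity is consulted on use."""
    if principal not in ACL.get(path, set()):
        raise PermissionError(f"{principal} may not obtain a cap for {path}")
    return WriteCap(path)


# The deputy receives its billing capability at setup, not from callers.
COMPILER_BILLING_CAP = grant("compiler", BILLING)


def cap_compile(caller, src, out_cap):
    """Capability-based deputy: the caller must hand over a WriteCap for the
    output. Designation and authority are the same object, so alice can
    only designate what she already has authority over."""
    COMPILER_BILLING_CAP.write(f"{caller}:1")
    out_cap.write("binary:" + src)


def cap_attack():
    """alice cannot mint a billing cap, so she cannot aim the deputy at it."""
    FS[BILLING] = "alice:0"
    try:
        grant("alice", BILLING)
        return "cap minted"  # would mean the model is broken
    except PermissionError:
        pass
    out_cap = grant("alice", "/home/alice/out.bin")
    cap_compile("alice", FS["/home/alice/prog.src"], out_cap)
    return FS[BILLING]


# The deputy's own capability table, indexed by a caller-supplied string.
CAP_TABLE = {"out": grant("compiler", "/home/alice/out.bin"),
             "billing": COMPILER_BILLING_CAP}


def cap_compile_still_confused(caller, src, out_name):
    """Capabilities in use, yet still a CDA: the deputy selects one of its
    *own* capabilities by a name the caller chose. Authority is again
    driven by untrusted input, which is the kind of program the abstract
    says must be restricted (or tracked by provenance) for capabilities
    to guarantee CDA-freedom."""
    COMPILER_BILLING_CAP.write(f"{caller}:1")
    CAP_TABLE[out_name].write("binary:" + src)


def cap_residual_attack():
    FS[BILLING] = "alice:0"
    cap_compile_still_confused("alice", FS["/home/alice/prog.src"], "billing")
    return FS[BILLING]
```

In the first deputy the billing log ends up holding compiler output although alice's own write to it is refused; in the second, her only way to name an output is a capability she could legitimately obtain, so the billing entry survives; in the third, the deputy reintroduces the confusion by looking up its own capabilities with caller data, which is why the paper treats CDA-freedom as a property of the program and not of the capability mechanism alone.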
Document type: Conference paper
Computer Security Foundations, Jun 2016, Lisbon, Portugal. 2016, 〈10.1109/CSF.2016.18〉

Cited literature: 28 references

https://hal.inria.fr/hal-01353963
Contributor: Tamara Rezk
Submitted on: Tuesday 16 August 2016 - 14:34:16
Last modified on: Monday 20 August 2018 - 13:36:04
Document(s) archived on: Thursday 17 November 2016 - 10:27:34

File

csf16Capabilities.pdf
Files produced by the author(s)

Citation

Vineet Rajani, Deepak Garg, Tamara Rezk. On Access Control, Capabilities, Their Equivalence, and Confused Deputy Attacks. Computer Security Foundations, Jun 2016, Lisbon, Portugal. 2016, 〈10.1109/CSF.2016.18〉. 〈hal-01353963〉

Metrics

Record views: 151
File downloads: 99