On Access Control, Capabilities, Their Equivalence, and Confused Deputy Attacks

Abstract: Motivated by the problem of understanding the difference between practical access control and capability systems formally, we distill the essence of both in a language-based setting. We first prove that access control systems and (object) capabilities are fundamentally different. We further study capabilities as an enforcement mechanism for confused deputy attacks (CDAs), since CDAs may have been the primary motivation for the invention of capabilities. To do this, we develop the first formal characterization of CDA-freedom in a language-based setting and describe its relation to standard information flow integrity. We show that, perhaps surprisingly, capabilities cannot prevent all CDAs. Next, we stipulate restrictions on programs under which capabilities ensure CDA-freedom and prove that the restrictions are sufficient. To relax those restrictions, we examine provenance semantics as sound CDA-freedom enforcement mechanisms.

Document type: Conference papers

Cited literature: 28 references

https://hal.inria.fr/hal-01353963
Contributor: Tamara Rezk
Submitted on: Tuesday, August 16, 2016 - 2:34:16 PM
Last modification on: Monday, August 20, 2018 - 1:36:04 PM
Long-term archiving on: Thursday, November 17, 2016 - 10:27:34 AM

File: csf16Capabilities.pdf (files produced by the author(s))

Citation:

Vineet Rajani, Deepak Garg, Tamara Rezk. On Access Control, Capabilities, Their Equivalence, and Confused Deputy Attacks. Computer Security Foundations, Jun 2016, Lisbon, Portugal. ⟨10.1109/CSF.2016.18⟩. ⟨hal-01353963⟩

Metrics: 199 record views, 234 file downloads