On Access Control, Capabilities, Their Equivalence, and Confused Deputy Attacks

Motivated by the problem of understanding the difference between practical access control and capability systems formally, we distill the essence of both in a language-based setting. We first prove that access control systems and (object) capabilities are fundamentally different. We further study capabilities as an enforcement mechanism for confused deputy attacks (CDAs), since CDAs may have been the primary motivation for the invention of capabilities. To do this, we develop the first formal characterization of CDA-freedom in a language-based setting and describe its relation to standard information flow integrity. We show that, perhaps surprisingly, capabilities cannot prevent all CDAs. Next, we stipulate restrictions on programs under which capabilities ensure CDA-freedom and prove that the restrictions are sufficient. To relax those restrictions, we examine provenance semantics as sound CDA-freedom enforcement mechanisms.
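To make the contrast in the abstract concrete, the following toy model is an added illustration and is not code or a formal definition from the paper. It uses an in-memory store and three variants of a "deputy" service that writes output on behalf of a client: one with ambient authority checked against an access-control list (the classic confused deputy), one where the client must pass an unforgeable write capability, and one capability-style deputy that is still confused because untrusted client input selects among capabilities the deputy itself holds. All names (`Store`, `WriteCap`, `acl_deputy`, `cap_deputy`, `leaky_cap_deputy`, the paths) are constructed for this example; the third variant is the editor's illustration of why capabilities alone do not guarantee CDA-freedom, not the paper's own counterexample.

```python
# Added example: toy confused-deputy scenarios (not the paper's code).

class Store:
    """Constructed in-memory file store standing in for a filesystem."""
    def __init__(self):
        self.files = {}

    def write(self, path, data):
        self.files[path] = data


class Principal:
    """A named principal with the set of paths it is allowed to write."""
    def __init__(self, name, allowed):
        self.name = name
        self.allowed = set(allowed)


# Variant 1: access control with ambient authority. The deputy checks its
# OWN permission on the client-supplied path, so a client can name a path
# it may not touch itself and the deputy's authority is misused.
def acl_deputy(store, deputy, out_path, data):
    if out_path not in deputy.allowed:
        raise PermissionError(f"{deputy.name} may not write {out_path}")
    store.write(out_path, data)
    return out_path


# Variant 2: capability passing. A WriteCap is an unforgeable handle (an
# object, not a string) that both designates a path and carries the
# authority to write it. The deputy writes only through caps the client
# hands over, so it exercises no authority the client did not already hold.
class WriteCap:
    def __init__(self, store, path):
        self._store = store
        self.path = path

    def write(self, data):
        self._store.write(self.path, data)


def cap_deputy(cap, data):
    if not isinstance(cap, WriteCap):
        raise TypeError("a path string is not a capability")
    cap.write(data)
    return cap.path


# Variant 3: a capability-style deputy that is still confused. It holds
# caps to several paths in its own table and lets the client's request
# string select which one is used, so untrusted input once again chooses
# which of the deputy's authorities gets exercised. Avoiding this pattern
# (never let untrusted data pick among deputy-held authorities) is the
# kind of program restriction under which capabilities do help.
def leaky_cap_deputy(cap_table, name, data):
    cap = cap_table[name]
    cap.write(data)
    return cap.path


def run_scenarios():
    """Exercise all three variants; returns which outcomes occurred."""
    store = Store()
    deputy = Principal("compiler", {"/out/user.o", "/billing/log"})
    results = {}

    # Variant 1: client names the billing file; the check passes because
    # the deputy itself may write there.
    results["acl_confused"] = (
        acl_deputy(store, deputy, "/billing/log", "garbage") == "/billing/log")

    # Variant 2: the client passes a cap it legitimately holds.
    user_cap = WriteCap(store, "/out/user.o")
    results["cap_ok"] = cap_deputy(user_cap, "object code") == "/out/user.o"

    # The client holds no cap to /billing/log; a forged string is rejected.
    try:
        cap_deputy("/billing/log", "garbage")
        results["cap_forgery_blocked"] = False
    except TypeError:
        results["cap_forgery_blocked"] = True

    # Variant 3: client-chosen key selects a deputy-held cap.
    table = {"user": WriteCap(store, "/out/user.o"),
             "billing": WriteCap(store, "/billing/log")}
    results["leaky_cap_confused"] = (
        leaky_cap_deputy(table, "billing", "garbage") == "/billing/log")
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

Variants 1 and 3 both end with the protected path written on the client's say-so; only variant 2, where designation and authority travel together in an object the client must already possess, removes the confusion.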
