horton’s who done it? communicating authority with responsibility tracking mark s. miller google...

Horton’s Who Done It?

Communicating Authority with

Responsibility Tracking

Mark S. Miller Google Research1

Jed Donnelley LBNL/NERSC

Alan H. Karp HP Labs

Usenix HotSec Workshop, August 7, 2007

1Work done while at HP Labs

Alice

Alice

Doc Chapters:

Chapter 1…

Chapter 1…

BobAlice

Communicating Object Access with Delegation

Initial Conditions:

Alice has: 1. A capability to send to Bob and 2. A capability to a document with chapters.

Doc Chapters:

Chapter 1…

BobAlice

Alice

Capability Communication of the Document Reference

Alice

here’s( )

Chapter 1…

Alice sends a message to Bob containinga reference to the document.

Alice

Alice

Doc Chapters:

Chapter 1…

Chapter 1…

BobAlice

Alice-

>Bob

Alice can’t act with Bob’s responsibilityBob can’t act with Alice’s responsibility

Horton Magic: Bob Receives a Delegated Capability

Delegating Least Authority

A B

C


A B

C

b.foo(c)


A B

C

foo( )


A B

C


A B

C

• Msgs are only means to cause effects

• Refs control authority

• Leverage OO patterns


A B

C

• Msgs are only means to cause effects

• Refs control authority

• Leverage OO patterns

• Anonymous

Alice

Can’t vet code or actions of each object.

Alice

A

Can’t vet code or actions of each object.

Aggregate into long-lived responsible identity.

Two styles, relative strengths

Automated

Fine-grained

Built for safety

Least authority

Virus resistant

Authorization-based

Object-capabilities (ocaps)

Human decisions

Large-grained

Built for damage control

Most responsibility

Spam resistant

Identity-based

ACLs

?


Automated

Fine-grained

Built for safety

Least authority

Virus resistant

Authorization-based


Human decisions

Large-grained


Most responsibility

Spam resistant

Identity-based

ACLs

Polaris, Plash


Automated

Fine-grained

Built for safety

Least authority

Virus resistant

Authorization-based


Human decisions

Large-grained


Most responsibility

Spam resistant

Identity-based

ACLs+ “Hybrid” Cap Systems (SCAP, Sys/38)


Automated

Fine-grained

Built for safety

Least authority

Virus resistant

Authorization-based


Human decisions

Large-grained


Most responsibility

Spam resistant

Identity-based

ACLs

?


Automated

Fine-grained

Built for safety

Least authority

Virus resistant

Authorization-based


Human decisions

Large-grained


Most responsibility

Spam resistant

Identity-based

ACLs

Horton

Story Needs Four Characters

Alice & Bob• Old patterns for identity-based control

Alice introduces Bob & Carol• Builds new relationships from old

Carol also hears of Bob from Dave• Corroborates Bob’s independence from Alice

Two-party intermediation

A message travels through anidentity tunnel

A B

Bob

Alice Bob

Alice

A B

Bob

Alice Bob

Aliceb.foo()

A Bfoo()

Bob

Alice Bob

Alice

A B

Bob

Alice Bob

Alice

foo()

Do I still use Bob’s services?

A B

Bob

Alice Bob

Alice

Bob, deliver to Bfoo()

A B

Bob

Alice Bob

Alice

deliver(“foo”,[])

A B

Bob

Alice Bob

Alice

foo()

Do I still honorAlice’s requests?

A B

Bob

Alice Bob

Alice

Deliver toB for Alice

foo()

A B

Bob

Alice Bob

Alice

foo()

A B

Alice Bob

Three-party intermediation

Build new relationships from old

A B

Alice Bob

C

Carol

A B

Alice Bob

C

Carol

b.foo(c)

A B

Alice Bob

C

Carol

foo( )

A B

Alice Bob

C

Carol

intro( )

Bob

Carol, please provide Bob access to C

foo(?)

A B

Alice Bob

C

Carol

intro( )

Bob


foo(?)

Alice needs tunnel for Bob

A B

Alice Bob

C

Carol

intro( )

BobGift wrap it

for Bob


foo(?)

A B

Alice Bob

C

Carol

intro( )

BobGift wrap it

for Bob

To BobFrom Carol


foo(?)

A B

Alice Bob

C

Carol

intro( )

Bobreturn Bob’sgift to Alice

To BobFrom Carol


foo(?)

A B

Alice Bob

C

Carol

To BobFrom Carol

Bob, deliver “fo__ to B with

Carol’s ( )foo( )

A B

Alice Bob

C

Carol

To BobFrom Carol

deliver(“foo”,[[ , ]])

Carol

A B

Alice Bob

C

Carol

To BobFrom Carol

deliver(“foo”,[[ , ]])

Carol

Unwrap Carol’sgift from Alice

A B

Alice Bob

C

Carol

foo( )

Unwrap Carol’sgift from Alice

A B

Alice Bob

C

Carol

foo( )

A B

Alice Bob

C

Carol

Four party intermediation

Only corroborating introductions let Alice shed blame

A B

Alice

Bob

C

Carol

Is Bob a pseudonymfor Alice?

A B

Alice Bob

C

Carol

Is Carol a pseudonymfor Alice?

A B

Alice Bob

C

Carol

A B

Alice Bob

C D

Carol Dave

A B

Alice Bob

C D

Carol Dave

bar( )

A B

Alice Bob

C D

Carol Dave

A B

Alice Bob

C D

Carol Dave

Bob

A B

Alice Bob

C D

Carol Dave

Bob

Carol

Better Identities than ACLs

No global administrator or name server

Track bilateral responsibility• For requests and for service

Track delegation chain• Revoke only improperly delegated rights

Sybil resistant aggregation strategy

Corroboration-driven disaggregation

Conclusions

Fine-grain least authorizations for safety.

Large-grain identities for damage control.

Horton is a protocol “scaffold” on which to hang identity-based policies,

transparently to interacting app-objects.

Supports delegating narrow authority, whileassigning responsibility for using that authority.

Three-party intermediation

The details

Rights Amplification

• Inspired by PK

• Simple oo pattern

• No explicit crypto

• Can represent responsible identity

b.foo(c)

Bob, please use Carol’s C

Make a stub for Bob’s use

Gift wrap it for Bob

wrap(s3, whoBob, beCarol)


pr


pr

seal( )


pr

return gift

pr

unwrap( , whoCarol, beBob)

pr


pr

unseal( )


pr


pr

seal

( )


pr


pr

( )


pr


pr

( )

makeProxy(..)

E.call(..)

A B

Alice Bob

C D

Carol Dave

B

Bob

C D

Carol Dave

CapWiki with attribution

The Web: Good, Bad, and Ugly:

1. Good: Internet hypertext, wonderful!

2. Bad: Username/passwords for every site that has any sort of access control.

3. Ugly: Hard to share limited access to network objects. Hard to combine network objects with access restrictions.

Sends:BobSendEveSendIvanSend

Alice’s Domain

CapWikiFinances:InvestorMarket

Ali ce’s

Alice’s Domain

CapWiki:CapWiki Stuff:ConceptsFinancesOther


Sends:AliceSendDaveSend


Alice’s Domain Bob’s Domain

Ali ce’s

Receives:AliceReceive



CapWiki:CapWiki Stuff:ConceptsFinancesOther Sends:

AliceSendDaveSend



Ali ce’s

Receives:*AliceReceive







Ali ce’ s

Alice BobSends:BobSendEveSendIvanSend






Ali ce’ s

Alice Bob

Alice Bob







Ali ce’ s

Here are theCapWiki:FinancesDave

Receives:BobReceiveDaves’s Domain

Bo b’s


Alice Bob

Alice Bob





Ali ce’ s


Receives:* BobReceiveDaves’s Domain

Bo b’s



Alice Bob

Alice Bob





Ali ce’ s


Receives:BobReceive

Bo b’s

Bob D

ave


Daves’s Domain


Alice Bob

Alice Bob


Receives:*AliceReceive



Ali ce’ s


Receives:BobReceive

Bo b’s

Bob D

ave

Alice Bob Dave



Daves’s Domain

Alice Bob

Alice Bob

Better Web Access Control

• No more passwords – Send a <me>Send to a <service>Send. They know who you are, you know who they are.

• Side benefit – SPAM resistance. Don’t like a source of SPAM, cut it off to any delegation level.

• Principle Of Least Authority (POLA) sharing that can facilitate cross site services.

horton’s who done it? communicating authority with responsibility tracking mark s. miller google...

Documents

alicecant vet code

sys38two styles

aliceatwo styles

plashtwo styles

document referencedoc

capability communication

bobs responsibilitybob

horton magic