Protection mechanism (Schutzmechanismus)
Requirements
- there is a separate value space for rights
- robust against known attacks (except denial of service)
- it's impossible to extend rights or derive rights from other value spaces
- works like human beings assign capabilities among each other
- creation of new rights: by exogamous agreement, i.e. agreement between separate parties
HLD?
FIXME: This text is a bit rough. I'll fix as soon as questions arise.
The first idea for this protection scheme came to me from VSTa? and worked very well with wrapbit. It handles conjunctive (English?) schemes. The outcome of the scheme is a hierarchy of subrights rooted at the creator (there is no superuser, as is common with operating systems). To solve the chicken-and-egg problem, there is a special right, secured by a secret placed on the physical machine where the creator wants to authenticate. This right allows creating new user authentication frames and restricting user rights.
CAUTION
When operators use this power, a special policy must be followed; this policy is publicly displayed, and doing so is part of the license agreement. This policy should *at least* include a hard-to-forge notice dated prior to the operation, the rules for the reasons why the operation might be performed, and how long the note itself will be archived.
NiceToHave? The dominates? predicate and the serves function could also be described as a set difference operation. This should introduce this chapter.
We end up with the formula being the ultimate documentation for rights. Users will hopefully only see this formula one day, when they have managed to lose a right they did not want to lose. Good luck: there might be a chance that you get the right back. If not, read this and understand why there is nobody who can help in this case. After all, this loss is somehow the price you pay for freedom. If we had a chance to help via administration, this would be the backdoor for theft and abuse.
Hierarchical Rights
Next, an early description from the requirements document.
There is no absolute super user mechanism.
A protection is assigned to each place. Based on the idea that everything is allowed until explicitly forbidden, we narrow what's allowed using this protection.
A protection is a sequence of documents called totems. A totem as such is "just a name", a symbol without data and context.
It's suggested that the document describes (for user and lawyer) how the permission granted so far is narrowed. But that's just a convention.
A set of capabilities is assigned to each message.
A capability is a sequence of totems, which could be part of a protection.
We say a capability dominates a protection if either
- (a) the first totem of the capability is the same as the first of the protection and the rest of the capability dominates the rest of the protection, or
- (b) the capability is empty.
(define (dominates? prot capa . capas)
  ;; A capability dominates a protection when it is a prefix of it.  The
  ;; loop variables p and c hold what is left of the pair currently being
  ;; compared; every further capability is tried against the complete
  ;; protection prot, not against the shortened remainder.
  (let loop ((p prot)
             (c (if (null? capa)
                    (error "dominates?: null-capability found.\n")
                    capa)))
    (cond
     ((null? c) #t)                                  ; capability exhausted: dominates
     ((null? p) (if (null? capas) #f (apply dominates? prot capas)))
     ((not (and (pair? c) (pair? p))) #f)            ; type check, "default"
     ((eq? (car c) (car p)) (loop (cdr p) (cdr c)))  ; same totem, compare the rest
     (else (if (null? capas) #f (apply dominates? prot capas))))))
Note: point (b) makes a capability the "super user" capability of a set of protections. This is probably against intuition, but see the next point.
To assure that there's no super user, it's impossible to assign an empty sequence as a capability. A user can grant and revoke a subcapability of one of his capabilities to other users; this retains the super user concept for those cases where appropriate, but restricts it to a certain domain.
A subcapability sc of a capability c is a capability if dominates(sc c) and sc != c.
Functional Rights
The plain realm handling would require that we explicitly grant each and every access. This is OK for delegation-like cases. We want to be prepared for publishing situations. Here it's much better to have an ACL or conjunctive rights. Here I'm doing an experiment and encode that implicitly within the protection. ...
There is a second hierarchy, which we call functional, which determines the task at hand. Such a right fr is granted if a protection fp, which consists of the rest of the original protection p with the first element dropped, is dominated by a capability.
(define (serves function . capabilities)
  ;; ... the protection is shortened. If that's dominated by the
  ;; request we've found the service level.
  (let loop ((function function))
    (cond
     ((null? function) #f)                                ; nothing left to serve
     ((apply dominates? function capabilities) function)  ; the suffix that explains the access
     (else (loop (cdr function))))))                      ; drop the leading totem and retry
A service level is a convenience function which puts both basic mechanisms into one short function. It's a function which accepts a variable number of documents (or symbols, for the sake of development costs) to be used as a subset of the protection to dominate or serve. If we find something in the public domain, we can take it over.
It returns the right which explains the access. This could be either the owner of the frame, the right which was granted by the owner, or some service permit under which the frame was opened and which was also assigned to the owner of the capabilities.
(define (make-service-level protection capabilities)
  ;; Returns a checker for one place.  Each extra argument of the checker is
  ;; a single totem (document or symbol) appended to the protection before
  ;; it is tested, so subs is appended as a list rather than spliced.
  (if protection
      (if (pair? protection)
          (lambda subs
            (let ((protection (append protection subs)))
              (if (apply dominates? protection capabilities)
                  #t                                          ; plain dominance
                  (apply serves protection capabilities))))   ; functional right, or #f
          (error "illegal protection ~s" protection))
      (lambda args #t)))                                      ; no protection: everything allowed
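The following is an added example, not part of the original page and not the project's Scheme code: the model described above (dominance over totem sequences, subcapabilities, the functional serves search and the service-level checker) re-implemented in Python with a small constructed hierarchy rooted at a creator totem. The totem names (creator, alice, reviewer, ...) and the derive helper are assumptions made for illustration; dominates matches every capability against the complete protection, as the definition requires.

```python
# Added example (not the page's own code): totem-sequence rights in Python.
# Totems are plain strings; a protection or a capability is a tuple of totems.
from typing import Callable, Optional, Sequence, Tuple, Union

Totem = str
Seq = Tuple[Totem, ...]


class EmptyCapability(ValueError):
    """An empty capability would dominate every protection (a super user),
    so the model refuses to handle one at all."""


def dominates(protection: Sequence[Totem], *capabilities: Sequence[Totem]) -> bool:
    """True if any of the capabilities dominates the protection.

    The page's recursive definition (first totems equal and the rest dominates
    the rest, or the capability is empty) means "the capability is a prefix of
    the protection".  Each capability is compared with the full protection.
    """
    if not capabilities:
        raise TypeError("dominates: at least one capability is required")
    prot = tuple(protection)
    for capa in capabilities:
        capa = tuple(capa)
        if not capa:
            raise EmptyCapability("dominates?: null-capability found")
        if prot[:len(capa)] == capa:
            return True
    return False


def is_subcapability(sc: Sequence[Totem], c: Sequence[Totem]) -> bool:
    """sc is a subcapability of c if c dominates sc and sc != c, i.e. c is a
    proper prefix of sc: sc reaches strictly fewer protections than c."""
    return tuple(sc) != tuple(c) and dominates(sc, c)


def derive(c: Sequence[Totem], *narrowing: Totem) -> Seq:
    """Hypothetical helper: create a right for someone else by appending
    totems to a capability you hold.  The result is a subcapability, so it
    cannot dominate anything the parent did not already dominate."""
    if not narrowing:
        raise ValueError("derive: a subcapability must add at least one totem")
    return tuple(c) + tuple(narrowing)


def serves(function: Sequence[Totem], *capabilities: Sequence[Totem]) -> Optional[Seq]:
    """Functional rights: drop leading totems of the protection until one of
    the capabilities dominates the rest; return that rest (the right that
    explains the access) or None."""
    rest = tuple(function)
    while rest:
        if dominates(rest, *capabilities):
            return rest
        rest = rest[1:]
    return None


def make_service_level(protection: Optional[Sequence[Totem]],
                       capabilities: Sequence[Sequence[Totem]]
                       ) -> Callable[..., Union[bool, Seq, None]]:
    """Bind a place's protection and a message's capabilities into one check.
    Extra arguments narrow the protection before it is tested: True for plain
    dominance, the serving suffix for a functional right, None otherwise.
    No protection at all means everything is allowed."""
    if protection is None:
        return lambda *subs: True
    if not protection:
        raise ValueError("illegal protection %r" % (protection,))

    def level(*subs: Totem):
        full = tuple(protection) + tuple(subs)
        if dominates(full, *capabilities):
            return True
        return serves(full, *capabilities)

    return level


if __name__ == "__main__":
    creator = ("creator",)                          # root of the hierarchy
    alice = derive(creator, "alice")                # creator grants alice a subcapability
    photos = derive(alice, "photos")                # alice narrows it further for bob
    place = ("creator", "alice", "photos")          # protection of alice's photo place
    print(dominates(place, alice))                  # True: alice owns the place
    print(dominates(place, derive(creator, "bob"))) # False: bob's own right does not reach it
    print(dominates(place, derive(photos, "view"))) # False: narrower than the place
    print(is_subcapability(photos, alice))          # True
    review = ("creator", "alice", "reviewer", "comment")
    print(serves(review, ("reviewer",)))            # ('reviewer', 'comment')
    print(make_service_level(alice, [alice])("photos"))  # True
```

The two checks at the end of the main block show the two hierarchies side by side: alice's ownership right dominates the photo place outright, while a holder of the functional reviewer right is served only the suffix of the protection that explains the access.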
TODO
- Make sure that the mechanism can do whatever the domain type system described at http://research-cistw.saic.com/cace/dte.html can do.
- See whether http://www.cl.cam.ac.uk/users/rja14/ and http://bejtlich.home.texas.net/intv2-1.txt are related at all; just found the reference close to the domain type system (see TODO 1).
- Fix the comment related to TODO 2 in the code.
- Extend http://www.dazuko.org or alike to create an interface at file system level.
Related Work
Domain Type System http://research-cistw.saic.com/cace/dte.html
http://www.erights.org/ Distributed Capabilities; found 2002 due to a pointer from N. E. Walker; to be evaluated. There's an expression and programming language in the Algol style (i.e., C/C++/Java alike); if that's it, we need something else...
;; For active actions there are two assumptions possible:
;;
;; a) for all slots attempts are made to set them as requested. This
;; is technically equivalent to dumb file system semantics (with the
;; addition of some meta data held in attributes). At the philosophical
;; level this means that every public right can be used by everyone as
;; they please. This is at least not democracy, more like anarchy. You
;; can certainly construct secure systems this way, but you will
;; definitely need an absolute power (a potential tyrant).
;;
;; b) public places are safe from any single request. They just throw
;; an exception.