Why capabilities? Short statement for SOSP History Day.
SOSP History Day http://www.ssrc.ucsc.edu/sosp15/workshops/HistoryDay/
was a superb event. It was all recorded and the recordings will be made public. Capabilities were repeatedly mentioned in the presentations much more often than I expected, and mostly positively.
I was on a panel at the end of the day whose topic was
"Is Security a Hopeless Quest?"
Each panelist opened with a 5 minute statement. I tried to boil down the case for capabilities into the shortest clearest statement I could for an informed audience. Here is what I said. Feel free to forward.
In the ‘70s, there were two main access control models:
the identity-centric model of access-control lists
and the authorization-centric model of capabilities.
For various reasons the world went down the identity-centric path,
resulting in the situation we are now in.
On the identity-centric path, why is security likely a hopeless quest?
When we build systems, we compose software written by different people.
These composed components may cooperate as we intend,
or they may destructively interfere.
We have gotten very good at avoiding accidental interference
by using abstraction mechanisms and designing good abstraction boundaries.
By composition, we have delivered astonishing functionality to the world.
Today, when we secure systems, we assign authority to identities.
When I run a program, it runs as me.
The square root function in my math library can delete my files.
Although it does not abuse this excess authority,
if it has a flaw enabling an attacker to subvert it,
then anything it may do, the attacker can do.
It is this excess authority that invites most of the attacks we see in the world today.
By contrast, when we secure systems with capabilities,
we work with the grain of how we organize software for functionality.
At every level of composition,
from programming language to operating systems to distributed services,
we design abstraction boundaries so that a component’s interface
only requires arguments that are somehow relevant to its task.
If such argument passing were the only source of authority,
we would have already taken a huge step towards least authority.
If most programs only ran with the least authority they need to do their jobs,
most abuses would be minor.
I do not imagine a world with fewer exploitable bugs.
I imagine a world in which much less is at risk to most bugs.