Design patterns: elements of reusable object-oriented software
Design patterns: elements of reusable object-oriented software
Extensible security architectures for Java
Proceedings of the sixteenth ACM symposium on Operating systems principles
EROS: a fast capability system
Proceedings of the seventeenth ACM symposium on Operating systems principles
A note on the confinement problem
Communications of the ACM
Programming semantics for multiprogrammed computations
Communications of the ACM
Capability-Based Financial Instruments
FC '00 Proceedings of the 4th International Conference on Financial Cryptography
ACM SIGOPS Operating Systems Review
Verifying the EROS Confinement Mechanism
SP '00 Proceedings of the 2000 IEEE Symposium on Security and Privacy
A Security Kernel Based on the Lambda-Calculus
A Security Kernel Based on the Lambda-Calculus
Robust composition: towards a unified approach to access control and concurrency control
Robust composition: towards a unified approach to access control and concurrency control
A practical formal model for safety analysis in capability-based systems
TGC'05 Proceedings of the 1st international conference on Trustworthy global computing
The structure of authority: why security is not a separable concern
MOZ'04 Proceedings of the Second international conference on Multiparadigm Programming in Mozart/Oz
A Knowledge Based Formal Language for Securing Information Systems
KES '09 Proceedings of the 13th International Conference on Knowledge-Based and Intelligent Information and Engineering Systems: Part I
BottleCap: a credential manager for capability systems
Proceedings of the seventh ACM workshop on Scalable trusted computing
A modal logic for information system security
AISC '11 Proceedings of the Ninth Australasian Information Security Conference - Volume 116
| Hi-index | 0.02 |
We present a novel technique, known as the non-delegatable authority (NDA), for distributing authority to unconfined subjects in capability systems that prevents them from sharing the exact same authority that they have been given with anyone else. This feature is present in common systems based on access control lists (ACLs) in which one may hand out a permission without handing out the associated “grant” right, but has been thought to be impossible to express in capability systems until now. Consequently, we demonstrate that NDAs may be used to express ACL-like constructs and their basic pattern is directly applicable for implementing multi-level security and identity-based access controls in the object-capability model. The extra complexity introduced by our NDA implementation can be hidden behind constructs that allow NDAs to be wielded as if they were ordinary capabilities to the target resource. These constructs cannot break the non-delegatability constraint and allow NDAs to be used effectively, although with less efficiency than delegatable authorities.