14 citations found.
P. Karger. Improving Security and Performance for Capability Systems. Technical Report 149, University of Cambridge Computer Laboratory, 1988. (Ph. D. thesis.)


This paper is cited in the following contexts:
Vulnerabilities in Synchronous IPC Designs - Shapiro (2003)   (3 citations)

....packet processing, nor do they appear to have been used to filter dynamically tagged messages. Use of registers to speed interprocess communication was heavily used in the V Distributed System [4] and appears to have been independently proposed by Karger [16] in connection with the SCAP system [17, 15]. The SCAP design gains particular advantage if the trust relationship between caller and callee is known to both parties. Liedtke et al. [22] have considered selected denial of service attacks against the L4 microkernel and its servers, including several of the problems identified here. Their ....

P. Karger. Improving Security and Performance for Capability Systems. PhD thesis, University of Cambridge, Oct. 1988. Technical Report No. 149.


An Architectural Overview Of The Alpha Real-Time.. - Clark, Jensen, Reynolds (1993)   (29 citations)

....is typically not provided by layered RPC facilities. These limitations of layered RPC facilities make building a distributed real time RPC facility problematic and inefficient. Recently published work suggests that high performance RPC is best obtained with RPC specific kernel assistance [60][61][62][63]. Multi server operating systems have many of the characteristics of distributed applications even if all the servers reside on a single node. The client process communicates with the OS server(s) via IPC. In a standard implementation of UNIX, when an application invokes a system service ....

Karger, P.A., Improving Security and Performance for Capability Systems, Technical Report No.149, Computer Laboratory, University of Cambridge, October 1988.


Security Architecture for Component-based Operating.. - Jaeger, Liedtke.. (1998)   (4 citations)

....enforcement by complicating: (1) the assignment of permissions to components because they can be run in more than one context; and (2) the authorization of object accesses because all servers cannot necessarily be trusted to enforce system security policy. As has been known for quite some time [24, 15, 11], an effective security policy must be able to control all accesses to all objects exported by components (and protect itself from tampering [1]). Unfortunately, early component based systems, such as Mach [18], Chorus [19], and Spring [16], only control access to component communication, not ....

....Authorize all object accesses
• Limit capabilities delegated to components
• Contain a small number of unique permission management mechanisms
• Protect itself from compromise
Other notable systems have goals similar to these. Early capability based systems, such as Hydra [24] and SCAP [11], endeavor to provide complete mediation of object accesses. Such systems were designed to achieve goals similar to ours, but the security requirements of the practical applications of the time did not justify their flexibility. The primary differences between the systems that these architectures ....

P. A. Karger. Improving Security and Performance for Capability Systems. PhD thesis, University of Cambridge, 1988.


Security for a High Performance Commodity Storage Subsystem - Gobioff (1999)   (12 citations)

.... datastructure that contains a unique object identifier and access rights [Levy84]. Historically, single processor or tightly coupled multiprocessor capability systems have either used hardware support to prevent client modifications of capabilities or depended on trusted operating system kernels [Wilkes79, Wulf81, Levy84, Karger88]. In these systems, the capabilities were used as an access control resource because capabilities can be quickly tested for applicability to a given request. In a distributed system, the untrusted network is introduced between communicating parties, so the problem becomes more complex. Some ....

Karger, P. A., Improving Security and Performance for Capability Systems, University of Cambridge Computer Laboratory Technical Report No. 149, October 1988.


Verifying the EROS Confinement Mechanism - Shapiro, Weber (2000)

....and Karger [8] have argued that unmodified capability systems cannot enforce even basic mandatory access controls such as the property. Both have proposed solutions in the form of hybrid protection architectures. Karger has also argued that unmodified capability systems cannot enforce confinement [7]. Given that EROS is a pure capability system, and that its security design rests on its ability to enforce confinement, a rigorous verification of the EROS confinement mechanism is necessary. As described by Lampson [9] the confinement policy has two requirements. Entities inside a compartment may ....

.... their conclusion is correct, capability systems do provide sufficient strength to construct mandatory policies at a higher level of abstraction with reasonable performance, as has been done in KeySafe [13]. Karger has also shown that unmodified capability systems cannot enforce the confinement policy [7]. The apparent discrepancy results from differences in term definition. Karger's confinement policy is a mandatory access control policy: this piece of information must not be disclosed to that set of unauthorized parties. That is, it is a policy concerning the flow of information to subjects. ....

P. Karger. Improving Security and Performance for Capability Systems. PhD thesis, University of Cambridge, Oct. 1988. Technical Report No. 149.


EROS: a fast capability system - Shapiro, Smith, Farber (1999)   (31 citations)

....Finally, capability systems have difficulty with traceability and selective revocation: determining who has what access and removing a particular user's access to an object. To solve this problem, hybrid designs using both capabilities and access control lists have been proposed in [4] and [25]. In a pure capability system like EROS, this issue must be addressed by the reference monitor. 2.3 Mandatory access controls EROS provides a primitive mechanism for revoking access to objects. Both objects and their capabilities have a version number. If the version numbers do not match, the ....

P. Karger. Improving Security and Performance for Capability Systems. PhD thesis, University of Cambridge, Oct. 1988. Technical Report No. 149.


Security Agent Based Distributed Authorization : An Approach - Varadharajan, Kumar, Mu (1998)

....over his daily withdrawal limit. The decision to allow or deny the request must be made from within the application and is dependent on its state. It is clear that combining these two mechanisms can lead to a better access control system and there has been earlier work along these lines such as [9] and [10]. Let us now consider a variation on the access mechanism. Consider a security agent that acts in some sense like a capability in that it contains the privileges that can be used to perform certain actions at the target. But it is different from a traditional capability in that it may ....

P.A.Karger, "Improving Security and Performance for Capability Systems", PhD Thesis, Cambridge University, 1988


On Security in Capability-Based Systems - Li Gong (1989)   (2 citations)

....and can propagate in many ways without detection. Another example, the technique as the unconfined right in Hydra, which is meant to disable a capability propagation, has no effect. Some soft protection measures have to be implemented. An effort was made in the SCAP design by Karger and Herbert [6,7] to support lattice security and access traceability. They took an approach where subjects can pass their capabilities freely as usual, but when a capability is used to request an access, the security kernel must check whether the access should be granted according to the security policy enforced. ....

....done by trusted hardware and must be invisible to any suspicious users or system components, in order to realize the principle of complete mediation identifying the source of every request is necessary. The security policy enforced has to be checked as well. This is demonstrated in the SCAP design [6,7]. Moreover, the approach in KeyKOS to deal with connections rather than end points may increase the complexity and difficulty to design the system and to certify that the system is secure. The cost may be too high to adopt this approach to the open system architecture. In an open system ....

P.A. Karger, Improving Security and Performance for Capability Systems, Ph.D. thesis, also available as Technical Report No.149, University of Cambridge Computer Laboratory, Oct., 1988.


Secure Network Objects - van Doorn, Abadi, Burrows, Wobber (1996)   (7 citations)

....of Amoeba [15] suffer from the confinement problem. Several restrictions and variations of the capability model have been proposed. For example, Gong suggests adding identities to capabilities [7]; Bacon et al. suggest restricting their lifetime [1]; Karger's dissertation describes several others [9]. The ideas in our use of capabilities can be traced back through a vast literature. There has also been substantial work in the area of security and network communication systems (e.g. [25, 14, 21]). However, to our knowledge, there is at present no object oriented network communication system ....

P. A. Karger. Improving Security and Performance for Capability Systems. PhD thesis, Cambridge University, Oct. 1988.


Filesystems for Network-Attached Secure Disks - Gibson, al. (1997)   (22 citations)

....to secure shared access to network-attached peripherals. Capabilities are a well established concept [Dennis66] for regulating access to resources. In the past, many systems have used capability systems that rely on hardware support or trusted operating system kernels to protect system integrity [Karger88, Wilkes79, Wulf74]. Within NASD, we do not make assumptions about the integrity of the client which maintains capabilities. Therefore, we utilize cryptographic techniques similar to ICAP [Gong89] and Amoeba [Tanenbaum86]. In these systems, the act of issuing a capability and validating a capability must have access ....

Karger, P.A., "Improving Security and Performance for Capability Systems", University of Cambridge Computer Laboratory Technical Report No. 149, Oct. 1988.


A Secure Identity-Based Capability System - Gong (1989)   (47 citations)

....server is not available. However, an unmodified capability system cannot solve the confinement problem, the problem of confining unauthorized information flow [6]. It seems clear that merging the two approaches can yield better systems than using either one in isolation. Karger and Herbert [4,5] designed and implemented an augmented capability architecture to support lattice security and traceability of access. The idea was to use capability based protection at the lowest level for implementing confined domains, in support of access control lists for expressing security policies outside ....

....security policies, classic systems have to be modified to control capability propagations. Some kind of check against security policy has to be done somewhere, if not everywhere, in the lifetime of the capabilities. This is reflected in a taxonomy for capability systems [3]. Karger and Herbert [4,5] took an approach where subjects can pass their capabilities freely as usual, but when a capability is used to request an access, the security kernel must check whether the access should be granted according to the security policy. In other words, holding a capability is no longer both necessary ....

[Article contains additional citation context not shown here]

P.A. Karger, "Improving Security and Performance for Capability Systems", Ph.D. thesis, also available as Technical Report No.149, University of Cambridge Computer Laboratory, October, 1988.


Capability Myths Demolished - Miller, Yee, Shapiro (2003)   (1 citation)

No context found.

P. Karger. Improving Security and Performance for Capability Systems. Technical Report 149, University of Cambridge Computer Laboratory, 1988. (Ph. D. thesis.)


PSOS Revisited - Neumann, Feiertag (2003)   (1 citation)

No context found.

P.A. Karger. Improving Security and Performance for Capability Systems. PhD thesis, Computer Laboratory, University of Cambridge, Cambridge, England, October 1988. Technical Report No. 149.


Assuring Distributed Trusted Mach - Fine, Minear (1993)   (15 citations)

No context found.

P.A. Karger, "Improving Security and Performance for Capability Systems", University of Cambridge Computer Laboratory, October, 1988.


CiteSeer.IST - Copyright Penn State and NEC