Non-Delegatable Authorities in Capability Systems
Abstract
Unlike more conventional access control systems, such as Access Control Lists (ACLs), capability systems are inherently suited to controlling access in very large distributed systems. Capability systems scale easily and provide natural support for the Principle of Least Authority (POLA). However, many people have argued that the inability to prevent delegation (capability passing) in capability systems hinders security. We show that it is possible, in some capability systems, to distribute authority while ensuring it cannot be delegated. We present a technique, which we call the Non-Delegatable Authority (NDA), that prevents subjects from sharing the exact same authority that they have been given with anyone else. This is a feature present in other access control systems, such as those based on ACLs, that has been thought impossible to implement in capability systems. Our implementation is presented within the context of the object-capability model, which accurately reflects many capability implementations, including the Annex capability system. We show how NDAs can be wielded as if they were ordinary capabilities without breaking the non-delegatability constraint. We also show how NDAs may be used to implement ACL-like constructs and how their basic pattern can be applied to build Multi-Level Security identity-based access controls within the Annex testbed.
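As an added illustration (not the paper's own construction, which the abstract does not describe), the Python sketch below models one way an object-capability system can bind an authority to a single subject so that handing the capability object to someone else grants them nothing. The `Subject`, `Authority`, the self-capability token and the `vault:read` label are all assumed for the example; the key idea is that the only thing that would let a delegate use the NDA is the subject's own self capability, which confers strictly more authority than the NDA itself.

```python
# Assumed design: an NDA exercises the wrapped authority only when the caller
# presents the bound subject's own self capability. Passing the NDA object on is
# harmless; passing the self capability would hand over everything the subject holds.
import hmac
import secrets

class Subject:
    """A subject whose self capability is an unforgeable token only it should hold."""
    def __init__(self, name: str) -> None:
        self.name = name
        self._self_cap = secrets.token_bytes(32)  # assumption: opaque and unforgeable

    def self_cap(self) -> bytes:
        return self._self_cap

class Authority:
    def __init__(self, label: str) -> None:
        self.label = label
        self.audit = []  # who exercised the authority; useful for a defender's log

    def exercise(self, subject_name: str) -> str:
        self.audit.append(subject_name)
        return f"{subject_name} exercised {self.label}"

class NonDelegatableAuthority:
    """Wraps `authority` so that only the bound `subject` can exercise it."""
    def __init__(self, authority: Authority, subject: Subject) -> None:
        self._authority = authority
        self._bound_name = subject.name
        self._bound_cap = subject.self_cap()

    def invoke(self, presented_cap: bytes) -> str:
        # Constant-time comparison so timing does not leak the bound token.
        if not hmac.compare_digest(presented_cap, self._bound_cap):
            raise PermissionError("caller is not the subject this NDA is bound to")
        return self._authority.exercise(self._bound_name)

def demo() -> tuple:
    """Alice uses her NDA, then hands the NDA object to Bob, who tries to use it."""
    vault = Authority("vault:read")
    alice, bob = Subject("alice"), Subject("bob")
    nda = NonDelegatableAuthority(vault, alice)
    alice_result = nda.invoke(alice.self_cap())
    try:
        nda.invoke(bob.self_cap())  # Bob holds the NDA object but not Alice's self cap
        bob_could_use = True
    except PermissionError:
        bob_could_use = False
    return alice_result, bob_could_use, list(vault.audit)
```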