Thursday, August 25, 2005

Capabilities in the real world

Capabilities are the permissions to do some specific task. I wrote this on the train this morning, I hope it helps illuminate the area around security I've been talking about recently.

Imagine a network where there are billions of accounts. Some of the users have multiple accounts. But in this system, the accounts have no passwords. The social penalties for using the wrong account are the basis of security, along with keeping the usernames secret (security through obscurity). Once someone has your username, the only option is to get a different username and watch the activity more closely.

This IS the situation we all face in the world of credit cards and Social Security numbers. Two-factor authentication is seen as THE solution to this problem. In this case, it's like finally allowing the usernames to have a password as well. The only problem is that many sloppy implementations will simply require you to give out your username AND password to make a purchase. If you are given the ability to change the password, and do it frequently enough, you decrease (but don't eliminate) the odds of misuse of the account.

A better system is to use Capabilities. For instance, when you buy something online, what you really want to do is to grant the permission to extract the amount you specify from your bank. Some vendors are now experimenting with this idea, known as a "one time" credit card number. This is also called a Capability.

When you give a program a capability, it is only good for that use, until revoked, for that one process. No other process can utilize it if they manage to acquire it. If it becomes necessary to distribute the capability to another process, that simply requires another capability, and the OS will then issue appropriate capabilities to the receiving task.

(Technically, all Capabilities include a GUID, and are locked to a specific process.)

Back to the credit card analogy: if you put a capability to withdraw $100 into a message, and someone managed to intercept it, it would be useless to them because it's locked to the recipient's identity.
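To make the hand waving concrete, here is an added toy model of the one-time payment capability described above. It is example code written for this post, not anything from the original or from a real payment system; the `Bank` issuer, the identities `alice`, `shop.example`, `processor.example` and `eve`, and the HMAC tag standing in for the "GUID locked to a process" are all constructed for illustration. It shows the four properties the post relies on: an intercepted capability is useless to anyone but the bound holder, a tampered copy is rejected, spending is one-time, and delegation goes through the issuer (which hands the receiving party its own, possibly attenuated, capability) rather than by copying the token.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Capability:
    """A single-purpose permission, bound to one holder and authenticated by the issuer."""
    cap_id: str    # unguessable identifier (the post's "GUID"); constructed with secrets
    account: str   # account the funds come from
    holder: str    # the one identity allowed to present this capability
    amount: int    # ceiling on what may be withdrawn, in cents
    tag: str       # issuer's MAC over the fields above; altered or forged copies fail this check


class Bank:
    """Issuer and reference monitor (the 'OS' of the post's analogy). Hypothetical, for illustration."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # constructed: issuer's secret MAC key
        self._balances = {}
        self._live = set()  # cap_ids that are issued, unspent and unrevoked

    def open_account(self, owner, cents):
        self._balances[owner] = cents

    def balance(self, owner):
        return self._balances[owner]

    def _tag(self, cap_id, account, holder, amount):
        msg = f"{cap_id}|{account}|{holder}|{amount}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def _valid(self, cap):
        expected = self._tag(cap.cap_id, cap.account, cap.holder, cap.amount)
        return hmac.compare_digest(expected, cap.tag) and cap.cap_id in self._live

    def issue(self, owner, holder, amount):
        """Account owner grants `holder` the right to withdraw up to `amount`, once."""
        if owner not in self._balances or amount <= 0:
            raise ValueError("no such account or bad amount")
        cap_id = secrets.token_hex(16)
        cap = Capability(cap_id, owner, holder, amount, self._tag(cap_id, owner, holder, amount))
        self._live.add(cap_id)
        return cap

    def revoke(self, owner, cap):
        """Only the account owner may revoke; the capability stops working immediately."""
        if cap.account == owner:
            self._live.discard(cap.cap_id)

    def delegate(self, cap, presenter, new_holder, amount):
        """The holder passes an attenuated permission on: the bank issues a fresh capability
        bound to `new_holder` and retires the original, so the token itself never changes hands."""
        if presenter != cap.holder or not self._valid(cap) or not 0 < amount <= cap.amount:
            return None
        self._live.discard(cap.cap_id)
        return self.issue(cap.account, new_holder, amount)

    def redeem(self, cap, presenter, amount):
        """Spend the capability. Fails for the wrong presenter, a tampered or forged token,
        a revoked or already-spent token, or an over-limit amount."""
        if presenter != cap.holder or not self._valid(cap):
            return False
        if amount > cap.amount or amount > self._balances[cap.account]:
            return False
        self._live.discard(cap.cap_id)  # one-time use: a replay fails the _live check
        self._balances[cap.account] -= amount
        return True


def demo():
    """Walk through the post's scenarios and return the outcomes."""
    bank = Bank()
    bank.open_account("alice", 50_000)  # constructed: $500.00

    cap = bank.issue("alice", "shop.example", 10_000)      # the $100 capability from the post
    intercepted = bank.redeem(cap, "eve", 10_000)          # seen in transit: bound to the shop, so useless
    inflated = Capability(cap.cap_id, cap.account, cap.holder, 20_000, cap.tag)
    tampered = bank.redeem(inflated, "shop.example", 20_000)  # amount changed, MAC no longer matches
    spent = bank.redeem(cap, "shop.example", 10_000)
    replayed = bank.redeem(cap, "shop.example", 10_000)

    cap2 = bank.issue("alice", "shop.example", 5_000)
    sub = bank.delegate(cap2, "shop.example", "processor.example", 3_000)
    delegated = bank.redeem(sub, "processor.example", 3_000)
    original_after_delegate = bank.redeem(cap2, "shop.example", 5_000)

    cap3 = bank.issue("alice", "shop.example", 2_000)
    bank.revoke("alice", cap3)
    revoked = bank.redeem(cap3, "shop.example", 2_000)

    return {"intercepted": intercepted, "tampered": tampered, "spent": spent,
            "replayed": replayed, "delegated": delegated,
            "original_after_delegate": original_after_delegate, "revoked": revoked,
            "balance": bank.balance("alice")}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the design is that the issuer, not the token, is the security boundary: the bank checks the presenter against the bound holder and the MAC against its own key on every use, so possession of the bytes buys an eavesdropper nothing, and delegation is always a new issuance the bank can see, bound and cap.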

So, I've laid out a practical set of analogies and examples to help demystify capabilities. I've assumed a lot, but I've got a programming background, and I'd welcome discussion on the technical aspects of pulling all of this hand waving off, in a secure manner.
