
Introduction To Capability Based Security

Why Should You Care?

We who use the Web are daily bombarded with warnings about viruses, computer break-ins, and other ills that befall those foolish enough to communicate electronically. Reading the news media, one would conclude that all our computer systems are horrifically vulnerable to computer hackers (or, more correctly, to computer crackers, the kind of hacker who turns his skills to evil purposes). That much is indeed true; we are all so vulnerable today that it is more a joke than a question. But reading the media would also lead one to conclude that, not only is that the way it is, but that is the way it must always be, forever.

It does not have to be this way. The technology for defeating computer crackers was actually developed decades ago, by men and women of great insight working with mainframe computers. A couple of computer operating systems, notably Multics and KeyKOS, were extremely resistant, indeed virtually invulnerable, to hacking and cracking. However, in the rush to the PC, the knowledge was forsaken.

The time has come to resurrect this knowledge, for we push the Web ever nearer the limits of what we can do without true security. Without true security, we can never make the Web the brilliant center for new kinds of financial transactions and contractual relationships that could make the world ever more free and make every individual ever more successful. Fraud will haunt us. The mega-software-corporations will advertise--and many will believe despite the facts--that buying tried and true (old and tired?) products from them, rather than innovative new products from unknown upstarts, is the safest way to compute. And governments everywhere will jump eagerly at the opportunities to legislate, regulate, control, and censor, all in the name of protecting us from the evil hackers of the world.

Herewith, then, is an Introduction to Capability Based Security, the simple yet powerful paradigm upon which the KeyKOS operating system was based. Capability security is today being resurrected in several places in several ways, notably in the form of the E programming language and the EROS operating system.

Love Bug Versus CapZilla

First, let me give a quick story/example of how the world can be different with capability-based security. An example "virus" that received much popular press, and caused some billions of dollars of lost productivity, was the Love Bug virus. Love Bug has a modus operandi identical to the earlier Melissa virus (and the later Klez virus, and one aspect of the Nimda virus, and SoBig, and others too numerous to count). Melissa (and the Love Bug et al.) would come to you as an email message, read your address book, then send itself - using your email system, your email address, and your good reputation - to the people listed therein. You only had to make one easy-to-make mistake to cause this sequence: you had to run the executable file found as an attachment, sent (apparently) by someone you knew well and trusted fully.

Suppose you were running a capability-secure operating system, or that your mail system was written in a capability-secure programming language. In either case, each time an executable program in your email executed, each time it needed a capability, you the user would be asked whether to grant that capability or not. So Melissa, upon starting up, would first find itself required to ask you, "Can I read your address book?" Since you received the message from a trusted friend, perhaps you would say yes - neither Melissa nor anything else can hurt you just by reading the file. But this would be an unusual request from an email message, and should reasonably set you on guard.

Next, Melissa would have to ask you, "Can I have a direct connection to the Internet?" At this point only the most naive user would fail to realize that this email message, no matter how strong the claim that it came from a friend, is up to no good purpose. You would say "No!"

And that would be the end of all such viruses. No fuss, no muss. They would never rate a mention in the news.
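The two-question exchange above, as an added toy model (not code from this page, nor from KeyKOS, EROS or E): the attachment holds no ambient authority and can act only through references a `Granter` hands it after consulting the user's policy; every request is recorded, so a user or a reviewer can see the unusual address-book and network requests even when they are granted. All names and the sample address book are constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import Callable

class CapabilityDenied(Exception):
    """Raised when the user's policy refuses a requested capability."""

@dataclass
class Network:                          # constructed stand-in for a socket
    sent: list = field(default_factory=list)

    def send(self, to, body):
        self.sent.append((to, body))

@dataclass
class Granter:
    """Holds all the mail client's authority, hands out only what the user's
    policy approves, and records every request for later review."""
    authorities: dict
    policy: Callable[[str], bool]
    requests: list = field(default_factory=list)

    def request(self, name):
        self.requests.append(name)
        if not self.policy(name):
            raise CapabilityDenied(name)
        return self.authorities[name]

def love_bug_like_attachment(granter):
    """Untrusted attachment with no ambient authority: it gets only what it asks for."""
    book = list(granter.request("address_book"))  # "Can I read your address book?"
    net = granter.request("network")              # "Can I have a direct connection?"
    for contact in book:
        net.send(contact, "constructed message body")

def run_attachment(policy):
    """Run the attachment under a policy; return (mails sent, requests, denied)."""
    net = Network()
    book = ["alice@example.com", "bob@example.com"]  # constructed address book
    granter = Granter({"address_book": book, "network": net}, policy)
    denied = None
    try:
        love_bug_like_attachment(granter)
    except CapabilityDenied as exc:
        denied = str(exc)
    return len(net.sent), list(granter.requests), denied

grant_everything = lambda name: True           # the naive user
no_network = lambda name: name != "network"    # the user the page describes
```

Under `no_network` the address-book read succeeds but propagation never happens, and `granter.requests` still shows both requests, which is the signal the page says should put a user on guard.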

Capabilities deeper than email

This same solution that could completely protect you from email viruses can also protect most of the parts of the underlying operating system, if applied ubiquitously. As the MSBlaster and Welchia viruses amply demonstrate, the granting of excessive authority is not limited to email attachments, or even to user applications. Modules of code that are lumped together under the title "operating system" are just as grossly over-empowered, with even more catastrophic consequences. The RPC module in Win2k/XP that is breached by MSBlaster et al. needs almost no authority to do its job. Had this RPC module been written with the capability confinement constraints described above for email, there would have been no breach, no virus, no giant media story, no panic, and no loss of computing or financial resources. A couple of more recent links on this topic include The SkyNet Virus: Why it is Unstoppable, and How to Stop It, and Paradigm Regained: Abstraction Mechanisms for Access Control.

Someday, we will learn the lesson, and stop allowing this kind of foolishness. But apparently not yet today :-)

Traveling This Document

The first page of this presentation is the "main" page for Session 1, which can act as an index for traveling swiftly around the topics. You can read this discussion either by branching from the main page, coming back, and branching again, or by clicking the "next" button found on each page to get to the next topic in a linear fashion.

Session 2 is still a work in progress, and is not yet posted.

To begin Session 1, click here.
