My undergraduate thesis on a capability based security system for a data-centric operating system.
cap
+19
-16
+19
-16
3-cap.typ
+19
-16
3-cap.typ
···
6
6
// define a capability
7
7
Capabilities are the atomic unit of security in Twizzler, acting as tokens of
8
8
//NOTE: point forward towards security contexts?
9
-
protections granted to a process, allowing it to access some object in the ways
10
-
it describes. Colloquially a capability is defined as permissions and
11
-
a unique object to which those permissions apply, but in Twizzler we add
12
-
the signature component to allow the kernel to validate that the security policy was created by an authorized party.
9
+
protections that allow a process to access an object in the ways it describes. More
10
+
information about how capabilities interact with processes can be found in section 4.2.
11
+
Colloquially a capability is defined as permissions and a unique object to which
12
+
those permissions apply, but in Twizzler we add the signature component to allow
13
+
the kernel to validate that the security policy was created by an authorized
14
+
party.
13
15
14
16
Thus, a Capability is represented as follows:
15
17
···
20
22
accessor: ObjID, // Security context ID in which this capability resides.
21
23
prots: Protections, // Specific access rights this capability grants.
22
24
flags: CapFlags, // Cryptographic configuration for capability validation.
23
-
gates: Gates, // Additional constraints on when this capability can be used.
25
+
gates: Gates, // Constraints on where permisions are applied.
24
26
revocation: Revoc, // Specifies when this capability is invalid, i.e. expiration.
25
27
sig: Signature, // The signature.
26
28
}
···
30
32
== Signature
31
33
The signature is what determines the validity of the capability. The
32
34
only possible signer of some capability is who ever has permissions to read the
33
-
signing key object, or the kernel itself. The signature is built up of a array with
34
-
a maximum length and a enum representing what type of cryptographic scheme
35
-
was used to create it; quite similar to the keys mentioned previously.
35
+
signing key object, or the kernel itself. The signature is built up of an array with
36
+
a maximum length and an enum representing what type of cryptographic scheme
37
+
was used to create it; quite similar to the keys mentioned in section 2.
36
38
The fields of the capability are serialized and hashed to form the message that gets signed,
37
39
and then stored in the signature field. Currently we support Blake3 and
38
40
Sha256 as hashing algorithms.
···
51
53
// something to think about
52
54
53
55
== Flags
54
-
Currently, flags in capabilities are used to specify which hashing algorithm to use to form a message to be signed. We allow for multiple algorithms to be used to
55
-
allow for backward capability when newer, more efficient hashing algorithms are created.
56
+
Currently, flags in capabilities are used to specify which hashing algorithm was
57
+
used
58
+
to form the message that was signed. We allow multiple algorithms to be used
59
+
to allow for backward capability when newer, more efficient hashing algorithms
60
+
are created.
56
61
57
-
The flags inside a capability is a bitmask providing information about distinct feautures
58
-
of that capability. Currently we only use them to mark what hashing algorithm was used to
59
-
form the message for the signature, but there's plenty of bits left to use.
60
-
We hope for future work to develop more expressive ways of using capabilities, i.e. Decentralized Information Flow Control, as specified in
61
-
6.1.
62
-
62
+
The flags inside a capability is a bitmask providing information about distinct
63
+
feautures of that capability. Currently they only convey the hashing algoritmn
64
+
but there's plenty of bits left to use. We hope for future work to develop more
65
+
expressive ways of using capabilities through the flags.
63
66
// maybe worth discussing delegations if only to describe how they could be
64
67
// extended from capabilities (as a future work ofc)
65
68
//
thesis.pdf
thesis.pdf
This is a binary file and will not be displayed.