CapTP: Distributed Capability Security
Mark Miller, Marc Stiegler
CTO & COO, Combex, Inc.
www.erights.org
www.combex.com
CapTP: Capability Transport Protocol
Object
Capability
Message
Vat
Process /
Machine
●
Distributed Object-Capability Security
●
Communicating Event Loops
●
Asynchronous Pipelined Promises
Overview of CapTP
●
Distributed Capability Security
------------- as time permits: --------------
●
Communicating event loops
Deadlock-free, non-blocking concurrency control
●
Asynchronous Pipelined Promises
Massive latency compensation
“Whiteboard” animation
●
Remaining features
Partition & recovery support, Distr equality
Adversarial distr GC, Partially ordered delivery
Distributed Capability Overview
●
What went wrong?
●
What are object-capabilities?
●
What aren't they?
●
Why capabilities?
●
What's been set right?
●
Distributed caps, how?
●
Patterns and examples
What Went Wrong?
●
●
Walls + holes are no
architecture
ACLs can't do POLA
The cashier & the
wallet
●
Layering Failure:
Pet Store
Java
Solaris
Pet Store
.NET
XP
What Are Object-Capabilities?
●
By Introduction
– ref to Carol
– ref to Bob
– decides to share
Alice says:
bob.foo(carol)
●
●
●
By Parenthood
By Construction
By Initial Conditions
Absolute Encapsulation
● Only source of authority
●
What Aren't They?
Capabilities as Rows
Capabilities as Keys
“Capability Myths Demolished”
Equivalence? Revocability? Confinement?
http://zesty.ca/capmyths/usenix.pdf
Capability Myths Demolished
Models mostly missed virtues of actual systems
Capabilities == O-O Security
●
Capability discipline -> good software engineering
●
Good software engineering -> capability discipline
●
Modularity -> omit needless dependencies
Required trust is a form of dependency
Information hiding -> “need to know”
POLA -> “need to do”
Security is the extreme of modularity
●
Security Abstraction Mechanisms
●
Patterns of Cooperation Without Vulnerability
What's Been Set Right?
●
Designation + Authority is an architecture
Avoids “Confused Deputy” problems
●
POLA emerges naturally
Acts of designation also convey least authority
●
Direct Correspondence
Reify customer's “rights” as objects
Business logic built as security abstractions
“Capability-based Financial Instruments” at FC2000
Distributed Caps, How?
●
Solving both impostor problems
●
Fully decentralized designation and authorization
●
Mobility: (Fingerprint + hint) as network address
Distributed Cap Pattern:
The Revocable Facet
def makeRevoker(var precious) :any {
def r {
to pass(verb, args) :any {
E.send(precious, verb, args)
}
to revoke() { precious := null }
}
def f {
match [verb, args] {
r.pass(verb, args)
}
}
[f, r]
}
“E in a Walnut” www.skyhunter.com/marcs/ewalnut.html
Distributed Cap Example: Money
def makeMint(name) :any {
def [sealer, unsealer] := makeBrandPair(name)
def mint {
to makePurse(var balance :(integer >= 0)) :any {
def decr(amount :(0..balance)) {
balance -= amount
}
def purse {
to getBalance() :any { balance }
to sprout()
:any { mint.makePurse(0) }
to getDecr() :any { sealer.seal(decr) }
to deposit(amount :int, src) {
unsealer.unseal(src.getDecr())(amount)
balance += amount
}
}
}
}
}
Status & Experiences
●
CapTP implemented for Java and E,
in progress for Squeak
●
Switching to WOS serialization standard
●
Capability-secure distr desktop for DARPA
●
Decentralized graphical social virtual reality
Extensible massively multiplayer game
●
Global high-security enterprise infrastructure
●
Tutorial: 5 page capability-secure chat
Overview of CapTP
✔
Distributed Capability Security
------------- as time permits: --------------
●
Communicating event loops
Deadlock-free, non-blocking concurrency control
●
Asynchronous Pipelined Promises
Massive latency compensation
“Whiteboard” animation
●
Remaining features
Partition & recovery support, Distr equality
Adversarial distr GC, Partially ordered delivery
Why no Threads & Locks?
Scylla and Charybdis
Communicating Event Loops
Deadlock-free, non-blocking concurrency control
Known near reference
“Immediate” call-return:
val := bob.foo(carol)
Sequential stacking
no synchronized blocks
Happens now
Partition impossible
Possibly remote reference
“Eventual” one-way send:
promise := bob <- foo(carol)
Event-loop queuing
no synchronized blocks
Happens later, and in order ...
… unless partitioned
Distributed Queuing
Asynchronous Pipelined Promises
Massive latency compensation
t3 := (x <- a()) <- c(y <- b())
Expands to...
t1 := x <- a()
t2 := y <- b()
t3 := t1 <- c(t2)
Message always moves
towards arrowhead.
Remaining CapTP Features
Stay tuned to www.erights.org for more on these
●
Partition & recovery support
Live vs. Sturdy references
●
Adversarial distributed acyclic GC
●
Distributed equality – tricky to define
The Grant Matcher Puzzle
●
Partially ordered message delivery
When can the tortoise pass the hare?
Forks and joins in the message-order graph
●
Distributed causality-flow debugging in progress
Bibliography
●
Capability Myths Demolished zesty.ca/capmyths/usenix.pdf
●
E in a Walnut www.skyhunter.com/marcs/ewalnut.html
●
Capability-based Financial Instruments (the “Ode”)
www.erights.org/elib/capability/ode/index.html
●
Intro to Capability-based Security
www.skyhunter.com/marcs/capabilityIntro/index.html
●
Statements of Consensus
www.erights.org/elib/capability/consensus-9feb01.html
●
The CapTP Protocol (including its VatTP substrate)
www.erights.org/elib/distrib/vattp/index.html
www.erights.org/elib/distrib/captp/index.html
●
WOMP & WOS www.waterken.com/dev/Web/Message/
●
Web sites: www.erights.org www.combex.com www.eros-os.org
www.cap-lore.com/CapTheory www.capidl.org www.waterken.com