Architecture Choices for Security - 2007
Is Functionality with Security an option?
Kenneth Hamer-Hodges
http://www.SIPantic.net/SIPantic

04/18/23 2

Agenda

• The Problems with Security Practice Today
  − The Unacceptable Choice
• An Alternative Architecture
  − Implementing Need to Know
• Demonstrations
  − How to Dine with the Devil
  − No choice between safety or functionality
• Some Thoughts on the Future
  − How soon can we start?

Inviting “Satan to Dinner”

Computer Security is Broken

• XP, Vista, Mac, SELinux, RedHat…
  − Access Control List Architectures
• Consider
  − Web Browsers, Compound Documents
    • Each plug-in needs specific authorities
    • But NOT authority outside its contained areas
  − None need the authority
    • To launch Trojan horses
    • Read and sell confidential data
• A Dark Side is also at work

Ambient Authority Problem

• ACL Grants Authority
  − Desktop programs can do everything a User can do
  − Even bad things
• Some Data Points
  − Monthly security patches
  − By design Browsers run unknown code
  − Millions of lines of OS code
    • Thousands of OS defects
  − 2/3rds of PCs infected in some way
    • http://www.mg.co.za/articlePage.aspx?articleid=299541&area=/insight/insight_tech/
    • http://news.com.com/Expert+IT+industry+has+failed+in+desktop+security/2100-1002_3-6185295.html

Computer Security 1965 - 2007

• History from Multics to Unix, to Windows to Mac OS …
  − No graded security
  − Still ‘privileged modes’
  − Once ‘Hacked’ everything is threatened
• Everything depends upon
  − Firewalls and Anti-Virus
  − Access Control Lists
  − Pop-up requests
  − Certificates
  − Expected to protect but actually enabling threats

The Evolving Malware Threat: Guarding Against Criminal Malware, Roger A. Grimes, InfoWorld security columnist/Microsoft Sr. Computer Consultant, June 26, 2007

Firewalls and Anti-Virus

• Perimeter security systems
  − May be applied to one or more computers
• Cannot discriminate internal trust
  − Between applications
• Once Infections breach the wall
  − All the assets within are damaged goods
• Only block expected attacks
  − No “Zero-Day” security
  − Detection rate ~80%

Access Control Lists

• Identity Based Access Control
  − The abstraction of ID Cards
• Limitations
  − No Trust Discrimination by domain
  − Hard to Change & Role Explosion
  − Open to embedded viruses
• Why not?
  • Run application in private space
  − Polaris demonstration (Later)
• Far too complex for typical users

Security Assertion Markup Language (SAML): At the heart of most SAML assertions is a subject (a principal – an entity that can be authenticated – within the context of a particular security domain) about which something is being asserted.

The Pop Up

• Stop and give me your valuables
  − Give up and Punt Security
  − Let the User take the Hit
• Antithesis of Usability
  − Abdication of security responsibility
• Uninformed choice
  − Just Say No - or
  − Sooner or Later you get infected

Certificates

• Authenticates the authors
  − A false sense of security
• Even Satan can sign
  − Embed a Virus in a DLL
  − Proof it came from Satan is not proof that it is safe
• Exploit bugs in Certified code
  − Load a poorly written but signed driver then exploit it!
• The result is the same
  − Regardless of who, how & why?

Should you run downloaded software... A digital signature identifies the publisher of the software and verifies that the software has not been tampered with since it was signed. [BUT WITH OR] Without a valid digital signature, you have no way to verify that the software is what it claims to be.

Blue Pill (Joanna Rutkowska)

• Links
  − Subverting Vista Kernel For Fun And Profit
    • J Rutkowska, Black Hat USA 2006
  − Hardware Virtualization Based rootkits
    • Dino Dai Zovi, Black Hat USA 2006
  − Blue Pill Detection
    • Edgar Barbosa, SyScan 2007
  − Compatibility is Not Transparency: VMM Detection Myths and Realities
    • Tal Garfinkel et al., HotOS 2007
  − Blue Pill Detection In Two Easy Steps
    • Keith Adams
  − IsGameOver.ppt
    • Rutkowska & Tereshkin, Black Hat USA 2007

The Result: Some Very Powerful Programs

• Any program (including all of these) can
  − Watch what I do
  − Access or delete my files and
  − Search/use my email

The Unacceptable Choice!

• Either Functionality
  − Run as Administrator
  − Exposure all the time
  − Depend upon Firewall & AV
  − Open items at your risk
  − PC grinds to a Halt
• Or Security
  − Multiple Login and Passwords
  − Dysfunctional Browsing
  − Deny Pop-Ups
  − Ignore Certificates
  − Work still Grinds to a Halt

Site Password Tool

• You have accounts at many sites
  − One password for all sites or different for each?
• Site Password
  − A different password for each site
    • A hard password in the first field
    • An easy name for the site
    • The tool computes a complex password for that site
• Thanks to Alan Karp et al at HP Labs
  • Technical Report
  • Python version
  • Windows executable
  • The source for the Windows
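An added example, not Alan Karp's tool or its algorithm: one way a site-password tool can derive a per-site password from the hard master password and the easy site name. The derivation shown (HMAC-SHA256 with a counter, so the result always meets an assumed character-class policy) and the function names are assumptions of this example.

```python
import base64
import hashlib
import hmac


def meets_policy(password):
    """Assumed site policy: lower, upper, digit and one of the base64
    symbols '+' or '/' must all be present."""
    return (any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in "+/" for c in password))


def site_password(master, site_name, length=12):
    """Derive a deterministic per-site password.

    The master password is the HMAC key and the site name is the message,
    so the same (master, site) pair always yields the same password, and a
    password leaked by one site gives no direct way back to the master or
    to other sites' passwords (HMAC is one-way). A weak master can still be
    brute-forced offline from a leaked site password, which is why the
    first field must be a hard password.
    """
    # normalise so "Bank", "bank" and " bank " all name the same site
    site = site_name.strip().lower()
    counter = 0
    while True:
        message = f"{site}:{counter}".encode()
        digest = hmac.new(master.encode(), message, hashlib.sha256).digest()
        # base64 mixes upper, lower, digits and '+' '/' as the symbol set
        candidate = base64.b64encode(digest).decode()[:length]
        if meets_policy(candidate):
            return candidate
        # re-derive with the next counter until the policy is satisfied;
        # the sequence is deterministic, so the result is still reproducible
        counter += 1
```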


Check Point Summary

• Well behaved programs are “Tooth Fairies”
  − They don't exist
• Few need authority to
  − Access all files
  − Install Trojan horses and
• Should never be given such authority
  − Allows only the authorities needed
    • Write access to one or a few needed files
    • Render impotent Trojan horse or Virus

The Need to Know Rule

• Principle Of Least Privilege/Authority
• Depend Upon Capabilities
  − The un-forgeable, transferable right to communicate with an object
• No Privileged Modes
  − Modularity is uniformly clear and enforced
• Dynamic Messaging with Run-time Guards
  − Deadlock Avoidance since binding can be cut by the system

MAC and JSM

• Mandatory Access Control
  − Oblivious Compliance
    • A right cannot be transferred if the transfer violates some external policy
  − Centralized Policy Control
    • 20th century “imperial ACL-think”
• Java Security Manager
  − Closest to being useful
    • Some powerful authorities selectively managed
    • Can place modules inside trust realms
  − With a few lines of code
    • Control the browser's user interface
  − Spoof the user (again and again)

A Change In Thinking

• Stop asking “Who are you?”
  − Session based by Login rights
• Start asking “Is this authorized?”
  − Action related to Interface (Facets)
• Build Trust Relationships
  − Capabilities are Interfaces Protected by Contracts
  − A facet can access a subset of the authorities of a powerful object
  − Base Policy controls only on Needs
  − Get more Functionality with better Security

http://wiki.squeak.org/squeak/3770

Plessey System 250, c. 1972

Capability Security

• Defense-in-depth
  − Locks and Keys in the abstract
  − Natural and intuitive for POLA
  − Works in Networks for Distributed Systems
  − Proven commercially [Plessey Multiprocessor]
• With the single act of Designation
  − A mouse Click or Pass by Reference
  − Convey the (needed) object(s)
  − Grant the limited (necessary) authority
• Revocation is in Real Time
  − By changing the lock, cutting the link
  − Revokers only hold power to revoke an authority

Capability PP-250 & E

• E Lang - Networked Capability to <Counter ++1>
  − captp://*[email protected]:2188/2xaukqqehpuktvjmhaox22rfgfyqwgys

Further Research Links

• Early Publications
  − Jack B. Dennis, Earl C. Van Horn, Programming Semantics For Multiprogrammed Computations (1966)
  − Hamer-Hodges, "A Fault-Tolerant Multiprocessor Design for Real-time Control", Computer Design, Dec. 1973, pp. 75-81.
• Easy to Find Links
  − Stiegler, “E in a Walnut,” http://www.skyhunter.com/marcs/ewalnut.html
  − Mark Miller, Chip Morningstar, Bill Frantz, “Capability-based Financial Instruments,” Proceedings of Financial Cryptography 2000, http://www.erights.org/elib/capability/ode/index.html
  − Jonathan Rees, "A Security Kernel Based on the Lambda-Calculus", (MIT, Cambridge, MA, 1996) MIT AI Memo No. 1564. http://mumble.net/jar/pubs/secureos/
  − J. S. Shapiro, S. Weber; “Verifying the EROS Confinement Mechanism,” Proceedings of the 2000 IEEE Symposium on Security and Privacy. http://www.eros-os.org/papers/oakland2000.ps

Functionality from Security!

• IBAC relates to roles
  − Users subscribe to services
    • Needs to know all users and what each can do
    • Must be updated every time a user changes
  − Scalability is a problem
    • Too Many clients
  − Password Problems!
  − Client changes become Server problems!
• ABAC relates to contracts
  − Service sells capabilities
    • As access to a contract
    • Clients manage them
  − Distribute by roles
    • A set of capabilities for each contract
  − Includes a way to revoke
  − No Password needed!
  − Client Changes are correctly the Client problem!

Authorization-Based Access Control for the Services Oriented Architecture, Alan H. Karp, HP Laboratories Palo Alto

CapBox Demos

• Polaris
  − Give each program only the permissions it needs
  − Polaris changes the way programs are launched
  − Invite Satan to dinner
• E Language
  − A quick peek at distributed objects
• CapDesk, PowerBox and the Darpa Browser
  − Capability based DeskTop Application Launching
  − Rendering is capability confined
    • Including the field to display the URL

Polaris - Beta 1.0

• Principle of Least Authority for Real Internet Security
  − Polaris – HP Labs
    • Alan Karp et al
  − Protects from viruses
    • From opening email attachments
    • Macro viruses contained in files you use
    • Trial Programs you launch
    • Scripts on web pages you visit
    • Email images you view

http://web.hpl.hp.com/personal/akarp

Polaris Confinement

• By adhering to POLA
  − Polaris reduces vulnerability
• Any Application can be
  − Polarized as a Pet
  − Each Pet starts with
    • An almost empty
      − Desktop
      − My Documents
    • A Set Up endowment
    • The File that was clicked
  − A virus in this program
    • Is Confined
    • Can do limited damage

A program launch - Run-As “POLAxxxyyyzzz”
With minimum authorities: only those needed to run

Satan’s Excel Macro Demo

• Run powercmd if not already running
• OpenSafe or Double click on files with xls and
  − This keeps a copy (for POLAexcel) and the original synchronized
  − Powercmd then starts Excel running as if it were launched by the user polass7sAaJDp708
    • To read their libraries, fonts, etc.
  − Pet accounts have an installation endowment
  − The permissions they get every time they start
  − The endowment includes permission to READ
    • c:\Program Files and c:\Windows directories
    • Read and WRITE permission to the PET folders
• Malicious code even from Satan himself can only
  − Read the files in its installation endowment
  − Read names of directory and files (XP feature)
  − Write to the files opened with the Pet

POLA IE, Email and Outlook

• Outlook
  − PolarisLaunch button
  − Also on each email
• For the type of attachment
  − Polaris will use that Pet or
  − Launch in an IceBox
    • Typically a browser, no address bar to exploit
• Not all work this way
• Otherwise
  − Save to disk, open from there
    • First Virus scan the file
  − Note
    • Won't protect against Zero-Day or unrecognized virus

Polaris Summary

• More functionality
  − Safely ignore macros
• More Useable
  − Not bothered with security dialog boxes
• More security
  − Viruses do not hurt
• All because
  − POLA for individual applications Pets
  − Pets have limited rights
  − Only edit the file clicked
• Runs on XP
  − Does not depend upon Capabilities
• Satan’s Macro
  − Enabled but confined
  − The PC does not get infected

E Programming Platform

• Support capability security
  − Local and distributed contexts
  − Open source system
  − E programming language
• Robust
  − Operational software has been deployed
  − DarpaBrowser project
  − Still a work in progress
  − Not yet feature complete

http://www.erights.org/

When programming in E, you are automatically working in a capability secure environment. All references are secure references. All powers are accessible only through capabilities. Making an E program secure is largely a matter of thinking about the architecture before you code, and doing a security audit after you code.

E and CapDesk

• Capability secure distributed file management
• Fine-grain grants of authority
• Easy file service configuration
• Ad-hoc virtual private networking
• Minimal-Authority application-launching environment
• Integration of usability, security, and functionality
• Invulnerability to over-the-network attack

[Diagram labels: Point-and-click; Capability-confined launch; Applications/Web Browser; Negotiates endowments; Authority granted on launch; Prevent window forgery]

E Language Demo

• Capability-based security
• Encrypted Communication
• Deadlock avoidance
• Promise pipelines
• Alice pays Bob $10
  − Only a currency mint can violate that currency
  − The mint can only inflate its own currency
  − No one can affect a purse balance they don't own
  − Two purses of a currency can transfer money
  − Balances are always non-negative
  − Rely on reported deposits if one trusts the purse
  − Rights Amplification

E-on-Java Download Page - licensed under Mozilla or Mozilla compatible open source license. E on Common Lisp - Kevin Reid's implementation of E on Common Lisp.

Distributed Capability Demo

• Distributed Counter Access
• VatB
  − Bob
• VatA
  − Alice & Carol

E REPL session in vat VatA (makes the counter reachable through a sturdy reference written to a file):

    ? in new vat VatA
    ? introducer.onTheAir()
    ? var x := 0
    ? def counter {
    >     to incr() :any {
    >         x += 1
    >         x
    >     }
    > }
    ? counter.incr()
    ? x
    ? def sr := makeSturdyRef.temp(counter)
    ? def uri := introducer.sturdyToURI(sr)
    ? <file:counter.cap>.setText(uri)

E REPL session in vat VatB (reads the URI back and invokes the remote counter):

    ? in new vat VatB
    ? introducer.onTheAir()
    ? def uri := <file:counter.cap>.getText()
    ? def sr := introducer.sturdyFromURI(uri)
    ? def remote := sr.getRcvr()
    ? remote.incr()

Capability Security Demo

• Alice Pays Bob $10.00

[Diagram: a mint with a name and a sealer/unsealer pair; makePurse creates purses; Alice's purse goes from $100 to $90 and Bob's from $200 to $210 as a $10 payment purse is created from $0, via buy and two deposit steps]
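As an added example, written in Python rather than E and not the erights.org mint code: the mint, purse and sealer/unsealer structure that the E Language Demo bullets and the diagram above describe, with the Alice-pays-Bob-$10 scenario. make_brand, make_mint and alice_pays_bob are names assumed by this example, and Python cannot enforce the encapsulation E does (a box's contents remain reachable by reflection), so this shows the pattern, not a hard boundary.

```python
def make_brand(name):
    """A sealer/unsealer pair (the "brand" pattern). Anyone holding `seal`
    can wrap a value; only the holder of the matching `unseal` can unwrap it.
    A fresh class per call means boxes from another brand fail the check."""
    class SealedBox:
        __slots__ = ("_contents",)

        def __init__(self, contents):
            self._contents = contents

    def seal(contents):
        return SealedBox(contents)

    def unseal(box):
        if type(box) is not SealedBox:
            raise TypeError(f"box was not sealed by the {name} brand")
        return box._contents

    return seal, unseal


def make_mint(name):
    """Returns make_purse for a new currency. Holding make_purse is the
    authority to create money; it can only inflate this currency."""
    seal, unseal = make_brand(name)

    def make_purse(initial_balance):
        if initial_balance < 0:
            raise ValueError("balances are never negative")
        balance = initial_balance

        def decr(amount):
            # the only way to lower this balance; never handed out unsealed
            nonlocal balance
            if not 0 <= amount <= balance:
                raise ValueError("amount must be between 0 and the balance")
            balance -= amount

        class Purse:
            def get_balance(self):
                return balance

            def sprout(self):
                # an empty purse of the same currency, carrying no mint power
                return make_purse(0)

            def get_decr(self):
                # sealed, so only a purse of this same mint can ever call it
                return seal(decr)

            def deposit(self, amount, source):
                # rights amplification: holding both purses of one currency
                # yields the authority to move money from source to self;
                # a purse of another currency fails at unseal with TypeError
                nonlocal balance
                unseal(source.get_decr())(amount)
                balance += amount

        return Purse()

    return make_purse


def alice_pays_bob(amount=10):
    """The slide scenario: Alice ($100) pays Bob ($0) through a payment
    purse. Returns (alice_balance, bob_balance)."""
    make_purse = make_mint("constructed-dollars")
    alice = make_purse(100)
    bob = make_purse(0)
    payment = alice.sprout()          # Alice creates an empty purse
    payment.deposit(amount, alice)    # and moves $10 into it
    bob.deposit(amount, payment)      # Bob drains the payment into his purse
    return alice.get_balance(), bob.get_balance()
```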


CapBox Architecture

• CapDesk/DarpaBrowser
  − Use Capabilities
  − A manager on behalf of a confined application
    • Granting authority
    • Revocation
  − Launches an app
    • Conveys the endowed authorities
    • Negotiates authorities during execution
  − For the application
  − With the user
  − For revocation

Capability Delegation

• Communication only by messages on references
  − Reference graph == Access graph
• Connectivity leads to Security

    def makeReadOnlyFile(fullPowerFile) {
        def readOnlyFile {
            to getBytes() { return fullPowerFile.getBytes() }
        }
        return readOnlyFile
    }

I say: myLawyer.myDeath(myReadOnlyWill)
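An added example in Python rather than E (not code from the slides or the E project): the attenuating facet of makeReadOnlyFile above, combined with the real-time revocation described on the Capability Security slide, where the revoker holds only the power to revoke. FullPowerFile, make_revocable and will_scenario are constructed names; as with any Python illustration, the language does not stop a determined holder from reaching the closure state, so a hard boundary needs an object-capability language such as E.

```python
class FullPowerFile:
    """Constructed stand-in for a file object with full read/write authority."""

    def __init__(self, data):
        self._data = data

    def get_bytes(self):
        return self._data

    def set_bytes(self, data):
        self._data = data


def make_read_only_file(full_power_file):
    """Attenuation (the slide's makeReadOnlyFile): the facet forwards only
    get_bytes, so whoever holds the facet can never reach set_bytes."""
    class ReadOnlyFile:
        def get_bytes(self):
            return full_power_file.get_bytes()

    return ReadOnlyFile()


def make_revocable(target):
    """Caretaker pattern: a forwarder plus a separate revoke authority.
    Holding `revoke` cuts the link at any time and grants nothing else."""
    slot = [target]

    class Forwarder:
        def __getattr__(self, name):
            current = slot[0]
            if current is None:
                raise PermissionError("capability has been revoked")
            # forward the message to the live target
            return getattr(current, name)

    def revoke():
        slot[0] = None

    return Forwarder(), revoke


def will_scenario():
    """The slide's myLawyer.myDeath(myReadOnlyWill): the lawyer receives a
    revocable, read-only facet of the will. Returns what the lawyer could do."""
    will = FullPowerFile(b"constructed will contents")
    lawyer_view, revoke = make_revocable(make_read_only_file(will))
    seen = lawyer_view.get_bytes()
    can_write = hasattr(lawyer_view, "set_bytes")  # False: attenuated facet
    will.set_bytes(b"amended")                       # the owner keeps full power
    seen_update = lawyer_view.get_bytes()            # the facet sees the live object
    revoke()                                         # cut the link in real time
    try:
        lawyer_view.get_bytes()
        readable_after_revoke = True
    except PermissionError:
        readable_after_revoke = False
    return seen, can_write, seen_update, readable_after_revoke
```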


The Confused Deputy Solved

• Access Secure Abstractions
• All Classes are also gatekeepers
• Use normal behaviour to control security policy
• Further limits actual authority
• Leads to POLA by degrees

[Diagram labels: Full Trust 2nd Party; Un-trusted 2nd Party; 2nd & 3rd Party Isolated; Perimeter Security; Confinement; 2nd & 3rd Party Connected; Confused Deputy; Communicating Conspirators]

POLA Rules for Grandma

• Just say no when an Application
  − Asks for additional different authorities
  − Asks to read or edit anything more than a Desktop folder
  − Asks for edit authority on other stuff
  − Asks for read authority on odd stuff, with a connection to the Web
• If an Application Install..
  − Proposes a name or an icon
    • Give it a new name and new icon and a new folder path
  − Asks for Web access, beyond 1 or 2 specific sites
    • Always say No unless it is a trusted Web browser

http://www.combex.com/papers/darpa-report/DarpaBrowserFinalReport.doc

What of the Future?

• Object Oriented Programs
  − More implementations that support good software modularity
• Principle Of Least Authority (POLA)
  − PowerBox tools based on “Need to Know”
• Capabilities
  − Languages with embedded guarantees for POLA access to Networked Objects
• CapBox Security
  − Where only “a knowledge of, gives some right of use"

Object Capability Time Line

• 196x: Dennis & Van Horn - MIT - PDP-1 Supervisor, Bob Fabry - Magic Number Machine - U of Chicago, Hamer-Hodges, England et al System 250 - Plessey Corporation, Simula Dahl, Myhrhaug and Nygaard at the Norwegian Computing Center, Oslo
• 197x: Roger Needham, M Wilkes CAP - Cambridge University, Bill Wulf Hydra Carnegie Mellon, Butler Lampson Sturgis – CAL-TSS, RATS & NLTSS - Lawrence Livermore, Actors MIT, PSOS SRI, StarOS Carnegie Mellon, GNOSIS/KeyKOS – Tymshare, System/38 – IBM
• 198x: Smalltalk Alan Kay et al at Xerox PARC, Objective-C Brad Cox and Tom Love at Stepstone, Steve Jobs NeXT machine, Bjarne Stroustrup in his development of C++, Amoeba - Free University Amsterdam, iAPX 432 - Intel
• 199x: EROS and E - Jonathan Rees's thesis on W7, J-Kernel
• 200x: CapDesk, PowerBox, DarpaBrowser, Polaris

Finally…? From DeskTop to CapBox

From Web Explorers to CapBrowsers

CapDesk will Polarize the DeskTop <- Pola-Vista

Google is developing Capability Based Network Browsing

Unquestionably more to come on both Object-Capabilities and POLA