Paradigm Regained: Abstraction Mechanisms for Access Control
Google TechTalks, July 12, 2006

Mark Miller
Open Source Coordinator, E Project at erights.org

Dr. Miller is a designer of several distributed secure programming languages, including Vulcan for Xerox PARC, Trusty Scheme for AutoDesk, Joule for Agorics and Fujitsu, Tclio for Sun Labs, and E for Electric Communities, ERights.org, Combex, and HP.

ABSTRACT

The first Authorization Based Access Control (ABAC) model dates from Dennis and van Horn's 1965 Supervisor. Strikingly, their paper does not mention security as a separate concern. Rather, they considered modularity, naming, abstraction, composition, and security as inherently related problems, to be simultaneously addressed by a unified set of abstraction mechanisms. The close relationship between their model, lambda calculus, and object-oriented languages was appreciated and stated clearly by the mid-1970s. To emphasize these relationships, we term their model "object-capabilities".

Unfortunately, the formal models of access control used in the academic security literature created a tragic disconnect between theory and practice. These models implicitly assumed away the power that abstraction contributes to security. With these blinders on, security theorists then "proved" that object-capability systems could not enforce various basic policies, despite the existence of actual systems that were already doing so.
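As an added illustration (not part of the talk, the paper, or the E project's code), the closure-based patterns below show what the abstract means by abstraction contributing to security: a read-only facet and a revocable caretaker are ordinary object abstractions, yet they enforce attenuation and revocation, the kind of basic policy the abstract refers to. The file object and every name here are constructed for the example; an object-capability language such as E would express the same thing natively.

```javascript
'use strict';

// A primitive capability: holding a reference to this object IS the authority.
// (Constructed stand-in for a file; the names are the example's own.)
function makeFile(initial) {
  let contents = initial;
  return Object.freeze({
    read: () => contents,
    write: (s) => { contents = s; },
  });
}

// Attenuation: a read-only facet exposes a strict subset of the authority.
// The holder cannot reach `write` because the facet never references it.
function makeReadOnly(file) {
  return Object.freeze({ read: () => file.read() });
}

// Revocation via a caretaker: the forwarder is handed out, `revoke` is kept
// by the grantor. After revoke(), calls through the forwarder fail; the
// underlying object and every other holder are unaffected.
function makeRevocable(target) {
  let t = target;
  const forwarder = Object.freeze({
    read: () => { if (t === null) throw new Error('revoked'); return t.read(); },
    write: (s) => { if (t === null) throw new Error('revoked'); t.write(s); },
  });
  const revoke = () => { t = null; };
  return { forwarder, revoke };
}

// Composition: the patterns nest without any change to `makeFile`.
function demo() {
  const file = makeFile('hello');
  const { forwarder, revoke } = makeRevocable(file);
  const ro = makeReadOnly(forwarder);                 // revocable AND read-only
  const before = ro.read();                           // 'hello'
  forwarder.write('changed');                         // full forwarder may write
  const seenWrite = ro.read();                        // 'changed'
  const roHasWrite = typeof ro.write === 'function';  // false: no write facet
  revoke();                                           // grantor withdraws access
  let afterRevoke;
  try { ro.read(); afterRevoke = 'still accessible'; }
  catch (e) { afterRevoke = e.message; }              // 'revoked'
  const ownerStill = file.read();                     // 'changed': owner unaffected
  return { before, seenWrite, roHasWrite, afterRevoke, ownerStill };
}
```

Note that no access-control list or identity check appears anywhere: who may read or write is decided entirely by which references were handed out.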