feat: add capability prescripts — LoggedCap (audit trail) and DualKey#40
Merged
feat: add capability prescripts — LoggedCap (audit trail) and DualKey#40
Conversation
…Cap (dual authorization)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Primarily following from these papers:
Saltzer & Schroeder (1975), specifically two design principles:
LoggedCap implements Design Principle #8: Compromise Recording — "mechanisms that reliably record that a compromise of information has occurred can be used in place of more elaborate mechanisms that completely prevent loss." The paper notes that "many computer systems record the date and time of the most recent use of each file. If this record is tamperproof and reported to the owner, it may help discover unauthorized use."
LoggedCapdoes this — append-only, tamper-resistant (noclear()orremove()methods), records timestamp + permission + outcome for every exercise.DualKeyCapimplements Design Principle #5: Separation of Privilege — "a protection mechanism that requires two keys to unlock it is more robust and flexible than one that allows access to the presenter of only a single key." The paper gives the nuclear launch example: "two different people both give the correct command." ApproverA and ApproverB being!Clonemove-only handles enforces that once distributed, no single holder can approve both sides.Both types also implement the paper's prescript concept (Section II.C.4) — "a rule that must be followed before access to an object is permitted, thereby introducing an opportunity for human judgment." The paper lists five prescript actions: (1) no action, (2) audit trail logging, (3) cooling-off delay, (4) buddy system approval, (5) external authorization signal. LoggedCap is prescript #2, DualKeyCap is prescript #4.
Secondary connections:
Cap::new()being pub(crate) is the software analog of their hardware-enforced capability creation.!Has<P>design on both types preserves Wyvern's non-transitive authority property — holding aLoggedCap<FsRead>does not give you the same authority as holding aCap<FsRead>, because you must go through the fallibletry_cap()gate. This is the "caretaker" pattern from the object-capability literature that Melicher formalizes.