Butler Lampson
Citation: In Software System Reliability and Security, Proceedings of the 2006 Marktoberdorf Summer school.
Links: Abstract, Acrobat, Web page, Word. Slides for the lectures, which present much of the same material, are here.
Email: blampson@microsoft.com. This paper is at http://research.microsoft.com.
Abstract:
The standard model for computer security is access control: deciding whether or not to accept a request from a source to do an operation on an object. Determining the source of a request is called authentication; deciding whether to accept it is called authorization.
In a system with many parts, especially when they are managed by different authorities, determining the source of a request is not simple. The authorization policy is probably something like “members of the Alpha project team may read and write the files in the /projects/alpha directory”. The direct information that the object has about the source of the request is usually that it was signed by some cryptographic key. These lectures are about bridging the gap between the key and the project team.
The key ideas are principals, a relation between principals called “speaks for”, a logic for reasoning about what resources a principal can speak for, and rules for abstracting from the bits exchanged among interacting parties to logical formulas. These ideas provide a way to reason formally about delegation, names, groups, computer systems, applications, and authorization policy.
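As an added illustration of the chain the abstract describes (this is example code written for this page, not code from Lampson's lectures), the following builds the reflexive, transitive closure of a small “speaks for” relation and uses it to decide an access request: a key speaks for a person, the person speaks for the Alpha team group, and the ACL on /projects/alpha names only the group. The principal names (K_alice, Alice, AlphaTeam, K_bob, Bob) are constructed sample values.

```python
# Added example (not from the paper): a tiny "speaks for" reasoner.
# Principals are plain strings: keys ("K_alice"), people ("Alice") and
# groups ("AlphaTeam"); all of these names are constructed for the example.
from typing import Dict, List, Set, Tuple

# rel[A] = set of principals B such that "A speaks for B".
SpeaksFor = Dict[str, Set[str]]


def add_speaks_for(rel: SpeaksFor, a: str, b: str) -> None:
    """Record the fact "a speaks for b"."""
    rel.setdefault(a, set()).add(b)


def closure(rel: SpeaksFor, a: str) -> Set[str]:
    """Every principal that a speaks for, including a itself
    (speaks-for is reflexive and transitive)."""
    seen = {a}
    stack = [a]
    while stack:
        p = stack.pop()
        for q in rel.get(p, ()):
            if q not in seen:
                seen.add(q)
                stack.append(q)
    return seen


# acl[obj] = list of (principal, operations that principal may perform).
Acl = Dict[str, List[Tuple[str, Set[str]]]]


def authorize(rel: SpeaksFor, acl: Acl, signer: str, op: str, obj: str) -> bool:
    """Accept the request iff the signing key speaks for some principal
    to which the ACL on obj grants op."""
    speakers = closure(rel, signer)
    return any(p in speakers and op in ops for p, ops in acl.get(obj, []))


def build_example() -> Tuple[SpeaksFor, Acl]:
    rel: SpeaksFor = {}
    add_speaks_for(rel, "K_alice", "Alice")    # Alice's key speaks for Alice
    add_speaks_for(rel, "Alice", "AlphaTeam")  # Alice is a member of the team
    add_speaks_for(rel, "K_bob", "Bob")        # Bob has a key but is not a member
    acl: Acl = {"/projects/alpha": [("AlphaTeam", {"read", "write"})]}
    return rel, acl


if __name__ == "__main__":
    rel, acl = build_example()
    print(authorize(rel, acl, "K_alice", "write", "/projects/alpha"))  # True
    print(authorize(rel, acl, "K_bob", "read", "/projects/alpha"))     # False
```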