About: Capability-based security is a research topic. Over its lifetime, 14 publications have been published within this topic, receiving 521 citations. The topic is also known as: capabilities.
TL;DR: A capability-based access control system that enterprises, or even individuals, can use to manage their own access control processes for services and information; it supports rights delegation and more sophisticated access control customization.
TL;DR: A capability-based security enforcement architecture that enables data authenticity in NDN in a distributed manner and throttles flooding-based DoS attacks from unsolicited packets is proposed.
Abstract: Named data networking (NDN) enhances traditional IP networking by supporting in-network content caching for better bandwidth usage and location-independent data accesses for multi-path forwarding. However, NDN also brings new security challenges. For example, an adversary can arbitrarily inject packets to NDN to poison content cache, or access content packets without any restrictions. We propose capability-based security enforcement architecture (CSEA), a capability-based security enforcement architecture that enables data authenticity in NDN in a distributed manner. CSEA leverages capabilities to specify the access rights of forwarded packets. It allows NDN routers to verify the authenticity of forwarded packets, and throttles flooding-based DoS attacks from unsolicited packets. We further develop a lightweight one-time signature scheme for CSEA to ensure the timeliness of packets and support efficient verification. We prototype CSEA on the open-source CCNx platform, and evaluate CSEA via testbed and Planetlab experiments. Our experimental results show that CSEA only incurs around 4% of additional delays in retrieving data packets.
TL;DR: A new security paradigm based on meta objects, which can be attached to object references and control access to the corresponding objects, and which help to separate security policies from application code and thus support reuse.
Abstract: Object-based programming is becoming more and more popular and is currently conquering the world of distributed programming models. In object-based systems, access control is often based on capabilities, as capability-based security is a well-known paradigm. It has been extended by means to restrict, revoke, and expire capabilities. On the other hand, capabilities have serious drawbacks. First, in object-based systems, programming is based on the frequent exchange of object references (i.e., capabilities). Thus, it is hard to check which parts of an application are able to gain control of a certain capability. This becomes even harder if we consider distributed object-based systems like Java RMI and CORBA. Second, a capability usually cannot prevent method invocations from leaking unprotected references as return values. Transitive access control is not possible in a transparent way, which is independent of the code describing the invocation. We present a new security paradigm based on meta objects. Meta objects can be attached to object references and control access to the corresponding objects. Meta objects offer the same functionality as capability-based security. In addition, they can be used for implicit and transitive access control of object references passed as a parameter or as a result. Such a reference can be automatically protected by the meta object by attaching itself or another meta object to the reference before passing it on. Meta objects can implement arbitrary and user-defined security policies. They help to separate security policies from application code, and thus support reuse.
TL;DR: SpartanRPC, a secure middleware technology for wireless sensor network (WSN) applications supporting cooperation between distinct protection domains, is described; it incorporates a capability-based security architecture for protection of RPC resources in a heterogeneous trust environment.
Abstract: In this paper we describe SpartanRPC, a secure middleware technology for wireless sensor network (WSN) applications supporting cooperation between distinct protection domains. The SpartanRPC system extends the nesC programming language to provide a link-layer remote procedure call (RPC) mechanism, along with an extension of nesC configuration wirings that allow specification of remote, dynamic endpoints. SpartanRPC also incorporates a capability-based security architecture for protection of RPC resources in a heterogeneous trust environment, via language-level policy specification and enforcement. We discuss an implementation of SpartanRPC based on program transformation and AES cryptography, and present empirical performance results.
TL;DR: BottleCap is introduced, a capability container that binds capabilities to the machine to which they are issued, holding their secrets in sealed storage, preventing the delegation of the rights they represent except under the supervision of BottleCap.
Abstract: In distributed systems, capability-based security provides substantial performance and scalability advantages over traditional user-based authentication. Unfortunately, the usual implementation of this concept in a networked context, the password capability, suffers from problems of uncontrolled rights propagation: once a capability has been issued, its issuer no longer has any control over its delegation. Its password can be disseminated, maliciously or accidentally, in arbitrary ways. This paper introduces BottleCap, a capability container that addresses this problem. Using Trusted Computing technologies, BottleCap binds capabilities to the machine to which they are issued, holding their secrets in sealed storage. Users can still freely wield the rights represented by the capabilities they hold, but cannot discover the secrets underpinning those capabilities, preventing the delegation of the rights they represent except under the supervision of BottleCap.