CSR---PDOS: Distributed Capability Systems
University Of Maryland, College Park, College Park MD
Investigators
Abstract
This project is developing a novel capability-based security infrastructure for wide-area collaborative systems, especially file systems. The new capability-based approach (chits) provides the ability to enforce several strong security invariants, without compromising the traditional advantages of capabilities in localized control and efficiency. The resulting functionality addresses a number of issues that have previously prevented capabilities from being widely used in distributed systems. This system is based around the concept of a chit, which is a new form of capability that permits fine-grained manipulation of both the set of data that is the chit's target, and of the set of rights that the chit materializes. Chits also support defining and verifying flexible identities, allowing them to implement security policies that range from allowing anonymous access to providing strict accountability. Chits permit remote delegation, allowing users to, without contacting a server, derive new chits that will grant other users (limited) access to (a subset of) the data. Remote delegation decouples the specification of access control policy from its application. Chits permit fine grained revocation, allowing a chit holder to deny accesses to (a subset of) data. Chits provide an effective means of creating collaborative applications in which users, not servers and administrators, define policy and grant access to other users. A formal taxonomy of chit operations and rights is being developed, the chits are being embedded a general chit library, and the library is being used to build a collaborative file system.
View original record on NSF Award Search →