SEC: object security

[Mike Prince]

On Mon, 31 Oct 1994, Chris Harris wrote:

> As for securing object handles, I propose the following: each object, 
> process, or whatever our unit of allocation for security, would have a 
> patch of memory that could only be accessed by the OS.  When you first 
> access an object, you specify what offset into this protected area to use 
> as the handle.  If access is allowed, the appropriate area of the secure 
> memory is updated to include the handle.  From then on, you could pass 
> the offset into the protected area instead of a handle.  The OS 
> would decode this, and use what it finds as the handle.  While it might 
> be slightly slower, it would be impossible to "guess" an object's handle, 

Nah, computers are good at chugging through lots of numbers to guess 
something.  You are going along the lines of a "key".  Show the key, 
access the object.  Why use an offset which is limited by the size of the 
object, just say its a key of n bits and store it at the beginning.

We are going to run into some problems in a distributed environment.  
Your agent, with keys, is running around, gets mugged and the keys are 
stolen.  Now someone else can issue an agent using copies of those keys 
to nab your data.  (You can see I'm having fun with these anologies).

One solution is to create a new key for each access.  A key is stolen and 
at worst 1 try at the data can happen.  Combine that with some logging of 
Agent origins and you might be able to trace it home.  Get enough 
workspaces to "convict" a rogue tool box/workspace and have it shut down.

Just having some fun with analogies, but the real world provides us with 
solutions to many of our computer problems.

Mike