Summary: Code-Carrying Authorization
Sergio Maffeis2,3, Martín Abadi1,2, Cédric Fournet1, and Andrew D. Gordon1
1 Microsoft Research
2 University of California, Santa Cruz
3 Imperial College London
Abstract. In authorization, there is often a wish to shift the burden of proof to
those making requests, since they may have more resources and more specific
knowledge to construct the required proofs. We introduce an extreme instance of
this approach, which we call Code-Carrying Authorization (CCA). With CCA,
access-control decisions can partly be delegated to untrusted code obtained at
run-time. The dynamic verification of this code ensures the safety of authorization
decisions. We define and study this approach in the setting of a higher-order spi
calculus. The type system of this calculus provides the needed support for static
and dynamic verification.
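The abstract describes shifting the burden of proof to the requester: the party asking for access assembles the evidence, and the reference monitor only verifies it. The following Python is an added illustration of that division of labour and is not code from the paper, which formalizes CCA in a higher-order spi calculus with a type system rather than in Python. It is deliberately simpler than CCA proper: the requester submits a chain of signed assertions (ownership, group membership, delegation) instead of code, and the monitor checks every signature, checks that each issuer was entitled to make its statement, and then derives the requested permission from the verified facts. The principals, keys, statement forms, and derivation rules are all constructed for this example; HMAC over shared secrets stands in for the public-key signatures a deployment would use.

```python
import hashlib
import hmac
import json

# Constructed example keys. A deployment would bind public keys to
# principals; HMAC with shared secrets keeps this example stdlib-only.
KEYS = {
    "admin": b"demo-admin-key",
    "alice": b"demo-alice-key",
    "bob": b"demo-bob-key",
}


def _encode(statement):
    return json.dumps(statement, sort_keys=True, separators=(",", ":")).encode()


def sign(issuer, statement):
    """Issue a certificate: `issuer` vouches for `statement` (a list)."""
    tag = hmac.new(KEYS[issuer], _encode(statement), hashlib.sha256).hexdigest()
    return {"issuer": issuer, "statement": statement, "tag": tag}


def verify(cert):
    """Check the certificate's tag against the issuer's key."""
    key = KEYS.get(cert["issuer"])
    if key is None:
        return False
    expected = hmac.new(key, _encode(cert["statement"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, cert["tag"])


def authorize(principal, resource, proof):
    """Reference monitor: decide whether `principal` may read `resource`
    given the evidence `proof` supplied by the requester. The monitor
    constructs nothing itself; it only verifies what it is handed."""
    facts = set()
    for cert in proof:
        if not verify(cert):
            return False  # forged or altered evidence
        issuer, st = cert["issuer"], cert["statement"]
        kind = st[0]
        # Issuer restrictions (constructed policy): only the admin asserts
        # ownership and membership; a delegation must be signed by the
        # delegator itself, never by the beneficiary.
        if kind in ("owner", "member") and issuer == "admin" and len(st) == 3:
            facts.add(tuple(st))
        elif kind == "delegate" and len(st) == 4 and issuer == st[1]:
            facts.add(tuple(st))
        else:
            return False  # validly signed, but not something this issuer may say

    # Derive read permissions from the verified facts until a fixpoint.
    # Rules: owner(G,R) & member(P,G)     => can_read(P,R)
    #        can_read(P,R) & delegate(P,Q,R) => can_read(Q,R)
    can_read = set()
    changed = True
    while changed:
        changed = False
        for f in facts:
            if f[0] == "owner":
                _, group, res = f
                for g in facts:
                    if g[0] == "member" and g[2] == group and (g[1], res) not in can_read:
                        can_read.add((g[1], res))
                        changed = True
            elif f[0] == "delegate":
                _, src, dst, res = f
                if (src, res) in can_read and (dst, res) not in can_read:
                    can_read.add((dst, res))
                    changed = True
    return (principal, resource) in can_read


def demo_proof():
    """Constructed evidence a requester (bob) assembles to read 'report'."""
    return [
        sign("admin", ["owner", "staff", "report"]),
        sign("admin", ["member", "alice", "staff"]),
        sign("alice", ["delegate", "alice", "bob", "report"]),
    ]


def tampered_proof():
    """Same chain, but bob rewrites alice's delegation to cover 'secrets'."""
    proof = demo_proof()
    proof[2]["statement"] = ["delegate", "alice", "bob", "secrets"]
    return proof + [sign("admin", ["owner", "staff", "secrets"])]


def forged_proof():
    """bob signs a delegation in alice's name; the monitor must reject it."""
    return demo_proof()[:2] + [sign("bob", ["delegate", "alice", "bob", "report"])]


if __name__ == "__main__":
    print(authorize("bob", "report", demo_proof()))       # True
    print(authorize("bob", "report", demo_proof()[:2]))   # False: no delegation
    print(authorize("bob", "secrets", tampered_proof()))  # False: altered statement
    print(authorize("bob", "report", forged_proof()))     # False: wrong issuer
```

The monitor's safety rests on two checks that the requester cannot influence: the signature check, which catches altered or forged evidence, and the issuer check, which stops a principal from vouching for statements outside its authority. Everything else (finding the right certificates and ordering them) is the requester's job, which is the point of shifting the burden of proof.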
1 Introduction
The generation, transmission, and checking of evidence play a central role in authorization. The evidence may include, for instance, certificates of membership in groups, delegation assertions, and bindings of keys to principals. Typically, the checking is done dynamically, that is, at run-time, in reference monitors. When a reference monitor considers a request from a principal, it evaluates the evidence supplied by the principal