Ambient authority

Last updated December 07, 2022

Ambient authority is a term used in the study of access control systems.

A subject, such as a computer program, is said to be using ambient authority if it only needs to specify the names of the involved object(s) and the operation to be performed on them in order for a permitted action to succeed.^[1]^[2]^[3]

In this definition,

a "name" is any way of referring to an object that does not itself include authorising information, and could potentially be used by any subject;
an action is "permitted" for a subject if there exists any request that that subject could make that would cause the action to be carried out.

The authority is "ambient" in the sense that it exists in a broadly visible environment (often, but not necessarily a global environment) where any subject can request it by name.

For example, suppose a C program opens a file for read access by executing the call:

 open("filename", O_RDONLY, 0)

The desired file is designated by its name on the filesystem, which does not by itself include authorising information, so the program is exercising ambient authority.

When ambient authority is requested, permissions are granted or denied based on one or more global properties of the executing program, such as its identity or its role. In such cases, the management of access control is handled separately from explicit communication to the executing program or process, through means such as access control lists associated with objects or through Role-Based Access Control mechanisms. The executing program has no means to reify the permissions that it was granted for a specific purpose as first-class values. So, if the program should be able to access an object when acting on its own behalf but not when acting on behalf of one of its clients (or, on behalf of one client but not another), it has no way to express that intention. This inevitably leads to such programs being subject to the confused deputy problem.

The term "ambient authority" is used primarily to contrast with capability-based security (including object-capability models), in which executing programs receive permissions as they might receive data, as communicated first-class object references. This allows them to determine where the permissions came from, and thus avoid the Confused deputy problem. However, since there are additional requirements for a system to be considered a capability system besides avoiding ambient authority, "non-ambient authority system" is not just a synonym for "capability system".

Ambient authority is the dominant form of access control in computer systems today. The user model of access control as used in Unix and in Windows systems is an ambient authority model because programs execute with the authorities of the user that started them. This not only means that executing programs are inevitably given more permissions (see Principle of least privilege) than they need for their task, but that they are unable to determine the source or the number and types of permission that they have.^[4] A program executing under an ambient authority access control model has little option but to designate permissions and try to exercise them, hoping for the best. This property requires an excess of permissions to be granted to users or roles, in order for programs to execute without error.

Related Research Articles

In the fields of physical security and information security, access control (AC) is the selective restriction of access to a place or other resource, while access management describes the process. The act of accessing may mean consuming, entering, or using. Permission to access a resource is called authorization.

In the security engineering subspecialty of computer science, a trusted system is one that is relied upon to a specified extent to enforce a specified security policy. This is equivalent to saying that a trusted system is one whose failure would break a security policy.

In computer security, an access-control list (ACL) is a list of permissions associated with a system resource (object). An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects. Each entry in a typical ACL specifies a subject and an operation. For instance, if a file object has an ACL that contains (Alice: read,write; Bob: read), this would give Alice permission to read and write the file and give Bob permission only to read it.

In computer systems security, role-based access control (RBAC) or role-based security is an approach to restricting system access to authorized users. It is an approach to implement mandatory access control (MAC) or discretionary access control (DAC).

In information security, a confused deputy is a computer program that is tricked by another program into misusing its authority on the system. It is a specific type of privilege escalation. The confused deputy problem is often cited as an example of why capability-based security is important.

Capability-based security is a concept in the design of secure computing systems, one of the existing security models. A capability is a communicable, unforgeable token of authority. It refers to a value that references an object along with an associated set of access rights. A user program on a capability-based operating system must use a capability to access an object. Capability-based security refers to the principle of designing user programs such that they directly share capabilities with each other according to the principle of least privilege, and to the operating system infrastructure necessary to make such transactions efficient and secure. Capability-based security is to be contrasted with an approach that uses traditional UNIX permissions and Access Control Lists.

In computer security, mandatory access control (MAC) refers to a type of access control by which the operating system or database constrains the ability of a subject or initiator to access or generally perform some sort of operation on an object or target. In the case of operating systems, a subject is usually a process or thread; objects are constructs such as files, directories, TCP/UDP ports, shared memory segments, IO devices, etc. Subjects and objects each have a set of security attributes. Whenever a subject attempts to access an object, an authorization rule enforced by the operating system kernel examines these security attributes and decides whether the access can take place. Any operation by any subject on any object is tested against the set of authorization rules to determine if the operation is allowed. A database management system, in its access control mechanism, can also apply mandatory access control; in this case, the objects are tables, views, procedures, etc.

In computer security, discretionary access control (DAC) is a type of access control defined by the Trusted Computer System Evaluation Criteria (TCSEC) as a means of restricting access to objects based on the identity of subjects and/or groups to which they belong. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission on to any other subject.

In computing, privilege is defined as the delegation of authority to perform security-relevant functions on a computer system. A privilege allows a user to perform an action with security consequences. Examples of various privileges include the ability to create a new user, install software, or change kernel functions.

The architecture of Windows NT, a line of operating systems produced and sold by Microsoft, is a layered design that consists of two main components, user mode and kernel mode. It is a preemptive, reentrant multitasking operating system, which has been designed to work with uniprocessor and symmetrical multiprocessor (SMP)-based computers. To process input/output (I/O) requests, they use packet-driven I/O, which utilizes I/O request packets (IRPs) and asynchronous I/O. Starting with Windows XP, Microsoft began making 64-bit versions of Windows available; before this, there were only 32-bit versions of these operating systems.

Database security concerns the use of a broad range of information security controls to protect databases against compromises of their confidentiality, integrity and availability. It involves various types or categories of controls, such as technical, procedural/administrative and physical.

In computer science, an access control matrix or access matrix is an abstract, formal security model of protection state in computer systems, that characterizes the rights of each subject with respect to every object in the system. It was first introduced by Butler W. Lampson in 1971.

The Network Livermore Timesharing System is an operating system that was actively developed at Lawrence Livermore Laboratory from 1979 until about 1988, though it continued to run production applications until 1995. An earlier system, the Livermore Time Sharing System had been developed over a decade earlier.

In the context of the Microsoft Windows NT line of operating systems, a Security Identifier is a unique, immutable identifier of a user, user group, or other security principal. A security principal has a single SID for life, and all properties of the principal, including its name, are associated with the SID. This design allows a principal to be renamed without affecting the security attributes of objects that refer to the principal.

The object-capability model is a computer security model. A capability describes a transferable right to perform one operations on a given object. It can be obtained by the following combination:

Attribute-based access control (ABAC), also known as policy-based access control for IAM, defines an access control paradigm whereby a subject's authorization to perform a set of operations is determined by evaluating attributes associated with the subject, object, requested operations, and, in some cases, environment attributes.

Mandatory Integrity Control (MIC) is a core security feature of Windows Vista and later that adds mandatory access control to running processes based on their Integrity Level (IL). The IL represents the level of trustworthiness of an object. This mechanism's goal is to restrict the access permissions for potentially less trustworthy contexts, compared with other contexts running under the same user account that are more trusted.

In information security, computer science, and other fields, the principle of least privilege (PoLP), also known as the principle of minimal privilege (PoMP) or the principle of least authority (PoLA), requires that in a particular abstraction layer of a computing environment, every module must be able to access only the information and resources that are necessary for its legitimate purpose.

<span class="mw-page-title-main">Computer access control</span>

In computer security, general access control includes identification, authorization, authentication, access approval, and audit. A more narrow definition of access control would cover only access approval, whereby the system makes a decision to grant or reject an access request from an already authenticated subject, based on what the subject is authorized to access. Authentication and access control are often combined into a single operation, so that access is approved based on successful authentication, or based on an anonymous access token. Authentication methods and tokens include passwords, biometric scans, physical keys, electronic keys and devices, hidden paths, social barriers, and monitoring by humans and automated systems.

<span class="mw-page-title-main">Web API security</span>

Web API security entails authenticating programs or users who are invoking a web API.

References

↑ Miller, Mark S.; Yee, Ka-Ping; Shapiro, Jonathan (2003). "Capability Myths Demolished" (PDF).{{cite journal}}: Cite journal requires |journal= (help)
↑ Donnelley, Jed (6 October 2004). "[cap-talk] ... enforcement - ambient authority - definition?". cap-talk (Mailing list). Archived from the original on 2013-04-14. Retrieved June 28, 2012.
↑ Tribble, Dean (5 December 2002). "Re: [e-lang] "Capability Myths Demolished" => ambient authority revisited". e-lang (Mailing list). Retrieved June 28, 2012.
↑ Jed Donnelley (May 4, 2005). "Capability Computing at LLNL". In George A. Michael (ed.). Stories of the Development of Large Scale Scientific Computing at Lawrence Livermore National Laboratory; An Oral and Pictorial History . Retrieved 2022-12-06.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] Miller, Mark S.; Yee, Ka-Ping; Shapiro, Jonathan (2003). "Capability Myths Demolished" (PDF).{{cite journal}}: Cite journal requires |journal= (help)

[2] Donnelley, Jed (6 October 2004). "[cap-talk] ... enforcement - ambient authority - definition?". cap-talk (Mailing list). Archived from the original on 2013-04-14. Retrieved June 28, 2012.

[3] Tribble, Dean (5 December 2002). "Re: [e-lang] "Capability Myths Demolished" => ambient authority revisited". e-lang (Mailing list). Retrieved June 28, 2012.

[jed2-4] Jed Donnelley (May 4, 2005). "Capability Computing at LLNL". In George A. Michael (ed.). Stories of the Development of Large Scale Scientific Computing at Lawrence Livermore National Laboratory; An Oral and Pictorial History . Retrieved 2022-12-06.

[1]

[2]

[3]

[4]

v t e Object-capability security
Concepts	Principle of least privilege (PoLP) Confused deputy problem Ambient authority File descriptor C-list Object-capability model Capability-based security Capability-based addressing Zooko's triangle Petnames
Operating systems, kernels	Capsicum Fuchsia Genode GNOSIS → KeyKOS → EROS → CapROS Hydra iMAX 432 Midori NLTSS seL4
Programming languages	Cajita E Joe-E Joule
File systems	Tahoe-LAFS
Specialised hardware	BiiN Cambridge CAP Flex IBM System/38 Intel iAPX 432 Plessey System 250