Ambient authority
Ambient authority is a term used in the study of access control systems.

A subject, such as a computer program, is said to be using ambient authority if making a request that only specifies the names of the object(s) involved and the operation to be performed on them is enough for a permitted action to succeed. In this definition,

- a "name" is any way of referring to an object that does not itself include authorising information, and could potentially be used by any subject;
- an action is "permitted" for a subject if there exists any request that that subject could make that would cause the action to be carried out.

The authority is "ambient" in the sense that it exists in a broadly visible environment (often, but not necessarily, a global environment) where any subject can request it by name.
For example, suppose a C program opens a file for read access by executing the call:

    open("filename", O_RDONLY, 0)

The desired file is designated by its name on the filesystem, which does not by itself include authorising information, so the program is exercising ambient authority.
When ambient authority is requested, permissions are granted or denied based on one or more global properties of the executing program, such as its identity or its role. In such cases, the management of access control is handled separately from explicit communication to the executing program or process, through means such as access control lists associated with objects or through Role-Based Access Control mechanisms.
The executing program has no means to reify the permissions that it was granted for a specific purpose as first-class values. So, if the program should be able to access an object when acting on its own behalf but not when acting on behalf of one of its clients (or on behalf of one client but not another), it has no way to express that intention. This inevitably leads to such programs being subject to the confused deputy problem.
The term "ambient authority" is used primarily to contrast with capability-based security (including object-capability models), in which executing programs receive permissions as they might receive data, as communicated first-class object references. This allows them to determine where the permissions came from, and thus avoid the confused deputy problem. However, since there are additional requirements for a system to be considered a capability system besides avoiding ambient authority, "non-ambient authority system" is not just a synonym for "capability system".
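As an added example (not code from the article), here is the open()-by-name call from above written as a small ambient-authority routine, beside the capability style the article contrasts it with, in which an already-open file descriptor is passed around like data and is itself the authority. Function names, the sample text and the use of /tmp are assumptions of this example, not of the article:

```c
/* Added example, not code from the article: the "open a file by name" call
 * discussed above as an ambient-authority routine, beside the capability
 * style the article contrasts it with, where an already-open descriptor is
 * passed around like data. Function names, the sample text and the use of
 * /tmp are this example's own assumptions. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define SAMPLE_TEXT "constructed sample text for the demo\n" /* constructed */
#define TMP_TEMPLATE "/tmp/ambient-demo-XXXXXX"

/* Ambient authority: the caller supplies only a name and an operation. Whether
 * open() succeeds is decided by global properties of this process (its user,
 * the file's mode bits or ACL) that the code can neither inspect nor narrow
 * for a particular caller. Returns bytes read, or -1 on failure. */
int read_by_name(const char *path, char *buf, size_t len)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, len - 1);
    close(fd);
    if (n < 0) return -1;
    buf[n] = '\0';
    return (int)n;
}

/* Capability style: the descriptor is the permission, received like data. No
 * name lookup happens here, so the function reaches exactly the file it was
 * handed and cannot be steered to one the caller could not open itself. */
int read_by_fd(int fd, char *buf, size_t len)
{
    ssize_t n = pread(fd, buf, len - 1, 0);
    if (n < 0) return -1;
    buf[n] = '\0';
    return (int)n;
}

/* A deputy built on descriptors: copies src to dst and opens nothing by name,
 * so its own ambient file permissions are never lent to a client; the client
 * must already hold both descriptors. Returns bytes copied, or -1. */
int copy_fd(int src_fd, int dst_fd)
{
    char chunk[4096];
    ssize_t total = 0, n;
    if (lseek(src_fd, 0, SEEK_SET) < 0) return -1;
    while ((n = read(src_fd, chunk, sizeof chunk)) > 0) {
        for (ssize_t off = 0; off < n; ) {           /* handle short writes */
            ssize_t w = write(dst_fd, chunk + off, (size_t)(n - off));
            if (w < 0) return -1;
            off += w;
        }
        total += n;
    }
    return n < 0 ? -1 : (int)total;
}

/* Demo helper: create a temp file holding text; returns its read/write
 * descriptor and leaves its path in path_out (sized for TMP_TEMPLATE). */
int make_temp_file(const char *text, char path_out[sizeof TMP_TEMPLATE])
{
    memcpy(path_out, TMP_TEMPLATE, sizeof TMP_TEMPLATE);
    int fd = mkstemp(path_out);
    if (fd < 0) return -1;
    if (write(fd, text, strlen(text)) != (ssize_t)strlen(text)) {
        close(fd);
        unlink(path_out);
        return -1;
    }
    return fd;
}

/* Runs both styles on one file. Returns the byte count every step agreed on
 * (strlen(SAMPLE_TEXT)), or -1 if any step failed or disagreed. */
int run_demo(void)
{
    char src_path[sizeof TMP_TEMPLATE], dst_path[sizeof TMP_TEMPLATE], buf[128];
    int expect = (int)strlen(SAMPLE_TEXT);
    int src = make_temp_file(SAMPLE_TEXT, src_path);
    int dst = src < 0 ? -1 : make_temp_file("", dst_path);
    if (dst < 0) { if (src >= 0) { close(src); unlink(src_path); } return -1; }
    int by_name = read_by_name(src_path, buf, sizeof buf); /* ambient */
    int by_fd   = read_by_fd(src, buf, sizeof buf);        /* capability */
    int copied  = copy_fd(src, dst);                       /* fd-only deputy */
    int in_dst  = read_by_fd(dst, buf, sizeof buf);
    close(src); close(dst);
    unlink(src_path); unlink(dst_path);
    if (by_name != expect || by_fd != expect || copied != expect || in_dst != expect)
        return -1;
    return copied;
}

int main(void)
{
    int n = run_demo();
    printf("run_demo -> %d bytes (expected %d)\n", n, (int)strlen(SAMPLE_TEXT));
    return n < 0;
}
```

Compile with any C compiler and run; run_demo() returns the common byte count when every step succeeds. The point to notice is that read_by_name can only designate the file and hope the process's identity permits the open, whereas read_by_fd and copy_fd never perform a name lookup, so a caller cannot use them to reach anything it could not already open for itself. On POSIX systems a file descriptor handed from one piece of code to another behaves much like the first-class object reference the article describes: it can be stored, passed and counted, and the code receiving it knows exactly where its authority came from.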
Ambient authority is the dominant form of access control in computer systems today. The user model of access control as used in Unix and in Windows systems is an ambient authority model because programs execute with the authorities of the user that started them. This not only means that executing programs are inevitably given more permissions than they need for their task (see principle of least privilege), but that they are unable to determine the source or the number and types of permission that they have. A program executing under an ambient authority access control model has little option but to designate permissions and try to exercise them, hoping for the best. This property requires an excess of permissions to be granted to users or roles in order for programs to execute without error.