Title :
An extended capability architecture to enforce dynamic access control policies
Author :
Kao, I-Lung ; Chow, Randy
Author_Institution :
Distributed Syst. Services, IBM Corp., Austin, TX, USA
Abstract :
Capability has been widely used as a fundamental mechanism for access control in distributed systems. When an object manager receives a capability from a user process for accessing an object, it verifies the genuineness of the capability and checks whether the access request is allowed with the access rights placed on the capability. Capabilities have been recognized to be more suitable than centralized access control lists for object protection in a distributed system because of several obvious reasons. However, most existing capability based systems can only enforce static access control policies, which means all the access privileges a user possesses for an object are fully represented by a capability and will not change due to object access. These capability systems cannot be used to enforce dynamic access control policies, required by many complex applications, in which each authorization may depend upon a user's access history and/or an object's history of being accessed. The paper proposes an extended capability architecture to enforce dynamic access control policies both effectively and efficiently. The key issue is how to capture the dynamic access information in both capabilities and object managers while avoiding main disadvantages of centralized access control lists. A number of frequently desired security policies are used to demonstrate the power and flexibility of the proposed architecture. The problems regarding capability management including propagation, revocation, and distribution of capabilities are also discussed.
Keywords :
authorisation; distributed processing; message authentication; access history; access privileges; access request; access rights; capability based systems; capability management; capability systems; centralized access control lists; distributed system; distributed systems; dynamic access control policies; extended capability architecture; object access; object manager; object managers; object protection; security policies; static access control policies; user process; Access control; Authorization; Disaster management; History; Information security; Kernel; Operating systems; Permission; Power system management; Protection;
Conference_Titel :
Computer Security Applications Conference, 1996., 12th Annual
Conference_Location :
San Diego, CA
Print_ISBN :
0-8186-7606-X
DOI :
10.1109/CSAC.1996.569688