Unforgeable privileges and privilege delegation avoidance


ivan

Jan 28, 2013, 2:59:00 PM1/28/13
to stanford-...@googlegroups.com
The Hails paper instantly made me think of protection for banking websites. If a personal access key's security is compromised, it makes a lot of sense to only allow certain access points, domains or channels to access the account's data.

To give some context: In Mexico, where I used to live, for both historical reasons** credit cards are not so popular, but electronic wire transfer via the bank's website is the most common money exchange form. Obviously because of this there is a severe problem with the multitude of attacks done to gain access to people's accounts. Today there's a dual user validation system where the bank issues a printed card (looks like a credit card with lotto numbers) with a set of unique key codes per user, which, after it was compromised, was followed by giving each account holder a SecurID time-based RSA generator keychain. Here's where a secure website architecture like Hails would make sense: The next step was that account burglars started installing trojans on bank computers, and even physically installed infected computers in banks for people to check their account statements while waiting. Plus there's a multitude of phishing sites acting as gateways that look identical to the bank sites, trying to gain even temporary access to the user's key code in a sort of man-in-the-middle attack.


Now a question regarding the implementation: I was wondering how it is that Hails ensures that privilege objects are unforgeable? Which method is used? "The trusted Hails runtime supports unforgeable objects called privileges with which code can assert the authority of principals"

A second question is why exactly was privilege delegation avoided?

"While earlier version of GitStar utilized privilege delegation, we now largely avoid it; in many cases, we found modifying the policy to be a better alternative."

** Around 18 years ago there was a very severe economic crisis which raised interest rates to some ridiculously high levels, making most people default on their credit and leaving them unable to get a credit card until many, many years later.

Deian Stefan

Jan 28, 2013, 6:58:41 PM1/28/13
to stanford-...@googlegroups.com

Now a question regarding the implementation: I was wondering how it is that Hails ensures that privilege objects are unforgeable? Which method is used? "The trusted Hails runtime supports unforgeable objects called privileges with which code can assert the authority of principals"

Essentially just by using the Haskell type system. The privilege data type is defined as*:

data Priv = PrivTCB PrivDescription

With Safe Haskell we can make sure that VC and MP code cannot create a value of this type by effectively making the constructor PrivTCB not available to them. Trusted code like the HTTP server, however, can use the constructor and create such values.

A second question is why exactly was privilege delegation avoided?

"While earlier version of GitStar utilized privilege delegation, we now largely avoid it; in many cases, we found modifying the policy to be a better alternative."

With the MP privilege you can essentially do anything you want (a la insert/fetch/etc. from that MP), so you typically don't want to delegate this privilege unless you need to. And, if restructuring code lets you do this, you should typically take this approach.

* Actually, it's a bit different but effectively the same thing. See this.
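The constructor-hiding mechanism described in the answer above, as an added Haskell example that is not code from this thread or from Hails itself. The module names, the shape of PrivDescription, and the helpers speaksFor and withdraw are assumptions made for illustration; what is faithful to the answer is the split into an Unsafe module that owns the PrivTCB constructor, a Trustworthy module that exports Priv abstractly, and a Safe-mode application module that can hold and pass privileges but never build one.

```haskell
-- ===== Priv/TCB.hs =====
-- Trusted part of the runtime (constructed example, not Hails source).
-- Declared Unsafe so that a module compiled with {-# LANGUAGE Safe #-}
-- cannot import it and therefore can never name the PrivTCB constructor.
{-# LANGUAGE Unsafe #-}
module Priv.TCB (Priv(..), PrivDescription(..)) where

-- Which principal's authority a privilege asserts (assumed shape).
newtype PrivDescription = PrivDescription String deriving (Eq, Show)

-- The single constructor is the only way to manufacture a privilege.
data Priv = PrivTCB PrivDescription deriving Show

-- ===== Priv/Safe.hs =====
-- The surface exposed to VC/MP code. Priv is exported abstractly (no
-- constructors), so clients can pass privileges around and inspect them
-- but not build them. Trustworthy means the author vouches that this
-- export list preserves unforgeability.
{-# LANGUAGE Trustworthy #-}
module Priv.Safe (Priv, PrivDescription(..), privDesc, speaksFor) where

import Priv.TCB

-- Read-only view of the principal a privilege stands for.
privDesc :: Priv -> PrivDescription
privDesc (PrivTCB d) = d

-- Does this privilege assert the authority of principal p? (assumed helper)
speaksFor :: Priv -> PrivDescription -> Bool
speaksFor (PrivTCB d) p = d == p

-- ===== Bank/App.hs =====
-- Untrusted application code compiled in Safe mode: it may import only
-- Safe or Trustworthy modules, so Priv.TCB is off limits.
{-# LANGUAGE Safe #-}
module Bank.App (withdraw) where

import Priv.Safe

-- A transfer is allowed only when the caller holds a privilege that
-- speaks for the account owner (assumed policy for the example).
withdraw :: Priv -> PrivDescription -> Int -> Either String Int
withdraw p owner amount
  | speaksFor p owner = Right amount
  | otherwise         = Left "privilege does not speak for the account owner"

-- Both ways of forging a privilege are rejected at compile time here:
--   forged = PrivTCB (PrivDescription "alice")  -- PrivTCB not in scope
--   import Priv.TCB                             -- Priv.TCB is Unsafe

-- ===== Main.hs =====
-- Trusted entry point (the role the HTTP server plays in the answer):
-- it mints the privilege after authenticating the user and hands it
-- down to application code.
module Main (main) where

import Priv.TCB (Priv(..), PrivDescription(..))
import Bank.App (withdraw)

main :: IO ()
main = do
  let alice = PrivTCB (PrivDescription "alice")
  print (withdraw alice (PrivDescription "alice") 100)
  print (withdraw alice (PrivDescription "bob") 100)
```

Split the block into the four files named in the comments and build with ghc Main.hs; to see the enforcement, uncomment either forging line in Bank/App.hs and recompile. Note that Priv.Safe also exports no function that derives a new Priv from an existing one, so application code cannot delegate a privilege either; adding such a function would be a deliberate choice of the trusted module, which is the design decision the second answer above discusses.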
