CapNet: Capability Enabled Networking
Modern scientific experiments have outgrown the capacity of a single lab. They require the storage and processing power of a datacenter, involve cross-institutional access to sensitive data, and span multiple domains of administrative trust. In such a setting, security is fragile. In the face of a steady growth of sophisticated cyber-attack tools, modern server and desktop machines are fundamentally insecure. Over two hundred critical vulnerabilities that allow unrestricted access to the entire system are discovered in the Linux kernel each year. Lacking the flexibility to express fine-grained access control policies, modern networks often give vulnerable hosts excessive or even unrestricted connectivity to the rest of the network, so an exploit of any single host lets an attacker explore, exploit, and take control of an entire cyber facility. Without support from the network, scientific facilities will remain vulnerable. The key elements needed to secure them are: 1) “off by default” behavior, with connectivity granted on an as-needed basis; 2) mechanisms for decentralized, application-driven dynamic management of connectivity; and 3) a formal foundation enabling secure collaboration among fine-grained, dynamic, multi-institutional principals.
To address these concerns we will create CapNet, a novel network access control layer that enables secure, least privilege collaboration in the cross-institutional environment of a modern research instrument. Building on the principles of capability access control, CapNet represents the network as an access control graph. Nodes are network hosts, edges (or “capabilities”) are pointers to other hosts allowing communication and further exchange of rights. By controlling the initial distribution of capabilities and their flow, CapNet governs network interactions through fine-grained, application-driven policies that enable safe collaboration among multiple institutions and third-party services. A key feature of CapNet is the clean separation of policy and mechanism. CapNet implements a minimal, trusted layer of access control that can be deployed across multiple institutions, research instruments, and administrative domains to provide a unified mechanism for expressing rich access control policies.
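To make the access control graph concrete, the following Python script is an added example written for this page; it is not CapNet's own code or API. It models hosts as nodes and capabilities as directed edges, enforces off-by-default connectivity, lets a host delegate only rights it already holds and only to hosts it can already reach, and computes the worst-case blast radius of a compromised host by walking capability edges. The host names and the two-institution scenario are constructed for illustration.

```python
"""Toy model of a capability access-control graph for a network.

Constructed example in the spirit of the CapNet description above; this is
not CapNet's code. Hosts are nodes; a capability is a directed edge
holder -> target meaning the holder may send to the target and may pass
that capability on to any host it can already reach. No edge, no traffic.
"""
from __future__ import annotations


class CapabilityGraph:
    def __init__(self) -> None:
        # holder -> set of target hosts the holder may talk to
        self.caps: dict[str, set[str]] = {}

    def add_host(self, host: str) -> None:
        self.caps.setdefault(host, set())

    def holds(self, holder: str, target: str) -> bool:
        """True iff `holder` owns a capability for `target`."""
        return target in self.caps.get(holder, set())

    def grant(self, holder: str, target: str) -> None:
        """Initial distribution of capabilities by the trusted layer (policy bootstrap)."""
        self.add_host(holder)
        self.add_host(target)
        self.caps[holder].add(target)

    def can_send(self, src: str, dst: str) -> bool:
        """The only check the data plane needs: is there an edge src -> dst?"""
        return self.holds(src, dst)

    def delegate(self, sender: str, receiver: str, target: str) -> None:
        """`sender` passes its capability for `target` to `receiver`.

        Two conditions keep delegation within least privilege: the sender must
        already be able to reach the receiver, and it can only hand over a
        right it holds itself.
        """
        if not self.can_send(sender, receiver):
            raise PermissionError(f"{sender} cannot reach {receiver}")
        if not self.holds(sender, target):
            raise PermissionError(f"{sender} does not hold a capability for {target}")
        self.caps[receiver].add(target)

    def revoke(self, holder: str, target: str) -> None:
        """Remove an edge; traffic holder -> target stops immediately."""
        self.caps.get(holder, set()).discard(target)

    def blast_radius(self, compromised: str) -> set[str]:
        """Hosts an attacker could reach from `compromised` by hopping along
        capability edges, pessimistically assuming every host reached can be
        exploited in turn. On a flat, fully connected network this would be
        every host; here it is bounded by the capabilities actually held."""
        seen: set[str] = set()
        frontier = [compromised]
        while frontier:
            h = frontier.pop()
            for t in self.caps.get(h, set()):
                if t not in seen:
                    seen.add(t)
                    frontier.append(t)
        seen.discard(compromised)
        return seen


def build_example() -> CapabilityGraph:
    """Constructed two-institution scenario; host names are illustrative."""
    g = CapabilityGraph()
    g.grant("labA-workstation", "labA-storage")   # lab A owns its data
    g.grant("labA-workstation", "dc-compute")     # and may submit jobs
    g.grant("labB-analysis", "dc-compute")        # lab B may also submit jobs
    g.grant("labB-analysis", "labB-archive")      # lab B owns its archive
    return g


if __name__ == "__main__":
    g = build_example()
    print("compute -> labA-storage:", g.can_send("dc-compute", "labA-storage"))
    print("blast radius of labB-analysis:", sorted(g.blast_radius("labB-analysis")))
    # Lab A lets the datacenter read its storage for one job.
    g.delegate("labA-workstation", "dc-compute", "labA-storage")
    print("after delegation:", sorted(g.blast_radius("labB-analysis")))
    g.revoke("dc-compute", "labA-storage")
    print("after revocation:", sorted(g.blast_radius("labB-analysis")))
```

The interesting observation is in `blast_radius`: delegating the storage capability to the shared compute node is what extends a compromise of lab B's analysis host to lab A's storage, and revoking it shrinks the reachable set again. Capabilities make that exposure explicit and auditable, whereas a flat network gives the same host reach everywhere from the start.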