Secure Abstraction with Code Capabilities
This work addresses secure access control for cloud computing applications, such as sports analytics, but appears incremental because it builds on existing cryptographic and capability-based methods.
The paper tackles the problem of enabling flexible discretionary access control in cloud-like infrastructures by embedding executable code fragments in cryptographically protected capabilities. The result is a user-space implementation that supports restricted delegation, confinement, revocation, and rights amplification.
We propose embedding executable code fragments in cryptographically protected capabilities to enable flexible discretionary access control in cloud-like computing infrastructures. We are developing this as part of a sports analytics application that runs on a federation of public and enterprise clouds. The capability mechanism is implemented completely in user space. Using a novel combination of X.509 certificates and JavaScript code, the capabilities support restricted delegation, confinement, revocation, and rights amplification for secure abstraction.
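The restricted delegation described above, as an added sketch that is not the paper's code: each capability link carries a JavaScript predicate and a signature, and a holder delegates by appending a further predicate that the resource also enforces. Ed25519 signatures from Node's crypto module stand in for the X.509 certificates; the names extend, authorize and demo, the link format, and the request fields op and path are assumptions. Revocation, confinement of the fragment, and proof that the requester holds the last key are outside the sketch.

```javascript
// Ed25519 stands in for X.509 (assumption). Loads as CommonJS or as an ES module.
const nodeCrypto = typeof require === "function"
  ? require("node:crypto") : process.getBuiltinModule("node:crypto");

const newKey = () => nodeCrypto.generateKeyPairSync("ed25519");
const pem = (publicKey) => publicKey.export({ type: "spki", format: "pem" });
// Bytes a link's signature covers: parent signature, next holder, code fragment.
const body = (parentSig, subject, code) =>
  Buffer.from(JSON.stringify([parentSig, subject, code]));

// Issue (chain = []) or delegate: the current holder signs a new link that
// names the next holder and embeds a predicate over the request.
function extend(chain, signerPrivateKey, subjectPublicKey, code) {
  const parentSig = chain.length ? chain[chain.length - 1].sig : "";
  const subject = pem(subjectPublicKey);
  const sig = nodeCrypto
    .sign(null, body(parentSig, subject, code), signerPrivateKey)
    .toString("base64");
  return [...chain, { subject, code, sig }];
}

// Resource-side check: each link must be signed by the previous holder (the owner
// for link 0) and every predicate must return true, so delegation only narrows.
function authorize(chain, ownerPublicKey, request) {
  if (chain.length === 0) return false;
  const req = Object.freeze({ ...request }); // fragments cannot alter the request
  let signer = pem(ownerPublicKey), parentSig = "";
  for (const { subject, code, sig } of chain) {
    const signed = body(parentSig, subject, code);
    if (!nodeCrypto.verify(null, signed, signer, Buffer.from(sig, "base64"))) return false;
    try {
      // Only signature-checked code runs. new Function is not a sandbox; a real
      // verifier needs a confined interpreter for the fragment.
      if (new Function("req", `"use strict"; return (${code});`)(req) !== true) return false;
    } catch { return false; }
    signer = subject; parentSig = sig;
  }
  return true;
}

// Constructed demo: owner -> analyst (read or write) -> intern (read match 42 only).
function demo() {
  const owner = newKey(), analyst = newKey(), intern = newKey();
  const cap = extend([], owner.privateKey, analyst.publicKey,
    "req.op === 'read' || req.op === 'write'");
  const delegated = extend(cap, analyst.privateKey, intern.publicKey,
    "req.op === 'read' && req.path.startsWith('/match/42/')");
  return { owner, cap, delegated };
}
```

Editing a link's code after signing, or appending a permissive link, does not widen access: the first breaks the signature check and the second leaves the earlier predicates in force.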