Daohub-io / cap9

Capability-based security protocol for smart contracts
Apache License 2.0
22 stars 10 forks source link

Procedure#Register Capability (Enforced with Subsets) #110

Closed Latrasis closed 5 years ago

Latrasis commented 5 years ago

Following from discussion in #108. We are replacing push and delete capabilities (#108,#109) with an enforced register capability (#47) instead.

We need to revert #proc_reg and allow pushing capabilities equal to or subset of the caller's capabilities. This requires the Register capability interface and tests at PR #102, to be reverted, and #47 to be amended.

User Interface:

The user must use #proc_reg:

function proc_reg(uint8 capIndex, bytes32 procId, address procAddr, Capability[] caps) returns (uint32 err)

Where the Capability type is defined as:

struct Capability {
    uint8 targetCapIndex;
    bytes32[] subvalues; // If full capability, must have length 0
}

For Pushing a Full capability X

X must have X.subvalues.length == 0

Test

We need a test that:

For Pushing a Subset capability Y

1 < Y.subvalues.length < 5

Y.subvalues is defined as a non-empty list of either: string[] or uint256[]

Test

For Store Caps:

We need a test that:

JakeOShannessy commented 5 years ago

I've spec'ed out precise definitions of subsets in the spec. I'm not sure if what parts of that which you've proposed above should be kernel side and what should be user side, but I'll give my thoughts on where that line should lie. Given what is currently implemented I think we should leave minting and definitions to the user space. Here's my thinking:

  1. Less code in the kernel is good.
  2. By only having the code that checks if one capability is the subset of another we simplify not just the amount of code but the complexity of the code paths, it's simply a boolean check.
  3. The steps to check if something is a subset is quite simple.
  4. We already do a heap of marshalling and formatting in user space just to execute the system call, and in fact that's how we currently do it.
  5. If we want the API to use targetCapIndex or the like, we can do that in the BeakerContract base class.

Also, Capability.subvalues.length == 0 does not imply a full cap for WRITE as currently defined. Maybe that should be a conversation on the spec.

Latrasis commented 5 years ago

@JakeOShannessy: Based on our discussion it would be pertinent to update the proc#reg syscall format to accomodate the CapIndex and CapSize.

JakeOShannessy commented 5 years ago

Being addressed in #129.

JakeOShannessy commented 5 years ago

This is complete as of #129.