BibTeX for papers by David Kotz; for complete/updated list see https://www.cs.dartmouth.edu/~kotz/research/papers.html @InProceedings{howell:end-to-end, author = {Jon Howell and David Kotz}, title = {{End-to-end authorization}}, booktitle = {{Proceedings of the Symposium on Operating Systems Design and Implementation (OSDI)}}, year = 2000, month = {October}, pages = {151--164}, publisher = {USENIX Association}, copyright = {the authors}, URL = {https://www.cs.dartmouth.edu/~kotz/research/howell-end-to-end/index.html}, abstract = {Many boundaries impede the flow of authorization information, forcing applications that span those boundaries into hop-by-hop approaches to authorization. We present a unified approach to authorization. Our approach allows applications that span administrative, network, abstraction, and protocol boundaries to understand the end-to-end authority that justifies any given request. The resulting distributed systems are more secure and easier to audit. \par We describe boundaries that can interfere with end-to-end authorization, and outline our unified approach. We describe the system we built and the applications we adapted to use our unified authorization system, and measure its costs. We conclude that our system is a practical approach to the desirable goal of end-to-end authorization.}, } @Article{howell:restricted, author = {Jon Howell and David Kotz}, title = {{Restricted delegation: seamlessly spanning administrative boundaries}}, journal = {ACM Operating Systems Review}, year = 2000, month = {April}, volume = 34, number = 2, pages = {38--39}, publisher = {ACM}, copyright = {the authors}, DOI = {10.1145/346152.346268}, URL = {https://www.cs.dartmouth.edu/~kotz/research/howell-restricted/index.html}, } @TechReport{howell:spki-tr, author = {Jon Howell and David Kotz}, title = {{A Formal Semantics for SPKI}}, institution = {Dartmouth Computer Science}, year = 2000, month = {March}, number = {TR2000-363}, copyright = {the authors}, URL = {https://www.cs.dartmouth.edu/~kotz/research/howell-spki-tr/index.html}, abstract = {We extend the logic and semantics of authorization due to Abadi, Lampson, et al. to support restricted delegation. Our formal model provides a simple interpretation for the variety of constructs in the Simple Public Key Infrastructure (SPKI), and lends intuition about possible extensions. We discuss both extensions that our semantics supports and extensions that it cautions against.}, } @InProceedings{howell:spki, author = {Jon Howell and David Kotz}, title = {{A Formal Semantics for SPKI}}, booktitle = {{Proceedings of the European Symposium on Research in Computer Security (ESORICS)}}, series = {Lecture Notes in Computer Science}, year = 2000, month = {October}, volume = 1895, pages = {140--158}, publisher = {Springer-Verlag}, copyright = {Springer-Verlag}, DOI = {10.1007/10722599_9}, URL = {https://www.cs.dartmouth.edu/~kotz/research/howell-spki/index.html}, abstract = {We extend the logic and semantics of authorization due to Abadi, Lampson, et al. to support restricted delegation. Our formal model provides a simple interpretation for the variety of constructs in the Simple Public Key Infrastructure (SPKI), and lends intuition about possible extensions. We discuss both extensions that our semantics supports and extensions that it cautions against.}, } @PhdThesis{howell:thesis, author = {Jonathan R. Howell}, title = {{Naming and sharing resources across administrative boundaries}}, school = {Dartmouth College Computer Science}, year = 2000, month = {June}, copyright = {Jonathan R. Howell}, address = {Hanover, NH}, URL = {https://www.cs.dartmouth.edu/~kotz/research/howell-thesis/index.html}, note = {Available as Dartmouth Computer Science Technical Reports TR2000-378, 379, and 380}, abstract = {I tackle the problem of naming and sharing resources across administrative boundaries. Conventional systems manifest the hierarchy of typical administrative structure in the structure of their own mechanism. While natural for communication that follows hierarchical patterns, such systems interfere with naming and sharing that cross administrative boundaries, and therefore cause headaches for both users and administrators. I propose to organize resource naming and security, not around administrative domains, but around the sharing patterns of users. \par The dissertation is organized into four main parts. First, I discuss the challenges and tradeoffs involved in naming resources and consider a variety of existing approaches to naming. \par Second, I consider the architectural requirements for user-centric sharing. I evaluate existing systems with respect to these requirements. \par Third, to support the sharing architecture, I develop a formal logic of sharing that captures the notion of restricted delegation. Restricted delegation ensures that users can use the same mechanisms to share resources consistently, regardless of the origin of the resource, or with whom the user wishes to share the resource next. A formal semantics gives unambiguous meaning to the logic. I apply the formalism to the Simple Public Key Infrastructure and discuss how the formalism either supports or discourages potential extensions to such a system. \par Finally, I use the formalism to drive a user-centric sharing implementation for distributed systems. I show how this implementation enables end-to-end authorization, a feature that makes heterogeneous distributed systems more secure and easier to audit. Conventionally, gateway services that bridge administrative domains, add abstraction, or translate protocols typically impede the flow of authorization information from client to server. In contrast, end-to-end authorization enables us to build gateway services that preserve authorization information, hence we reduce the size of the trusted computing base and enable more effective auditing. I demonstrate my implementation and show how it enables end-to-end authorization across various boundaries. I measure my implementation and argue that its performance tracks that of similar authorization mechanisms without end-to-end structure. \par I conclude that my user-centric philosophy of naming and sharing benefits both users and administrators.}, } @TechReport{howell:calculus-tr, author = {Jon Howell and David Kotz}, title = {{An Access-Control Calculus for Spanning Administrative Domains}}, institution = {Dartmouth Computer Science}, year = 1999, month = {November}, number = {PCS-TR99-361}, copyright = {the authors}, URL = {https://www.cs.dartmouth.edu/~kotz/research/howell-calculus-tr/index.html}, abstract = {In our quest to give users uniform access to resources unimpeded by administrative boundaries, we discovered that we needed transitive sharing among users, with the possibility of restricted access along each sharing link. To achieve that goal, we extend Lampson et al.'s calculus for access control to support restricted delegations. We discuss the advantages of our extension, including the simplification of constructs like ACLs and statement expiration. We also apply our extension to model the Simple Public Key Infrastructure and make suggestions about its future development. Our extended calculus exposes some surprising consequences in such systems that use restricted delegation.}, } @TechReport{howell:snowflake2-tr, author = {Jon Howell and David Kotz}, title = {{Snowflake: Spanning Administrative Domains}}, institution = {Dartmouth Computer Science}, year = 1998, month = {December}, number = {PCS-TR98-343}, copyright = {the authors}, URL = {https://www.cs.dartmouth.edu/~kotz/research/howell-snowflake2-tr/index.html}, abstract = {Many distributed systems provide a ``single-system image'' to their users, so the user has the illusion that they are using a single system when in fact they are using many distributed resources. It is a powerful abstraction that helps users to manage the complexity of using distributed resources. The goal of the Snowflake project is to discover how single-system images can be made to span administrative domains. Our current prototype organizes resources in namespaces and distributes them using Java Remote Method Invocation. Challenging issues include how much flexibility should be built into the namespace interface, and how transparent the network and persistent storage should be. We outline future work on making Snowflake administrator-friendly.}, }