[omniORB] Security/Authentication

Nathaniel Smith njs@pobox.com
Thu Feb 27 20:46:01 2003 

On Thu, Feb 27, 2003 at 09:29:06AM +0100, Hautesserres, Thomas wrote:
[...]
> - We have a security manager that can deliver security tokens against an
> authentication. We are using login/password, but anything else could do the
> trick. The returned token is an opaque structure, that has no meaning to
> anyone outside the security manager itself.
> 
> - When a user wants to access an object, it must contact a Factory for this
> kind of object. The factory is registered in a Naming Service. To retrieve
> an object, the user must pass a valid token to the factory. The factory uses
> the token to retrieve detailes information about the user from the security
> manager (including user's permissions). If it's OK, the factory returns a
> new object, which is associated with the user information (it's an hidden
> attribute of the object).
[...]

This is essentially using CORBA as a capability system, a la EROS[1] and
E[2].  There's a big problem with this, though, which is that it
assumes that object references are unforgeable -- that if you have a
reference to an object, then you obtained it legitimately and are
authorized to make invocations on that object.  This is true for EROS,
where there's kernel support for object references, and for E, where
they use huge (128 bit?) object identities and take special care that
they'll be unguessable.  I don't think the object id's generated by
Omni are so unguessable, though, and I'm certain that some other
issues aren't ideal (for instance, a malicious client can make
unlimited guesses at an object id without penalty).  Maybe I'm wrong,
but I would be very dubious about my security if I was depending on
CORBA being a capability system.

[1] http://eros-os.org
[2] http://erights.org

-- Nathaniel

-- 
"Lull'd in the countless chambers of the brain,
Our thoughts are link'd by many a hidden chain:
Awake but one, and lo! what myriads rise!
Each stamps its image as the other flies"
  -- Ann Ward Radcliffe, The Mysteries of Udolpho

This email may be read aloud.