|
cannam@135
|
1 # Copyright (c) 2014 Sandstorm Development Group, Inc. and contributors
|
|
cannam@135
|
2 # Licensed under the MIT License:
|
|
cannam@135
|
3 #
|
|
cannam@135
|
4 # Permission is hereby granted, free of charge, to any person obtaining a copy
|
|
cannam@135
|
5 # of this software and associated documentation files (the "Software"), to deal
|
|
cannam@135
|
6 # in the Software without restriction, including without limitation the rights
|
|
cannam@135
|
7 # to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
|
cannam@135
|
8 # copies of the Software, and to permit persons to whom the Software is
|
|
cannam@135
|
9 # furnished to do so, subject to the following conditions:
|
|
cannam@135
|
10 #
|
|
cannam@135
|
11 # The above copyright notice and this permission notice shall be included in
|
|
cannam@135
|
12 # all copies or substantial portions of the Software.
|
|
cannam@135
|
13 #
|
|
cannam@135
|
14 # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
cannam@135
|
15 # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
cannam@135
|
16 # FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|
cannam@135
|
17 # AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
cannam@135
|
18 # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
|
cannam@135
|
19 # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
|
|
cannam@135
|
20 # THE SOFTWARE.
|
|
cannam@135
|
21
|
|
cannam@135
|
22 @0xb8630836983feed7;
|
|
cannam@135
|
23
|
|
cannam@135
|
24 $import "/capnp/c++.capnp".namespace("capnp");
|
|
cannam@135
|
25
|
|
cannam@135
|
26 interface Persistent@0xc8cb212fcd9f5691(SturdyRef, Owner) {
|
|
cannam@135
|
27 # Interface implemented by capabilities that outlive a single connection. A client may save()
|
|
cannam@135
|
28 # the capability, producing a SturdyRef. The SturdyRef can be stored to disk, then later used to
|
|
cannam@135
|
29 # obtain a new reference to the capability on a future connection.
|
|
cannam@135
|
30 #
|
|
cannam@135
|
31 # The exact format of SturdyRef depends on the "realm" in which the SturdyRef appears. A "realm"
|
|
cannam@135
|
32 # is an abstract space in which all SturdyRefs have the same format and refer to the same set of
|
|
cannam@135
|
33 # resources. Every vat is in exactly one realm. All capability clients within that vat must
|
|
cannam@135
|
34 # produce SturdyRefs of the format appropriate for the realm.
|
|
cannam@135
|
35 #
|
|
cannam@135
|
36 # Similarly, every VatNetwork also resides in a particular realm. Usually, a vat's "realm"
|
|
cannam@135
|
37 # corresponds to the realm of its main VatNetwork. However, a Vat can in fact communicate over
|
|
cannam@135
|
38 # a VatNetwork in a different realm -- in this case, all SturdyRefs need to be transformed when
|
|
cannam@135
|
39 # coming or going through said VatNetwork. The RPC system has hooks for registering
|
|
cannam@135
|
40 # transformation callbacks for this purpose.
|
|
cannam@135
|
41 #
|
|
cannam@135
|
42 # Since the format of SturdyRef is realm-dependent, it is not defined here. An application should
|
|
cannam@135
|
43 # choose an appropriate realm for itself as part of its design. Note that under Sandstorm, every
|
|
cannam@135
|
44 # application exists in its own realm and is therefore free to define its own SturdyRef format;
|
|
cannam@135
|
45 # the Sandstorm platform handles translating between realms.
|
|
cannam@135
|
46 #
|
|
cannam@135
|
47 # Note that whether a capability is persistent is often orthogonal to its type. In these cases,
|
|
cannam@135
|
48 # the capability's interface should NOT inherit `Persistent`; instead, just perform a cast at
|
|
cannam@135
|
49 # runtime. It's not type-safe, but trying to be type-safe in these cases will likely lead to
|
|
cannam@135
|
50 # tears. In cases where a particular interface only makes sense on persistent capabilities, it
|
|
cannam@135
|
51 # still should not explicitly inherit Persistent because the `SturdyRef` and `Owner` types will
|
|
cannam@135
|
52 # vary between realms (they may even be different at the call site than they are on the
|
|
cannam@135
|
53 # implementation). Instead, mark persistent interfaces with the $persistent annotation (defined
|
|
cannam@135
|
54 # below).
|
|
cannam@135
|
55 #
|
|
cannam@135
|
56 # Sealing
|
|
cannam@135
|
57 # -------
|
|
cannam@135
|
58 #
|
|
cannam@135
|
59 # As an added security measure, SturdyRefs may be "sealed" to a particular owner, such that
|
|
cannam@135
|
60 # if the SturdyRef itself leaks to a third party, that party cannot actually restore it because
|
|
cannam@135
|
61 # they are not the owner. To restore a sealed capability, you must first prove to its host that
|
|
cannam@135
|
62 # you are the rightful owner. The precise mechanism for this authentication is defined by the
|
|
cannam@135
|
63 # realm.
|
|
cannam@135
|
64 #
|
|
cannam@135
|
65 # Sealing is a defense-in-depth mechanism meant to mitigate damage in the case of catastrophic
|
|
cannam@135
|
66 # attacks. For example, say an attacker temporarily gains read access to a database full of
|
|
cannam@135
|
67 # SturdyRefs: it would be unfortunate if it were then necessary to revoke every single reference
|
|
cannam@135
|
68 # in the database to prevent the attacker from using them.
|
|
cannam@135
|
69 #
|
|
cannam@135
|
70 # In general, an "owner" is a course-grained identity. Because capability-based security is still
|
|
cannam@135
|
71 # the primary mechanism of security, it is not necessary nor desirable to have a separate "owner"
|
|
cannam@135
|
72 # identity for every single process or object; that is exactly what capabilities are supposed to
|
|
cannam@135
|
73 # avoid! Instead, it makes sense for an "owner" to literally identify the owner of the machines
|
|
cannam@135
|
74 # where the capability is stored. If untrusted third parties are able to run arbitrary code on
|
|
cannam@135
|
75 # said machines, then the sandbox for that code should be designed using Distributed Confinement
|
|
cannam@135
|
76 # such that the third-party code never sees the bits of the SturdyRefs and cannot directly
|
|
cannam@135
|
77 # exercise the owner's power to restore refs. See:
|
|
cannam@135
|
78 #
|
|
cannam@135
|
79 # http://www.erights.org/elib/capability/dist-confine.html
|
|
cannam@135
|
80 #
|
|
cannam@135
|
81 # Resist the urge to represent an Owner as a simple public key. The whole point of sealing is to
|
|
cannam@135
|
82 # defend against leaked-storage attacks. Such attacks can easily result in the owner's private
|
|
cannam@135
|
83 # key being stolen as well. A better solution is for `Owner` to contain a simple globally unique
|
|
cannam@135
|
84 # identifier for the owner, and for everyone to separately maintain a mapping of owner IDs to
|
|
cannam@135
|
85 # public keys. If an owner's private key is compromised, then humans will need to communicate
|
|
cannam@135
|
86 # and agree on a replacement public key, then update the mapping.
|
|
cannam@135
|
87 #
|
|
cannam@135
|
88 # As a concrete example, an `Owner` could simply contain a domain name, and restoring a SturdyRef
|
|
cannam@135
|
89 # would require signing a request using the domain's private key. Authenticating this key could
|
|
cannam@135
|
90 # be accomplished through certificate authorities or web-of-trust techniques.
|
|
cannam@135
|
91
|
|
cannam@135
|
92 save @0 SaveParams -> SaveResults;
|
|
cannam@135
|
93 # Save a capability persistently so that it can be restored by a future connection. Not all
|
|
cannam@135
|
94 # capabilities can be saved -- application interfaces should define which capabilities support
|
|
cannam@135
|
95 # this and which do not.
|
|
cannam@135
|
96
|
|
cannam@135
|
97 struct SaveParams {
|
|
cannam@135
|
98 sealFor @0 :Owner;
|
|
cannam@135
|
99 # Seal the SturdyRef so that it can only be restored by the specified Owner. This is meant
|
|
cannam@135
|
100 # to mitigate damage when a SturdyRef is leaked. See comments above.
|
|
cannam@135
|
101 #
|
|
cannam@135
|
102 # Leaving this value null may or may not be allowed; it is up to the realm to decide. If a
|
|
cannam@135
|
103 # realm does allow a null owner, this should indicate that anyone is allowed to restore the
|
|
cannam@135
|
104 # ref.
|
|
cannam@135
|
105 }
|
|
cannam@135
|
106 struct SaveResults {
|
|
cannam@135
|
107 sturdyRef @0 :SturdyRef;
|
|
cannam@135
|
108 }
|
|
cannam@135
|
109 }
|
|
cannam@135
|
110
|
|
cannam@135
|
111 interface RealmGateway(InternalRef, ExternalRef, InternalOwner, ExternalOwner) {
|
|
cannam@135
|
112 # Interface invoked when a SturdyRef is about to cross realms. The RPC system supports providing
|
|
cannam@135
|
113 # a RealmGateway as a callback hook when setting up RPC over some VatNetwork.
|
|
cannam@135
|
114
|
|
cannam@135
|
115 import @0 (cap :Persistent(ExternalRef, ExternalOwner),
|
|
cannam@135
|
116 params :Persistent(InternalRef, InternalOwner).SaveParams)
|
|
cannam@135
|
117 -> Persistent(InternalRef, InternalOwner).SaveResults;
|
|
cannam@135
|
118 # Given an external capability, save it and return an internal reference. Used when someone
|
|
cannam@135
|
119 # inside the realm tries to save a capability from outside the realm.
|
|
cannam@135
|
120
|
|
cannam@135
|
121 export @1 (cap :Persistent(InternalRef, InternalOwner),
|
|
cannam@135
|
122 params :Persistent(ExternalRef, ExternalOwner).SaveParams)
|
|
cannam@135
|
123 -> Persistent(ExternalRef, ExternalOwner).SaveResults;
|
|
cannam@135
|
124 # Given an internal capability, save it and return an external reference. Used when someone
|
|
cannam@135
|
125 # outside the realm tries to save a capability from inside the realm.
|
|
cannam@135
|
126 }
|
|
cannam@135
|
127
|
|
cannam@135
|
128 annotation persistent(interface, field) :Void;
|
|
cannam@135
|
129 # Apply this annotation to interfaces for objects that will always be persistent, instead of
|
|
cannam@135
|
130 # extending the Persistent capability, since the correct type parameters to Persistent depend on
|
|
cannam@135
|
131 # the realm, which is orthogonal to the interface type and therefore should not be defined
|
|
cannam@135
|
132 # along-side it.
|
|
cannam@135
|
133 #
|
|
cannam@135
|
134 # You may also apply this annotation to a capability-typed field which will always contain a
|
|
cannam@135
|
135 # persistent capability, but where the capability's interface itself is not already marked
|
|
cannam@135
|
136 # persistent.
|
|
cannam@135
|
137 #
|
|
cannam@135
|
138 # Note that absence of the $persistent annotation doesn't mean a capability of that type isn't
|
|
cannam@135
|
139 # persistent; it just means not *all* such capabilities are persistent.
|
