Determining whether online users are authorized to access
digital objects is central to preserving privacy. This paper presents the design, implementation, and deployment
of Zanzibar, a global system for storing and evaluating access control lists. Zanzibar provides a uniform data model
and configuration language for expressing a wide range of
access control policies from hundreds of client services at
Google, including Calendar, Cloud, Drive, Maps, Photos,
and YouTube. Its authorization decisions respect causal ordering of user actions and thus provide external consistency
amid changes to access control lists and object contents.
Zanzibar scales to trillions of access control lists and millions
of authorization requests per second to support services used
by billions of people. It has maintained 95th-percentile latency of less than 10 milliseconds and availability of greater
than 99.999% over 3 years of production use
Abstract—Fallback authentication, the process of recovering
access to an account if the primary authenticator is forgotten
or lost, is of significant importance in real-world applications.
A variety of mechanisms are deployed, ranging from secondary
channels (such as email and SMS), over personal knowledge
questions (such as the “mother’s maiden name”) to social authentication (such as vouching-based approaches). One central
difference with primary authentication is that the elapsed time
between enrollment and authentication can be much longer,
typically in the range of years. However, few of the mechanisms
used today have been studied over such long time-spans, making
claims about their usability difficult to generalize to real-world
applications. Additionally, most past studies have considered one
or two mechanisms only, and deriving a meaningful comparison
of a relevant number of mechanisms from the individual datapoints is not easy. In this work in progress paper, we report on the
design of a usability study that we will use to study the usability
of authentication mechanisms over a more realistic time-frame of
up to 18 months, and will provide a fair comparison of the four
most widely used fallback authentication schemes. We present
results of a pre-study with 74 participants that ran over 4 weeks
and indicates that schemes based on email and SMS are more
usable. Mechanisms based on designated trustees and personal
knowledge questions, on the other hand, fall short, both in terms
of convenience and efficiency.
Object capabilities are a technique for fine-grained
privilege separation in programming languages and systems,
with important applications in security. However, current formal characterisations do not fully capture capability-safety of
a programming language and are not sufficient for verifying
typical applications. Using state-of-the-art techniques from
programming languages research, we define a logical relation
capability-safety. The relation is powerful enough to reason
about typical capability patterns and supports evolvable invariants on shared data structures, capabilities with restricted
authority over them and isolated components with restricted
communication channels. We use a novel notion of effect
parametricity for deriving properties about effects. Our results
imply memory access bounds that have previously been used
to characterise capability-safety.
Secure authentication and authorization within Facebook’s infrastructure play important
roles in protecting people using Facebook’s services. Enforcing security while maintaining a
flexible and performant infrastructure can be challenging at Facebook’s scale, especially in the
presence of varying layers of trust among our servers. Providing authentication and encryption
on a per-connection basis is certainly necessary, but also insufficient for securing more complex
flows involving multiple services or intermediaries at lower levels of trust.
To handle these more complicated scenarios, we have developed two token-based mechanisms
for authentication. The first type is based on certificates and allows for flexible verification due
to its public-key nature. The second type, known as “crypto auth tokens”, is symmetric-key
based, and hence more restrictive, but also much more scalable to a high volume of requests.
Crypto auth tokens rely on pseudorandom functions to generate independently-distributed keys
for distinct identities.
Finally, we provide (mock) examples which illustrate how both of our token primitives can be
used to authenticate real-world flows within our infrastructure, and how a token-based approach
to authentication can be used to handle security more broadly in other infrastructures which
have strict performance requirements and where relying on TLS alone is not enough.
We study some of the concepts, protocols, and algorithms for access control
in distributed systems, from a logical perspective. We account for how a
principal may come to believe that another principal is making a request,
either on his own or on someone else’s behalf. We also provide a logical
language for access control lists, and theories for deciding whether requests
should be granted.