[cap-talk] POLP v. POLA
Jed at Webstart
donnelley1 at webstart.com
Fri Nov 4 14:58:38 EST 2005
I've been following the POLP v. POLA thread with interest but so far not with
much time to respond. I thought perhaps I might be able to contribute most
by making an effort to engage Dr. Saltzer on this topic. I wrote:
There has been considerable discussion over the last few years about the phrase
"Principle Of Least Privilege" and what many consider a more modern comparable
notion, the "Principle Of Least Authority" - e.g. from: "Paradigm
Mechanisms for Access Control" by Miller and Shapiro (a paper that I
"It is unclear whether Saltzer and Schroeder's Principle of Least
Privilege is best interpreted
as least permission or least authority. As we will see, there is an
between the two."
Recently there has been considerable discussion on this topic in a thread:
"POLP vs. POLA" on the "cap-talk" mailing list:
in this thread:
(e.g. in: http://eros.cs.jhu.edu/pipermail/cap-talk/2005-October/004065.html
you find this from Tyler Close:
POLA encompasses analysis of all the ways in which authority flows in
designs composed of protected objects and protected subsystems. In
general, a POLP analysis fails to capture some of these flows.
Interestingly, there is an example of such a failure in the Saltzer
and Schroeder essay. In the section discussing the ACL model, the
"4. The question of "who may access this segment?" apparently is
answered directly by examining the access control list in the access
controller for the segment. The qualifier "apparently" applies because we
have not yet postulated any mechanism for controlling who may modify access
The above represents only a POLP analysis of the question. A POLA
analysis would additionally determine who may learn the contents of
the segment by sending a request to a principal that is directly
authorized to read the segment, and so on, recursively.
Informally, I also use the POLP vs POLA distinction as a shibboleth
for distinguishing authors with a deeper understanding of the problem.
For example, the above question posited by Saltzer and Schroeder is
itself flawed. The question is not "who may access this segment", but
"who is to be held accountable for accesses to this segment". The
former question reflects a crucial misunderstanding of what it means
to delegate access.
The thread continues this month (November) in:
I just thought I would bring it to your attention in case you are
interested. If you are interested, feel free to channel any response through me
or directly to the list if you like.
I'll post his reply with his permission in a separate message.
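The distinction Tyler Close draws above, that a POLP analysis stops at the ACL while a POLA analysis follows requests recursively, can be made concrete as a small graph computation. The following is an added example, not code from the cap-talk thread or from any of the papers cited in it; the principals, segments, ACL entries and request channels are all constructed for illustration.

```python
"""Constructed example: permission (POLP) versus authority (POLA).

Principals hold direct permissions on segments (the access control list,
which is all a POLP analysis examines).  Principals can also send requests to
other principals; a principal that can be asked to read a segment on the
requester's behalf is a conduit for the segment's contents.  A POLA analysis
therefore takes the closure of "is on the ACL" over the "can send a request
to" relation.  All names and relations below are constructed, not taken from
any real system.
"""
from collections import deque

# Direct permissions: segment -> principals on its access control list.
ACL = {
    "payroll": {"alice"},
    "public_notes": {"alice", "bob", "carol", "dave"},
}

# Request channels: requester -> principals it can send requests to.
# (Constructed; in a real system this is derived from the capability/IPC graph.)
CHANNELS = {
    "bob": {"alice"},    # bob can ask alice to act on his behalf
    "carol": {"bob"},    # carol can ask bob, who can ask alice
    "dave": set(),       # dave cannot reach anyone
    "alice": set(),
}


def polp_readers(acl, segment):
    """POLP view: the principals directly listed on the segment's ACL."""
    return set(acl.get(segment, ()))


def pola_readers(acl, channels, segment):
    """POLA view: everyone who can learn the contents, directly or through a
    chain of requests.  Breadth-first search backwards over the channel graph:
    start from the ACL holders and add every principal that can send a request
    to an already-authorized principal, until nothing new appears."""
    requesters_of = {}
    for requester, targets in channels.items():
        for target in targets:
            requesters_of.setdefault(target, set()).add(requester)
    authorized = polp_readers(acl, segment)
    queue = deque(authorized)
    while queue:
        holder = queue.popleft()
        for requester in requesters_of.get(holder, ()):
            if requester not in authorized:
                authorized.add(requester)
                queue.append(requester)
    return authorized


def excess_authority(acl, channels):
    """Per segment, the principals whose authority exceeds their permission:
    exactly the flows a POLP analysis of the ACL fails to capture."""
    return {seg: pola_readers(acl, channels, seg) - polp_readers(acl, seg)
            for seg in acl}


def delegation_chain(acl, channels, segment, principal):
    """One request chain by which `principal` can reach the segment, ending at
    a direct ACL holder, or None if no such chain exists.  This is the chain an
    accountability question ("who is answerable for this access?") has to
    follow."""
    direct = polp_readers(acl, segment)
    parent = {principal: None}
    queue = deque([principal])
    while queue:
        current = queue.popleft()
        if current in direct:
            chain = []
            while current is not None:
                chain.append(current)
                current = parent[current]
            return chain[::-1]
        for target in channels.get(current, ()):
            if target not in parent:
                parent[target] = current
                queue.append(target)
    return None


if __name__ == "__main__":
    print("POLP readers of payroll:", sorted(polp_readers(ACL, "payroll")))
    print("POLA readers of payroll:", sorted(pola_readers(ACL, CHANNELS, "payroll")))
    print("Excess authority:", excess_authority(ACL, CHANNELS))
    print("carol's chain to payroll:", delegation_chain(ACL, CHANNELS, "payroll", "carol"))
```

With these constructed relations the ACL says only alice can read `payroll`, while the authority closure adds bob and carol, because each can route a request to a principal that already has the contents; dave has the same permissions as carol on `public_notes` but no channel, so his authority equals his permission. Removing a channel, not editing the ACL, is what shrinks the POLA set.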