[cap-talk] POLP v. POLA

Jed at Webstart donnelley1 at webstart.com
Fri Nov 4 14:58:38 EST 2005


I've been following the POLP v. POLA thread with interest but so far not with
much time to respond.  I thought perhaps I might be able to contribute most
by making an effort to engage Dr. Saltzer on this topic.  I wrote:

Dr. Saltzer,

There has been considerable discussion over the last few years about the phrase
"Principle Of Least Privilege" and what many consider a more modern comparable
notion, the "Principle Of Least Authority" - e.g. from: "Paradigm Regained: Abstraction
Mechanisms for Access Control" by Miller and Shapiro (a paper that I recommend for
other reasons):

"It is unclear whether Saltzer and Schroeder's Principle of Least Privilege is best
interpreted as least permission or least authority. As we will see, there is an
enormous difference between the two."


Recently there has been considerable discussion on this topic in a thread:

"POLP vs. POLA" on the "cap-talk" mailing list:


in this thread:


(e.g. in: http://eros.cs.jhu.edu/pipermail/cap-talk/2005-October/004065.html

you find this from Tyler Close:

POLA encompasses analysis of all the ways in which authority flows in
designs composed of protected objects and protected subsystems. In
general, a POLP analysis fails to capture some of these flows.

Interestingly, there is an example of such a failure in the Saltzer
and Schroeder essay. In the section discussing the ACL model, the
authors write:

"4. The question of "who may access this segment?" apparently is answered directly
by examining the access control list in the access controller for the segment. The
qualifier "apparently" applies because we have not yet postulated any mechanism for
controlling who may modify access control lists..."

The above represents only a POLP analysis of the question. A POLA
analysis would additionally determine who may learn the contents of
the segment by sending a request to a principal that is directly
authorized to read the segment, and so on, recursively.

Informally, I also use the POLP vs POLA distinction as a shibboleth
for distinguishing authors with a deeper understanding of the problem.
For example, the above question posited by Saltzer and Schroeder is
itself flawed. The question is not "who may access this segment", but
"who is to be held accountable for accesses to this segment".  The
former question reflects a crucial misunderstanding of what it means
to delegate access.

in: http://eros.cs.jhu.edu/pipermail/cap-talk/2005-October/004065.html

The thread continues this month (November) in:


I just thought I would bring it to your attention in case you are interested.  If you
are interested feel free to channel any response through me or of course comment
directly to the list if you like.

I'll post his reply with his permission in a separate message.

--Jed http://www.webstart.com/jed/ 
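As an added illustration of the distinction the thread turns on (this is not code from the cap-talk thread, from Tyler Close, or from the Saltzer and Schroeder paper), the following Python model carries Close's recursive analysis through on a small constructed system. A segment has an ACL (the permission view), a separate list of principals who may modify that ACL (the mechanism Saltzer and Schroeder note they had not yet postulated), and a "will act on requests from" relation between principals. The POLP question reads the ACL; the POLA question follows every one of those flows to a fixed point. All principal and segment names, and the shape of the three relations, are assumptions made for the example.

```python
"""Permission (POLP view) versus authority (POLA view) over a protected segment.

Constructed example, not from the cap-talk thread or the Saltzer/Schroeder
paper.  Three relations describe the system:

  acl[segment]       principals holding direct read permission on the segment
  acl_owners[segment] principals permitted to modify that segment's ACL
  acts_for[p]        principals whose requests p will honour (p acts on
                     their behalf, e.g. reads a segment and returns the data)

A POLP analysis answers "who may access this segment?" from acl alone.
A POLA analysis additionally counts anyone who can get a permitted reader
to read on their behalf, anyone who can rewrite the ACL, and anyone who can
get *those* principals to act, recursively.
"""
from collections import deque

# Constructed system state; every name here is hypothetical.
ACL = {"payroll": {"alice"}}            # only alice is on the ACL
ACL_OWNERS = {"payroll": {"admin"}}     # admin may edit the ACL
ACTS_FOR = {
    "alice": {"bob"},    # alice will read segments on bob's behalf
    "bob": {"carol"},    # bob will relay requests from carol
    "admin": {"dave"},   # admin will change ACLs when dave asks
    "erin": {"frank"},   # erin honours frank, but erin has no path to payroll
}


def polp_readers(segment, acl=ACL):
    """POLP view: the principals named on the segment's ACL, nothing more."""
    return set(acl.get(segment, set()))


def pola_readers(segment, acl=ACL, acl_owners=ACL_OWNERS, acts_for=ACTS_FOR):
    """POLA view: every principal that can come to learn the segment's contents.

    Seeds the set with direct readers and ACL editors, then walks the
    acts_for relation backwards to a fixed point: if p can learn the
    contents and p will act for r, then r can learn the contents too.
    """
    authority = set(acl.get(segment, set())) | set(acl_owners.get(segment, set()))
    queue = deque(authority)
    while queue:
        p = queue.popleft()
        for requester in acts_for.get(p, ()):
            if requester not in authority:
                authority.add(requester)
                queue.append(requester)
    return authority


def excess_authority(segment, **relations):
    """Principals absent from the ACL who nonetheless hold authority over it.

    This is exactly the set a POLP analysis fails to report.
    """
    return pola_readers(segment, **relations) - polp_readers(segment, relations.get("acl", ACL))


if __name__ == "__main__":
    print("POLP readers:", sorted(polp_readers("payroll")))
    print("POLA readers:", sorted(pola_readers("payroll")))
    print("missed by POLP:", sorted(excess_authority("payroll")))
```

Reading the output side by side makes the point concrete: the ACL names one principal, while the authority analysis also reaches the ACL editor, two principals who can route a read request through alice, and one who can have the ACL rewritten. Any "least privilege" review that stops at the ACL would sign off on a configuration in which five principals can read the segment.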
