[cap-talk] POLA API? 'IX/Windows API problem for POLA?
Jed at Webstart
donnelley1 at webstart.com
Mon Nov 14 18:50:32 EST 2005
At 11:38 PM 11/11/2005, David Wagner wrote:
>Rob J Meijer <rmeijer at xs4all.nl> writes:
> >This 'plenty of' may actually be part of the problem. If it would be
> >possible for all these papers and implementations to go into the direction
> >of some form of POLA posix interface definition, then I think the main
> >stream system developers may be found willing and able to implement it.
> >But the problem is that I don't believe POLA to be specific enough to allow
> >a one size fits all posix standard API.
>POLA is a principle, not an API. It is a guideline/heuristic for system
>design that is intended to be useful for many different kinds of systems.
>Asking for a common API for POLA is like asking for a POSIX-blessed API for
>"be conservative in what you send, liberal in what you accept".
Hmmm. I think there's a bit of meat related to the above that should
be discussed. For many of you this will be preaching to the choir,
but I expect some of these observations aren't universally shared -
even on this list. Also I think perhaps it's worthwhile to hash out
some of these big picture issues to come to a closer common understanding.
Firstly, POLA (and certainly POLP before it) is indeed a principle
and not itself an API.
However (and I believe this to be an important however), APIs can
lend themselves to POLA or can make POLA difficult and even make
using POLA nearly impossible.
The 'IX (POSIX, Unix, ...) and Windows APIs fall into the category of
making POLA nearly impossible to apply. The difficulty is that all
access control mechanisms in 'IX and Windows systems are based on
'users' (uids). It's uids that are in groups, that are owners, that
processes run as, etc. All access control mechanisms are based on
the notion of a 'user'. When a program executes a system call, for
example trying to write to a file, the system decides whether to
allow the access on the basis of the user's authority - which is what
I believe the notion of "ambient authority" is that has often been
discussed on this list.
If I'm about to start a program running (e.g. perhaps I find myself
downloading a browser plugin to display some new multimedia format or
maybe I received a program from a friend providing a humorous game or
display), how do I apply POLA to the authority that program has while
running under 'IX or Windows? In the case of the plugin I might want
it to have access to some configuration files and to its input and
output, but nothing more. In the case of the game/display program I
would want it to have access to muxed keyboard input and permission
to write to a display window, but nothing more. How do I do this on
'IX or Windows systems where all the access control APIs are based on
the notion of "user"?
Since I am personally the 'user' with the authority of at least my
command interpreter software, some of my programs run as
me. However, in general to apply POLA I don't want programs I
initiate to run as me as a 'user' in the 'IX/Windows sense. So what
do I do? I believe that the answer is that under 'IX/Windows the
APIs are so 'user' oriented (forks fork to a user, files are
protected to users/groups of users, etc.) that there is no practical
way to apply POLA.
Sure, one can work to build something like Plash for 'IX or Polaris
for Windows where you try to use the minimal facilities that are
there and then turn the access control paradigm on its head to get
something more like POLA. As you see in both Plash and Polaris they
create what amounts to an artificial 'user' with no permissions and
then grant a program running as that user limited permissions based
on POLA criteria. However, this amounts to ignoring access control
mechanisms provided by the native APIs and putting something else in
their place using more primitive facilities. Even once such a new
mechanism is in place it finds itself constantly fighting the native
access control mechanisms.
So ... I argue that something like a standard for a POLA API is
indeed needed. In such an API one would see the equivalent of fork
where the process would run simply as itself, not as any 'user'. It
could be initialized with some permissions when started and it would
have the ability to communicate permissions to and from other
processes during the course of its execution in accord with POLA principles.
In 'IX/Windows systems there aren't even any ways (APIs) for
processes to communicate permissions in accord with POLA principles.
I view this as a problem. Perhaps before addressing what to do about
such a problem I should check to see if others on the list agree that
the 'IX/Windows APIs are in fact a problem for POLA computing.
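The contrast the post draws between uid-based access control and a POLA-style process that "runs simply as itself" can be made concrete with a small model. The following is an added illustration, not code from the post, from Plash or from Polaris: it implements a kernel-style owner/group/other permission check driven by the uid a forked child inherits, beside a process that holds only explicit, attenuable capabilities handed to it at spawn time. The file names, uids and contents are constructed for the example.

```python
"""Constructed model of two access-control styles: a uid-based (ambient
authority) check as in 'IX/Windows, versus a process that holds only
explicit capabilities. Toy code for illustration; not a real kernel,
not Plash and not Polaris. All paths, uids and data are made up."""
from dataclasses import dataclass


@dataclass
class File:
    owner: int
    group: int
    mode: int      # Unix-style permission bits, e.g. 0o600
    data: str


# ---- Model 1: authority comes from the uid the process runs as ----------
@dataclass(frozen=True)
class UnixProcess:
    uid: int
    gids: frozenset


class UnixFS:
    """Kernel-style rwx check against the owner/group/other bits."""
    def __init__(self, files):
        self.files = files

    def open(self, proc, path, write=False):
        f = self.files[path]
        if proc.uid == f.owner:
            bits = (f.mode >> 6) & 7
        elif f.group in proc.gids:
            bits = (f.mode >> 3) & 7
        else:
            bits = f.mode & 7
        if not bits & (2 if write else 4):
            raise PermissionError(path)
        return f


def unix_fork(parent):
    # fork(2) semantics: the child runs as the same user and so inherits
    # every permission that user has, needed or not.
    return UnixProcess(parent.uid, parent.gids)


# ---- Model 2: authority is an explicit, transferable capability ---------
@dataclass(frozen=True)
class Cap:
    file: File
    rights: frozenset        # subset of {"read", "write"}

    def attenuate(self, *rights):
        """Derive a weaker capability to hand to another process."""
        return Cap(self.file, self.rights & frozenset(rights))


class CapProcess:
    """A process is only what it holds; there is no uid to fall back on."""
    def __init__(self, caps):
        self.caps = dict(caps)

    def open(self, name, write=False):
        cap = self.caps.get(name)
        if cap is None or ("write" if write else "read") not in cap.rights:
            raise PermissionError(name)
        return cap.file

    def grant(self, other, name, *rights):
        """Pass a (possibly attenuated) capability to another process."""
        other.caps[name] = self.caps[name].attenuate(*rights)


def cap_spawn(initial_caps):
    # The POLA analogue of fork: the child starts with exactly what it is given.
    return CapProcess(initial_caps)


def can(fn, *args, **kw):
    try:
        fn(*args, **kw)
        return True
    except PermissionError:
        return False


# Constructed filesystem: the user's private key sits next to the plugin's files.
FILES = {
    "/home/alice/.ssh/id_rsa": File(1000, 1000, 0o600, "PRIVATE KEY"),
    "/etc/shadow":             File(0, 0, 0o600, "root hashes"),
    "/home/alice/plugin.conf": File(1000, 1000, 0o644, "quality=high"),
    "/home/alice/input.bin":   File(1000, 1000, 0o644, "media"),
    "/home/alice/output.bin":  File(1000, 1000, 0o644, ""),
}


def demo():
    fs = UnixFS(FILES)
    alice = UnixProcess(1000, frozenset({1000}))
    plugin_u = unix_fork(alice)           # the downloaded plugin, uid model

    shell = CapProcess({                  # the user's shell holds full caps
        name: Cap(f, frozenset({"read", "write"}))
        for name, f in FILES.items() if f.owner == 1000})
    plugin_c = cap_spawn({})              # the same plugin starts with nothing
    shell.grant(plugin_c, "/home/alice/plugin.conf", "read")
    shell.grant(plugin_c, "/home/alice/input.bin", "read")
    shell.grant(plugin_c, "/home/alice/output.bin", "write")

    return {
        # uid model: between users the check works ...
        "uid_plugin_reads_shadow": can(fs.open, plugin_u, "/etc/shadow"),
        # ... but within one user it cannot express "not this file".
        "uid_plugin_reads_key": can(fs.open, plugin_u, "/home/alice/.ssh/id_rsa"),
        "cap_plugin_reads_key": can(plugin_c.open, "/home/alice/.ssh/id_rsa"),
        "cap_plugin_reads_conf": can(plugin_c.open, "/home/alice/plugin.conf"),
        "cap_plugin_writes_conf": can(plugin_c.open, "/home/alice/plugin.conf", write=True),
        "cap_plugin_writes_output": can(plugin_c.open, "/home/alice/output.bin", write=True),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {allowed}")
```

Running `demo()` shows the asymmetry the post describes: the forked plugin is correctly refused `/etc/shadow` (a different uid) but can read the user's private key, because the only question the uid model can ask is "who is this process running as". The capability process gets precisely the three handles the shell delegated, with the configuration file attenuated to read-only, and has no ambient route to anything else.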