[cap-talk] POLA API? 'IX/Windows API problem for POLA?

Jed at Webstart donnelley1 at webstart.com
Mon Nov 14 18:50:32 EST 2005

At 11:38 PM 11/11/2005, David Wagner wrote:
>Rob J Meijer <rmeijer at xs4all.nl> writes:
> >This 'plenty of' may actually be part of the problem. If it would be
> >possible for all these papers and implementations to go into the direction
> >of some form of POLA posix interface definition, then I think the main
> >stream system developers may be found willing and able to implement it.
> >But the problem is that I don't believe POLA to be specific enough to allow
> >a one size fits all posix standard API.
>POLA is a principle, not an API.  It is a guideline/heuristic for system
>design that is intended to be useful for many different kinds of systems.
>Asking for a common API for POLA is like asking for a POSIX-blessed API for
>"be conservative in what you send, liberal in what you accept".

Hmmm.  I think there's a bit of meat related to the above that should 
be discussed.  For many of you this will be preaching to the choir, 
but I expect some of these observations aren't universally shared - 
even on this list.  Also I think perhaps it's worthwhile to hash out 
some of these big picture issues to come to a closer common understanding.

Firstly, POLA (and certainly POLP before it) is indeed a principle 
and not itself an API.

However (and I believe this to be an important however), APIs can 
lend themselves to POLA or can make POLA difficult and even make 
using POLA nearly impossible.

The 'IX (POSIX, Unix, ...) and Windows APIs fall into the category of 
making POLA nearly impossible to apply.  The difficulty is that all 
access control mechanisms in 'IX and Windows systems are based on 
'user's, uids.  It's uids that are in groups, that are owners, that 
processes run as, etc.  All access control mechanisms are based on 
the notion of a 'user'.  When a program executes a system call, for 
example trying to write to a file, the system decides whether to 
allow the access on the basis of the user's authority - which is what 
I believe the notion of "ambient authority" is that has often been 
discussed on this list.

If I'm about to start a program running (e.g. perhaps I find myself 
downloading a browser plugin to display some new multimedia format or 
maybe I received a program from a friend providing a humorous game or 
display), how do I apply POLA to the authority that program has while 
running under 'IX or Windows?  In the case of the plugin I might want 
it to have access to some configuration files and to its input and 
output, but nothing more.  In the case of the game/display program I 
would want it to have access to muxed keyboard input and permission 
to write to a display window, but nothing more.  How do I do this on 
'IX or Windows systems where all the access control APIs are based on 
the notion of "user"?

Since I am personally the 'user' with the authority of at least my 
command interpreter software, some of my programs run as 
me.  However, in general to apply POLA I don't want programs I 
initiate to run as me as a 'user' in the 'IX/Windows sense.  So what 
do I do?  I believe that the answer is that under 'IX/Windows the 
APIs are so 'user' oriented (forks fork to a user, files are 
protected to users/groups of users, etc.) that there is no practical 
way to apply POLA.

Sure, one can work to build something like Plash for 'IX or Polaris 
for Windows where you try to use the minimal facilities that are 
there and then turn the access control paradigm on its head to get 
something more like POLA.  As you see in both Plash and Polaris they 
create what amounts to an artificial 'user' with no permissions and 
then grant a program running as that user limited permissions based 
on POLA criteria.  However, this amounts to ignoring access control 
mechanisms provided by the native APIs and putting something else in 
their place using more primitive facilities.  Even once such a new 
mechanism is in place it finds it constantly fighting the native 
access control mechanisms.

So ... I argue that something like a standard for a POLA API is 
indeed needed.  In such an API one would see the equivalent of fork 
where the process would run simply as itself, not as any 'user'.  It 
could be initialized with some permissions when started and it would 
have the ability to communicate permissions to and from other 
processes during the course of its execution in accord with POLA principles.

In 'IX/Windows systems there aren't even any ways (APIs) for 
processes to communicate permissions in accord with POLA principles.

I view this as a problem.  Perhaps before addressing what to do about 
such a problem I should check to see if others on the list agree that 
the 'IX/Windows APIs are in fact a problem for POLA computing.

--Jed http://www.webstart.com/jed/ 
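To make the ambient-authority point in the post concrete, here is an added example (not code from Jed's post, Plash or Polaris): on a Linux/'IX host a Python parent forks a "plugin" child. Handed paths, the child also reads a file it was never meant to see, because it runs as the same uid; handed only an inherited descriptor, it is designated exactly one file without resolving any path, although, as the post says, nothing in the 'IX API stops that child from opening other files as the user. The file names and contents are constructed for the demo.

```python
import os
import tempfile
def make_sample_files():
    # Constructed sample data: the config the plugin should read and a file it must not.
    d = tempfile.mkdtemp()
    conf, secret = os.path.join(d, "plugin.conf"), os.path.join(d, "secret.txt")
    with open(conf, "w") as f:
        f.write("format=example\n")
    with open(secret, "w") as f:
        f.write("not for plugins\n")
    return conf, secret

def _run_in_child(body):
    # Fork, run body() in the child (the 'plugin') and return its string result
    # through a pipe; an OSError is reported as 'denied:<errno>'.
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:                                  # child
        os.close(r)
        try:
            out = body().encode()
        except OSError as e:
            out = f"denied:{e.errno}".encode()
        os.write(w, out)
        os._exit(0)
    os.close(w)                                   # parent
    chunks = []
    while c := os.read(r, 4096):
        chunks.append(c)
    os.close(r)
    os.waitpid(pid, 0)
    return b"".join(chunks).decode()

def plugin_given_paths(conf_path, other_path):
    # 'IX model: the child runs as the same uid, so any path that uid may reach
    # resolves, including a file the plugin was never meant to see.
    def body():
        with open(conf_path) as f, open(other_path) as g:   # ambient authority
            return f.read() + "|" + g.read()
    return _run_in_child(body)

def plugin_given_descriptor(conf_path):
    # Capability-style designation: the parent opens the file and the child
    # inherits only the descriptor; it is never handed a path to resolve.
    fd = os.open(conf_path, os.O_RDONLY)
    try:
        return _run_in_child(lambda: os.read(fd, 4096).decode())
    finally:
        os.close(fd)
```

The descriptor variant shows what "communicating a permission" rather than a name looks like; it does not by itself take away the child's uid authority, which is the gap the post is describing.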
