[cap-talk] POLP v. POLA

Toby Murray toby.murray at dsto.defence.gov.au
Sun Oct 30 18:04:50 EST 2005


I agree completely with the spirit of Tyler's analysis; however, I want 
to pick up on a minor detail of terminology, since that's where this 
question began.

I've always thought there were three separate, but closely related, 
terms: privilege, permission and authority -- leading us to three 
different principles: least privilege, least permission and least 
authority.

From my understanding, least privilege was first recognisably defined 
by Saltzer and Schroeder, as already discussed.

I saw least permission and least authority first clearly articulated in 
"Paradigm Regained" by Mark Miller and Jonathan Shapiro, which from my 
understanding, was done to try to pin down some precise meaning. With 
least privilege, it isn't clear whether they're talking about de-jure 
(in-law) or de-facto (in-fact) propagation of authority, whereas with 
least permission (which corresponds to the state of the system "in-law") 
and least authority (state of the system "in-fact") the distinction is, 
by definition, obvious.

Therefore, with Tyler's analysis, I agree completely, but would replace 
the term "Least Privilege" with "Least Permission".

Unfortunately, this creates the situation where using "Least Privilege" 
is undesirable because it isn't clearly defined whether we are talking 
about Least Permission or Least Authority. But of course it's almost 
impossible to avoid using the term when first introducing the idea of 
Least Authority, since Saltzer and Schroeder is so widely recognised.

I wonder whether there is some consensus out there, about whether people 
intuitively understand "least privilege" as "least authority" or "least 
permission". If so, this would help a great deal in removing this sort 
of redundancy from the terminology. Is anyone aware, or has anyone seen 
any evidence to suggest one way or the other?

thanks,
Toby

Tyler Close wrote:

>On 10/29/05, Ian G <iang at systemics.com> wrote:
>
>>My question is this:  is there any substantial difference
>>between this principle and POLA?
>
>The key difference between essays that speak in terms of POLP
>(Principle of least privilege) and POLA (Principle of least authority)
>is nicely captured by a quote from the Saltzer and Schroeder essay on
>the scope of their analysis:
>
>"The final model (only superficially  explored) is of protected objects and
>protected subsystems, which  allow arbitrary modes of sharing that are
>unanticipated by the  system designer."
>
>POLA encompasses analysis of all the ways in which authority flows in
>designs composed of protected objects and protected subsystems. In
>general, a POLP analysis fails to capture some of these flows.
>
>Interestingly, there is an example of such a failure in the Saltzer
>and Schroeder essay. In the section discussing the ACL model, the
>authors write:
>
>"4. The question of "who may access this segment?"  apparently is
>answered directly by examining the  access control list in the access
>controller for the  segment. The qualifier "apparently" applies because we
>have not yet postulated any mechanism for controlling  who may modify access
>control lists.."
>
>The above represents only a POLP analysis of the question. A POLA
>analysis would additionally determine who may learn the contents of
>the segment by sending a request to a principal that is directly
>authorized to read the segment, and so on, recursively.
>
>Informally, I also use the POLP vs POLA distinction as a shibboleth
>for distinguishing authors with a deeper understanding of the problem.
>For example, the above question posited by Saltzer and Schroeder is
>itself flawed. The question is not "who may access this segment", but
>"who is to be held accountable for accesses to this segment".  The
>former question reflects a crucial misunderstanding of what it means
>to delegate access. Delegating access must not absolve the delegator
>of responsibility for the actions of the delegatee. If you only answer
>the question of who made the actual invocation, you misunderstand who
>is actually responsible for the consequences of the invocation. Once
>you understand that accountability is the key issue, you realize that
>the identity of the requestor is irrelevant and can only confuse the
>analysis.
>
>Tyler
>
>--
>The web-calculus is the union of REST and capability-based security:
>http://www.waterken.com/dev/Web/
>
>Name your trusted sites to distinguish them from phishing sites.
>https://addons.mozilla.org/extensions/moreinfo.php?id=957
>
>_______________________________________________
>cap-talk mailing list
>cap-talk at mail.eros-os.org
>http://www.eros-os.org/mailman/listinfo/cap-talk


-- 
Toby Murray
Advanced Computer Capabilities Group
Information Networks Division
DSTO, Australia

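An added illustration of the permission/authority distinction discussed above (not code from Toby, Tyler, or the cap-talk archive). It models the ACL-protected "segment" from the Saltzer and Schroeder quote: the permission analysis reads the ACL, while the authority analysis also follows Tyler's recursive question of who can obtain the contents by asking a principal that is directly permitted to read them. Every name, ACL entry and proxying channel below is a constructed assumption, chosen only to make the two answers differ.

```python
"""
Toy model of ACL-protected segments, contrasting a permission ("in-law")
analysis with an authority ("in-fact") analysis.

All principals, ACLs and proxying channels here are constructed for
illustration; they do not describe any real system.
"""
from collections import deque

# Constructed: who is named directly on each segment's access control list.
ACL = {
    "payroll": {"alice"},
    "logs": {"ops"},
}

# Constructed: de-facto channels. PROXIES["alice"] == {"bob"} means that
# alice will honour a "please read this for me" request from bob, so bob
# can obtain the contents of anything alice is permitted to read.
PROXIES = {
    "alice": {"bob"},
    "bob": {"carol", "ops"},
    "ops": set(),
}


def permission(segment, acl=ACL):
    """POLP-style answer: principals named directly on the ACL."""
    return set(acl.get(segment, set()))


def _reach(segment, acl, proxies):
    """Breadth-first walk from the permitted holders outward along the
    proxy channels.  Returns {principal: holder it would ask}, with None
    for principals that hold direct permission."""
    parent = {holder: None for holder in permission(segment, acl)}
    queue = deque(parent)
    while queue:
        holder = queue.popleft()
        for requester in proxies.get(holder, set()):
            if requester not in parent:
                parent[requester] = holder
                queue.append(requester)
    return parent


def authority(segment, acl=ACL, proxies=PROXIES):
    """POLA-style answer: principals who can obtain the contents, directly
    or by asking, recursively, someone who can."""
    return set(_reach(segment, acl, proxies))


def excess_authority(segment, acl=ACL, proxies=PROXIES):
    """Principals a permission-only review of this segment would miss."""
    return authority(segment, acl, proxies) - permission(segment, acl)


def delegation_chain(segment, principal, acl=ACL, proxies=PROXIES):
    """The chain of requests `principal` would use to read `segment`,
    from the requester down to a directly permitted holder; None if the
    principal has no authority over the segment at all."""
    parent = _reach(segment, acl, proxies)
    if principal not in parent:
        return None
    chain = [principal]
    while parent[chain[-1]] is not None:
        chain.append(parent[chain[-1]])
    return chain


if __name__ == "__main__":
    for seg in ACL:
        print(f"{seg}: permission={sorted(permission(seg))} "
              f"authority={sorted(authority(seg))} "
              f"missed by POLP={sorted(excess_authority(seg))}")
    print("carol -> payroll via", delegation_chain("payroll", "carol"))
```

Running it reports that the ACL for "payroll" names only alice, while alice, bob, carol and ops can in fact obtain its contents; the chain for carol is carol -> bob -> alice. The walk stops at the principals on the ACL because that is where the de-jure state is recorded; everything added beyond it comes from the de-facto channels, which is exactly the part a least-permission review does not see.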


