[cap-talk] POLP v. POLA
toby.murray at dsto.defence.gov.au
Sun Oct 30 18:04:50 EST 2005
I agree completely with the spirit of Tyler's anaysis; however, I want
to pick up on a minor detail of terminology, since that's where this
I've always thought there were three separate, but closely related,
terms: privilege, permission and authority -- leading us to three
different principles: least privilege, least permission and least
From my understanding, least privilege was first recognisably defined
by Saltzer and Schroeder, as already discussed.
I saw least permission and least authority first clearly articulated in
"Paradigm Regained" by Mark Miller and Jonathan Shapiro, which from my
understanding, was done to try to pin down some precise meaning. With
least privilege, it isn't clear whether they're talking about de-jure
(in-law) or de-facto (in-fact) propagation of authority, where as with
least permission (which corresponds to the state of the system "in-law")
and least authority (state of the system "in-fact") the distinction is,
by definition, obvious..
Therefore, with Tyler's analysis, I agree completely, but would replace
the term "Least Privilege" with "Least Permission".
Unfortuantely, this creates the situation where using "Least Privilege"
is undesirable because it isn't clearly defined whether we are talking
about Least Permission or Least Authority. But of course it's almost
impossible to avoid using the term when first introducing the idea of
Least Authority, since Saltzer and Schroeder is so widely recognised.
I wonder whether there is some consensus out there, about whether people
intuitively understand "least privilege" as "least authority" or "least
permission". If so, this would help a great deal in removing this sort
of redundancy from the terminology. Is anyone aware, or has anyone seen
any evidence to suggest one way or the other?
Tyler Close wrote:
>On 10/29/05, Ian G <iang at systemics.com> wrote:
>>My question is this: is there any substantial difference
>>between this principle and POLA?
>The key difference between essays that speak in terms of POLP
>(Principle of least privilege) and POLA (Principle of least authority)
>is nicely captured by a quote from the Saltzer and Schroeder essay on
>the scope of their analysis:
>"The final model (only superficially explored) is of protected objects and
>protected subsystems, which allow arbitrary modes of sharing that are
>unanticipated by the system designer."
>POLA encompasses analysis of all the ways in which authority flows in
>designs composed of protected objects and protected subsystems. In
>general, a POLP analysis fails to capture some of these flows.
>Interestingly, there is an example of such a failure in the Saltzer
>and Schroeder essay. In the section discussing the ACL model, the
>"4. The question of "who may access this segment?" apparently is
>answered directly by examining the access control list in the access
>controller for the segment. The qualifier "apparently" applies because we
>have not yet postulated any mechanism for controlling who may modify access
>The above represents only a POLP analysis of the question. A POLA
>analysis would additionally determine who may learn the contents of
>the segment by sending a request to a principal that is directly
>authorized to read the segment, and so on, recursively.
>Informally, I also use the POLP vs POLA distinction as a shibboleth
>for distinguishing authors with a deeper understanding of the problem.
>For example, the above question posited by Saltzer and Schroeder is
>itself flawed. The question is not "who may access this segment", but
>"who is to be held accountable for accesses to this segment". The
>former question reflects a crucial misunderstanding of what it means
>to delegate access. Delegating access must not absolve the delegator
>of responsibility for the actions of the delegatee. If you only answer
>the question of who made the actual invocation, you misunderstand who
>is actually responsible for the consequences of the invocation. Once
>you understand that accountability is the key issue, you realize that
>the identity of the requestor is irrelevant and can only confuse the
>The web-calculus is the union of REST and capability-based security:
>Name your trusted sites to distinguish them from phishing sites.
>cap-talk mailing list
>cap-talk at mail.eros-os.org
Advanced Computer Capabilities Group
Information Networks Division
IMPORTANT: This e-mail remains the property of the Australian Defence
Organisation and is subject to the jurisdiction of section 70 of the
Crimes Act 1914. If you have received this e-mail in error, you are
requested to contact the sender and delete the e-mail.
More information about the cap-talk