[cap-talk] least authority gets some press

Jed Donnelley capability at webstart.com
Tue Jan 16 17:04:43 CST 2007


At 01:28 PM 1/16/2007, David Wagner wrote:
>Jed writes:
> >The application writer knows
> >what privileges (permissions) are necessary for the application -
> >except of course those that need to be requested from the user.  To
> >deal effectively with this situation I believe applications need to
> >come packaged with a profile that indicates what initial privileges
> >they need to run with.  At installation time the user should be
> >notified of these needed privileges for approval.  At that
> >installation time the documentation can of course justify the needed
> >privileges.  Once installed the application initialization process
> >should grant the application the needed initial privileges when
> >it's started.
>
>Sounds nice in theory, but the usability of this is potentially
>problematic.
>
>First, many application writers are not very knowledgeable about security,
>and they might not be able to answer questions about what privileges their
>application needs.

Hmmm.  We're talking about for initializing here.  The application
starts running (on any system) and it starts exercising privileges.
This should be easy to check - just start it without privileges and
add them as needed one or a group at a time until it's fully initialized.

I just believe the above procedure should be gone through once
for the application by the application writer(s) and not again and
again for every installation (installation time) and/or user (run time).

>Second, right now there's not a lot of incentive for
>application writers to ask for just what they need; it'd be too easy
>for a lazy application writer to just say "give me all privileges".
>(There's a reason that so many Windows apps seem to want to run with
>administrator privileges.)  Sure, we could imagine a market where users
>punish developers for asking for unnecessary privileges, but that's not
>the world we live in today, so before you invoke such an imaginary world,
>you'll have to explain how you plan to get there from here.

No matter how things are structured, whether permissions are asked
for at application installation time as I've suggested or later at run time,
you can have this situation where an application asks for all privileges.

At the installation time where I suggest, one hopes that the OS tools
support users (see below for privilege negotiation and approval) and tell
them that too many privileges or certain privileges (e.g. R/W access to
all a user's files plus network access) are too much and people should
not consider installing applications that ask for so much.  I believe that
would be disincentive enough.

>Third, and probably most seriously, I suspect that very few users are
>knowledgeable enough to make good decisions about what privileges an
>application should be granted.  If the app requests privilege X, is
>that a reasonable request that should be granted?  Most users won't be
>able to answer that question, and nor are they likely to want to think
>about it.  The user wants to get their work done, not mess around with
>these distractions.

That's a good point.  What I suggest in this area is that somebody
(e.g. Microsoft, but hopefully some independent security group that
works cross platform) applies their software identity/licensing muscle in an
area like this and identifies approved applications and the permissions
that they should properly be granted on installation.  In that case the
determination of what's appropriate is worked out between the application
writers and the approval group and the approval of appropriate privileges can
be granted automatically at installation (md5 or certificated or the like).

For non-approved applications (which hopefully are still allowed), the
communication about what's needed and what those privileges are
just needs to be clear.  If I want that unapproved third party application,
then I should take the time to make sure that the privileges that it's
requesting are really what I need it to have and that I trust it with
those privileges.  To be safe I can always grant it no privileges
at initialization and then grant it whatever it seems to need and I want
it to have interactively.  This later mechanism is also available in any
case even for applications with approved initialization privileges.
Matches and children.  Still, such a situation would be *hugely*
better than what we have now (ambient user/admin authority with
no checking at installation or run time).

>For these reasons, I think we'd better be realistic about what we demand
>of programmers and users, and be wary of unfounded optimism.

After over 30 years of failing to make a dent in the POLA area, I hardly
think I can be accused of "unfounded optimism."  However, if you are
saying that the approach that I'm suggesting can't work technically
(vs. in marketing/political terms), then please explain where it appears
to you to fall down.

--Jed http://www.webstart.com/jed/ 
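Two of the procedures argued for above, the developer-side "start it without privileges and add them as it trips over them" profile discovery and the install-time check that grants an approved profile automatically (keyed by a package digest) while warning the user when an unapproved profile asks for too much, as an added Python example. This is illustration code, not code from the cap-talk thread or from any real capability system: the privilege identifiers, the simulated application, the approval registry and the use of sha256 in place of the md5 or certificate mentioned in the post are all assumptions.

```python
"""Install-time privilege profile check and developer-side profile discovery.

Added example, not code from the cap-talk thread or any real capability
system.  Privilege names, the approval registry and the use of sha256 (the
post mentions md5 or certificates) are assumptions made for illustration.
"""
import hashlib
from dataclasses import dataclass

# Hypothetical privilege identifiers; the post names only "R/W access to all
# a user's files plus network access" as a combination that is too much.
ALL_PRIVILEGES = "*"
USER_FILES_RW = "fs:user-files:rw"
NETWORK = "net:any"


class NeedsPrivilege(Exception):
    """Raised by the simulated application when an operation lacks a privilege."""

    def __init__(self, privilege):
        super().__init__(privilege)
        self.privilege = privilege


def discover_profile(initialize, limit=32):
    """Developer-side procedure: start with no privileges, run initialization,
    and add each privilege it trips over until initialization completes."""
    held = set()
    for _ in range(limit):
        try:
            initialize(frozenset(held))
            return frozenset(held)
        except NeedsPrivilege as exc:
            held.add(exc.privilege)
    raise RuntimeError("initialization did not converge within the limit")


def sample_app_init(held):
    """Constructed application: needs its config file and the network to start."""
    for privilege in ("fs:app-config:r", NETWORK):
        if privilege not in held:
            raise NeedsPrivilege(privilege)


def package_digest(package: bytes) -> str:
    return hashlib.sha256(package).hexdigest()


# Approval registry: package digest -> privileges agreed between the
# application writers and the approval group (filled by register_approved).
APPROVED = {}


def register_approved(package: bytes, privileges):
    APPROVED[package_digest(package)] = frozenset(privileges)


def excessive(requested):
    """Reasons the install tool should tell the user the profile asks too much."""
    requested = set(requested)
    reasons = []
    if ALL_PRIVILEGES in requested:
        reasons.append("asks for all privileges")
    if USER_FILES_RW in requested and NETWORK in requested:
        reasons.append("read/write on all user files plus network access")
    return reasons


@dataclass
class Decision:
    mode: str             # "approved", "user-approved", "unprivileged" or "refused"
    granted: frozenset
    warnings: tuple = ()


def install(package: bytes, manifest_privileges, user_decides=None) -> Decision:
    """Decide the initial privileges an application is started with.

    A package whose digest is registered and whose manifest matches the
    approved profile is granted automatically.  Otherwise the user callback
    user_decides(requested, warnings) returns "grant", "none" or "refuse";
    with no callback the safe default is to start the application with no
    privileges so they can be granted interactively later.
    """
    requested = frozenset(manifest_privileges)
    approved = APPROVED.get(package_digest(package))
    if approved is not None and approved == requested:
        return Decision("approved", approved)
    warnings = tuple(excessive(requested))
    if approved is not None:
        warnings += ("manifest differs from the approved profile",)
    choice = user_decides(requested, warnings) if user_decides else "none"
    if choice == "grant":
        return Decision("user-approved", requested, warnings)
    if choice == "refuse":
        return Decision("refused", frozenset(), warnings)
    return Decision("unprivileged", frozenset(), warnings)


if __name__ == "__main__":
    app = b"constructed package bytes"
    register_approved(app, discover_profile(sample_app_init))
    print(install(app, [NETWORK, "fs:app-config:r"]))
    print(install(b"unknown app", [USER_FILES_RW, NETWORK]))
```

The digest check only ties the grant to the exact bytes the approval group looked at; a changed package falls through to the unapproved path, where the dangerous-combination warning and the "grant nothing, add interactively" default are what stand between the user and the "give me all privileges" manifest the reply worries about.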
