[cap-talk] least authority gets some press

Jed Donnelley capability at webstart.com
Wed Jan 17 18:16:03 CST 2007 

At 11:39 AM 1/17/2007, David Wagner wrote:
>Jed and David, I mostly agree with you about least privilege and
>installing applications.  I think you're right that there are benefits
>to having application writers declare what privileges they need.  The
>application developers will need to be educated about this; figuring
>out what privileges the app will need isn't quite as trivial as you
>have made it out to be (just read some of the literature on getting
>Microsoft apps to run without Administrator privilege; there is a lot
>of experience to suggest that it's a bigger chore than your notes
>acknowledge; but it's doable).

There's a huge difference in the effort required to recognize and deal
with fine grained permissions (specific capabilities) vs. a multi-faceted
bundled "privilege" like "Administrator privilege" in Microsoft systems.  Such
a large bundled permission isn't amenable to the one by one approach
to determining which permissions are needed by an application.  Instead
one is faced with the fact that the bundled privilege is obviously
needed (the application doesn't work without it) and one is faced
with the problem of finding out in more detail just what aspects
(calls) of the bundled privilege are in fact needed.  Even with the
discovery of which calls are needed, one is faced with the impossible
situation that the privilege is all or nothing.  Eliminating specific uses
of aspects of the privilege don't solve the problem of needing it until
ALL such uses are eliminated.  I believe it's this bundled aspect of
privilege analysis that becomes non trivial in systems like MS Windows
or Unix.

>My fundamental disagreement is with the idea that at installation time the
>user should be notified of what privileges are needed.  I think that's not
>usable for non-power users.  I'm more persuaded by the alternative the
>two of you outlined.  For instance, one model that I can imagine might
>be workable would be for the distributions who aggregate applications
>to have teams whose job is to review the app's declarations of what
>privileges they need, and push back if the app's requested privilege
>level is exorbitant.  However, I do have to insist on one point: this
>is not just a technical problem.  There needs to be some incentive for
>application writers to spend the time and effort needed to build their
>app in a least-privilege friendly way, and to figure out exactly what
>privileges their app needs and to include that in the declaration.
>If the incentives aren't adequate, then this effort will fail.  This
>approach requires the cooperation of application writers, so application
>writers will have to want to cooperate.

Of course.  The incentive is sales.  Something like the "Good Security
Seal of Approval".

>My other point is that you should be careful not to leave the impression
>that "all you have to do is X and it's easy".  This would be a significant
>undertaking -- especially for legacy code.  It won't be cheap.

and it will be gradual.  The important thing from my perspective is to
get the basic mechanisms into place.  Again, however, I've been working
on this issue for some 30 years (as have some others) with no noticeable
progress, so my expectations aren't anywhere nearly as high as my hopes.

>As pretty
>much everyone who has tried to do this has discovered (including
>Microsoft, SELinux, etc.), retrofitting least privilege onto an existing
>code base requires pretty significant resources.

As I argued above and elsewhere, those examples aren't applicable
to any effort to do it POLA with capabilities.  SELinux in my opinion
is absolute and utter #$@&$%#  (I won't say it for the Web), but you
have my opinion.  The base model is just not workable.  I notice nobody
on the list has yet come to the defense of SELinux:

http://www.eros-os.org/pipermail/cap-talk/2007-January/007135.html

>That's why I think
>that the incentives and the establishment of a positive feedback loop
>are probably the biggest challenges here, not the technical issues.

I don't believe the incentives or the positive feedback loop can be developed
without the appropriate underlying technical essentials.  I believe one such
technical essential is something like the fine grained POLA model of computing
(lacking any demonstration of an alternative).

It's clear to me that no ambient authority model like SELinux (even if
"domains" and "roles" rather than users) will suffice.  To work a model
must provide programs (and thus the application programmers and users)
with privileges at the level where meaningful objects (e.g. individual
files) are made available to the applications.

--Jed http://www.webstart.com/jed/

More information about the cap-talk mailing list