[cap-talk] DJB on Least Privilege

Toby Murray toby.murray at comlab.ox.ac.uk
Sat Nov 3 12:05:18 EDT 2007


An interesting paper has appeared from Daniel Bernstein: "Some thoughts
on security after ten years of qmail".

http://cr.yp.to/qmail/qmailsec-20071101.pdf

Lots of good insights. Some really good contradictions too that point
directly to the utility of the capability-security paradigm, which is
why I'm mentioning it here.

He lists six principles of security, three that he believes have worked
well and three that he regards as a distraction from building secure
systems.

One of those that has worked well has been to minimise the amount of
trusted code.

> The third answer is to reduce the amount of trusted code
> in the computer system. We can architect computer systems
> to place most of the code into untrusted prisons. "Untrusted"
> means that code in these prisons—no matter what the code
> does, no matter how badly it behaves, no matter how many
> bugs it has—cannot violate the user's security requirements

Surprisingly, he later asserts that trying to achieve least privilege
has been one of the distracting efforts in building secure systems.

> Many additional "security" efforts are applications of the "principle
> of least privilege".
> ...
> These "security" efforts work as follows. We observe that program P
> has no legitimate need to access operating-system resource R. We then
> use (and possibly extend) operating system control to prevent P from
> accessing R.

Of course, what he's criticising here is not least privilege, but the
difficulty of trying to achieve it in systems that do not unify
designation and permission. Least privilege is what he's arguing for
above when talking about putting untrusted code into prisons of course.

The seeming contradiction is resolved by recognising that the right (and
only practical way, as history has demonstrated) of implementing least
privilege is to first revoke all privileges and add only those that are
needed, in accordance with what the application knows about. These steps
are automatically performed for you when your software is implemented
and run on a capability-based architecture, of course.
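To make the contrast concrete, here is an added example (my own illustration, not code from Bernstein's paper or from qmail) that models the two approaches on a tiny in-memory "operating system". The ambient-authority model lets program P name any resource and bolts a deny list on afterwards, which is the "prevent P from accessing R" effort quoted above; the capability model starts P with nothing and hands it an unforgeable reference to exactly the resource it needs, so designation and permission are the same act. All names (`AmbientOS`, `ReadCap`, `prison`, the resource names and their contents) are constructed for this example.

```python
"""
Two ways of giving program P access to only what it needs, modelled on a
tiny in-memory "operating system". Everything here is constructed for
the example; it is not qmail's code or any real OS interface.
"""


class AmbientOS:
    """Ambient-authority model: any program can name any resource, and
    the OS enforces a separate, name-based deny list on every access."""

    def __init__(self, resources):
        self.resources = dict(resources)
        self.denied = {}  # program -> set of resource names it may not read

    def deny(self, program, name):
        self.denied.setdefault(program, set()).add(name)

    def read(self, program, name):
        # The check is by name, so it only covers resources somebody
        # remembered to enumerate for this program.
        if name in self.denied.get(program, set()):
            raise PermissionError(f"{program} may not read {name}")
        return self.resources[name]


class ReadCap:
    """Capability model: an unforgeable reference that both designates a
    resource and carries the permission to read it."""

    __slots__ = ("_data",)

    def __init__(self, data):
        self._data = data

    def read(self):
        return self._data


def make_read_cap(resources, name):
    """Run by the trusted part of the system, which decides what P gets."""
    return ReadCap(resources[name])


def prison(caps):
    """The untrusted code. It receives a dict of capabilities and nothing
    else: no resource table, no name it could turn into access."""
    return {label: cap.read() for label, cap in caps.items()}


def probe(os_, program, name):
    """Report whether the ambient model lets `program` read `name`."""
    try:
        os_.read(program, name)
        return "reachable"
    except PermissionError:
        return "blocked"


def run_ambient_model():
    """Deny-list approach: P is blocked from 'secrets' by name, but a
    resource added later is reachable because nobody extended the list."""
    os_ = AmbientOS({"config": "mode=fast", "secrets": "hunter2"})
    os_.deny("P", "secrets")
    # The system grows; the deny list does not grow with it.
    os_.resources["secrets-backup"] = "hunter2"
    return {name: probe(os_, "P", name)
            for name in ("config", "secrets", "secrets-backup")}


def run_capability_model():
    """Revoke-everything-then-grant approach: P holds a capability for
    'config' only, so growth of the resource table changes nothing."""
    resources = {"config": "mode=fast", "secrets": "hunter2"}
    caps = {"config": make_read_cap(resources, "config")}
    resources["secrets-backup"] = "hunter2"  # P has no reference to this
    return prison(caps)


if __name__ == "__main__":
    print("ambient   :", run_ambient_model())
    print("capability:", run_capability_model())
```

The point of the two result dictionaries is the direction of the default: in the ambient model the administrator must keep enumerating what P must not see as the system changes, while in the capability model P's reach is exactly the set of references it was handed, and nothing else needs auditing when a new resource appears.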

Cheers

Toby
