[cap-talk] "Immutable Law" #1 is alive and well at Microsoft

Jed Donnelley jed at nersc.gov
Fri Oct 5 00:06:29 EDT 2007


On 10/4/2007 4:20 PM, Ka-Ping Yee wrote:
> Microsoft's "threat" [1] modelling process made Slashdot a few days ago:
> 
>     http://it.slashdot.org/article.pl?sid=07/10/01/1556258
> 
> Larry Osterman, the author of the cited article series, cites the old
> "Immutable Law #1" as a reason to dismiss a category of threats:
> 
>     http://blogs.msdn.com/larryosterman/archive/2007/09/21/threat-modeling-again-threat-modeling-rules-of-thumb.aspx

Of course it is qualified somewhat in that he restricts it
to code "running at the same privilege level".  Still, the
fact that he (and generally the world) thinks that privileges
come in "level"s (I'm taken back to the Multics days...) and
not as distinct entities I do think is worth fighting for.

> Is this a meme worth continuing to fight?

Every time I've brought it up (e.g. when we made our Horton
presentation for the Usenix Security conference and sometimes
on this very list) I've been told that this Immutable
Law #1 is old and outdated stuff that nobody still takes
seriously - even though it is still posted on the Microsoft
site.  I'm told 'people' really know this "law" only applies
to very restricted circumstances (e.g. MS OS).  I don't agree
with this viewpoint.  I believe most people - even most
computer professionals - believe this "Law" is universal
and, as Microsoft says, "immutable."

> And if so, how should we fight it?

I say by getting it out there in talks and papers and
disputing it every chance we get.  Make sure that the
world knows that this "law" depends on the underlying
mechanisms for granting privileges to running programs.
If the mechanisms are ID based such as with ACLs then
this law applies.  If the mechanisms are capability
based then this #1 "Law" doesn't apply:

Break the #1 "Law"!  Use capability communication
for authorizations!!

Of course there are some environments where this
is old news, but I believe such environments are
still a rarity.  Slashdot isn't one of them.  We
interact in a rather rarefied environment.  Let's
not make the mistake of thinking much of the
computer community shares our views.

Whether that particular thread is worth using
as a forum for this idea I'm not sure.  Once
started, of course, any such disputation can take
on a life of its own and chew up considerable
time.  Personally I think published works are
better for such a purpose.  I feel we missed an
opportunity in the Horton paper, but you saw the
discussion on this list and in private where I
was outnumbered.  I expect if I was the primary
author of the Horton paper the #1 "Law" would
still be in there as a widely believed falsity.

Of course the "Law" applies to general Windows, Mac,
and Unix users.  Just not to CapDesk, Plash, Polaris,
and the like users (not to mention the historical
capability systems).

--Jed  http://www.webstart.com/jed/
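As an added illustration of the point made above (not code from the thread or from any of the systems it names): a small Python model in which the same untrusted plugin is run once under ID-based (ACL) authorization and once under capability-based authorization. The user name, file names and plugin are constructed, and the capability's unforgeability is assumed by convention rather than enforced by a language or OS.

```python
# Constructed model of why "Immutable Law #1" holds under ID-based (ACL)
# authorization but not under capability-based authorization. Not code from
# the cap-talk thread; the resource names and the plugin are invented here.
FILES = {"report.txt": "quarterly numbers", "ssh_key": "-----PRIVATE KEY-----"}

class AclStore:
    """ID-based: a caller names any resource and the store decides by *who*
    the caller is, so code run 'as alice' inherits all of alice's rights."""
    def __init__(self, acl):
        self.acl = acl  # {resource name: set of identities allowed to read}

    def read(self, identity, name):
        if identity not in self.acl.get(name, set()):
            raise PermissionError(name)
        return FILES[name]

class FileCap:
    """Capability: a reference to exactly one resource; holding it is the
    authority. Unforgeability is assumed by convention here (the plugin only
    uses what is in its env), as an ocap language or OS would enforce."""
    def __init__(self, name):
        self.name = name

    def read(self):
        return FILES[self.name]

def greedy_plugin(env):
    """Untrusted code: reads everything reachable through what it was given."""
    got = {}
    store, identity = env.get("store"), env.get("identity")
    if store is not None:          # ambient authority: name and try everything
        for name in FILES:
            try:
                got[name] = store.read(identity, name)
            except PermissionError:
                pass
    for value in env.values():     # capabilities that were handed in explicitly
        if isinstance(value, FileCap):
            got[value.name] = value.read()
    return got

def run_under_acl():
    """Law #1 holds: running the plugin 'as alice' exposes all of alice's files."""
    store = AclStore({"report.txt": {"alice"}, "ssh_key": {"alice"}})
    return greedy_plugin({"store": store, "identity": "alice"})

def run_under_caps():
    """Law #1 fails: the plugin holds one capability and can reach nothing else."""
    return greedy_plugin({"report": FileCap("report.txt")})
```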