[cap-talk] Reinterpreting POLA - "Authority Must Not Exceed Trust"

David Hopwood david.hopwood at industrial-designers.co.uk
Mon Sep 17 10:35:40 EDT 2007


Toby Murray wrote:
> Hi cap-talk,
> 
> In my work on formalising authority, I've found it useful to strengthen
> the usual notion of POLA to arrive at a more general definition of what
> it means for a system to be 'secure'.
> 
> The traditional definition of POLA says that 
> 
> "the authority of each object/subject/program/process/user/whatever
> should not exceed that needed for it to perform its function(s)."
> 
> This is useful but doesn't admit notions such as "separation of duty"
> which need to be defined separately (because they appear orthogonal to
> the above definition).
> 
> It also presumes there is some global administrator that can define the
> correct function(s) of each entity in the system.

Correct function does not have to be decided by an administrator.

> Instead, I've found that a better definition of what we might desire is
> 
> "the authority of each object/subject/... should not exceed that which
> we trust it to wield."

I don't think that switching from "needed to perform its function" to
"which it is trusted to wield" is an improvement on the definition
of POLA. I think it's defining something else. A program can very well
satisfy POLA, and a particular user still does not trust it. A user's
choice not to trust something is entirely up to that user. They don't
have to justify their decision, and the decision doesn't even need to
have any rational basis -- it should be respected anyway (as far as
possible; if the component is in the system TCB then the user's only
recourse is not to use the system). So a particular user's trust in a
component is not an objective property of that component.

POLA, OTOH, should be defined relative to the intended function of a
component. This makes it a (somewhat) objective property of the component's
design. Yes, there may be disagreement on what the intended function
is, and to assess how well a given component satisfies POLA, we need to
resolve that disagreement. But the assessment does not depend on who
will trust the component and who won't.

-- 
David Hopwood <david.hopwood at industrial-designers.co.uk>
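An added illustration in object-capability style, not from the thread or from either poster, of the distinction drawn above: whether a grant of authority exceeds a component's intended function can be checked against the design alone, while a user's decision to stop trusting the component is a separate act (here, revoking a forwarder) that changes nothing about that assessment. All names here (FileStore, ReadOnly, Revocable, generate_report, INTENDED_FUNCTION) are made up for the example.

```python
"""Added example (not part of the cap-talk thread). Object-capability
style illustration: POLA is assessed against a component's intended
function, an objective property of the grant; a user's trust decision
is modelled separately as a revocable forwarder. All names are made up."""

from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class FileStore:
    """Ambient-style authority: list, read, write and delete any file."""
    files: dict[str, str] = field(default_factory=dict)

    def list(self) -> list[str]:
        return list(self.files)

    def read(self, name: str) -> str:
        return self.files[name]

    def write(self, name: str, data: str) -> None:
        self.files[name] = data

    def delete(self, name: str) -> None:
        del self.files[name]


@dataclass
class LogSink:
    """Capability to append lines to one log; nothing else."""
    lines: list[str] = field(default_factory=list)

    def append(self, line: str) -> None:
        self.lines.append(line)


class ReadOnly:
    """Attenuating proxy: exposes only list() and read() of a FileStore."""

    def __init__(self, store: FileStore) -> None:
        self._store = store

    def list(self) -> list[str]:
        return self._store.list()

    def read(self, name: str) -> str:
        return self._store.read(name)


class Revocable:
    """Forwarder its holder can cut off at any time. Revoking it is the
    user's trust decision; it needs no justification and says nothing
    about whether the component's design satisfies POLA."""

    def __init__(self, target: object) -> None:
        self._target = target

    def revoke(self) -> None:
        self._target = None

    def __getattr__(self, name: str):
        if self._target is None:
            raise PermissionError("capability revoked")
        return getattr(self._target, name)


def generate_report(store_ro, log) -> int:
    """The component under assessment. Intended function: one log line per
    stored file giving its size. Returns the number of files summarised."""
    count = 0
    for name in sorted(store_ro.list()):
        log.append(f"{name}: {len(store_ro.read(name))} bytes")
        count += 1
    return count


# Operations the component's intended function actually needs (assumed
# here as the agreed statement of its function).
INTENDED_FUNCTION = {"generate_report": {"list", "read", "append"}}


def exposed_operations(cap: object) -> set[str]:
    """Public callable operations reachable through one capability."""
    return {n for n in dir(cap)
            if not n.startswith("_") and callable(getattr(cap, n))}


def excess_authority(granted: dict[str, object], needed: set[str]) -> set[str]:
    """Operations reachable through the granted capabilities that the
    intended function does not need. Empty set: POLA holds for this grant,
    independently of whether any particular user trusts the component."""
    reachable: set[str] = set()
    for cap in granted.values():
        reachable |= exposed_operations(cap)
    return reachable - needed


def demo_trust_revocation() -> tuple[int, bool]:
    """A POLA-conforming grant the user later withdraws. Returns the first
    run's file count and whether the second run was refused."""
    store = FileStore({"a.cfg": "x=1"})
    log = LogSink()
    handle = Revocable(ReadOnly(store))
    first = generate_report(handle, log)   # 1: works while trusted
    handle.revoke()                        # user decides not to trust it
    try:
        generate_report(handle, log)
        refused = False
    except PermissionError:
        refused = True
    return first, refused


if __name__ == "__main__":
    store = FileStore({"a.cfg": "x=1", "b.cfg": "y=22"})  # constructed sample
    log = LogSink()
    needed = INTENDED_FUNCTION["generate_report"]
    print("ambient grant excess:", excess_authority({"store": store, "log": log}, needed))
    print("POLA grant excess:", excess_authority({"store": ReadOnly(store), "log": log}, needed))
    print("files summarised:", generate_report(ReadOnly(store), log), log.lines)
    print("after revocation:", demo_trust_revocation())
```

The excess-authority check is the objective part: it depends only on the agreed intended function and on what the handed-in capabilities expose, and gives the same answer whether or not anyone trusts the component. Revocation is the user's part and can be exercised against a grant that already satisfies POLA.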