[cap-talk] Reinterpreting POLA - "Authority Must Not Exceed Trust"
Jed Donnelley
capability at webstart.com
Mon Sep 17 12:03:01 EDT 2007
At 03:04 AM 9/17/2007, Toby Murray wrote:
>Hi cap-talk,
>
>In my work on formalising authority, I've found it useful to strengthen
>the usual notion of POLA to arrive at a more general definition of what
>it means for a system to be 'secure'.
>
>The traditional definition of POLA says that
>
>"the authority of each object/subject/program/process/user/whatever
>should not exceed that needed for it to perform its function(s)."
>
>This is useful but doesn't admit notions such as "separation of duty"
>which need to be defined separately (because they appear orthogonal to
>the above definition).
>
>It also presumes there is some global administrator that can define the
>correct function(s) of each entity in the system.
Hmmm. It may be that in some ways I'm convolving the POLA and
capability notions, but:
I've always assumed with a definition like above for POLA that
the 'needed for it to perform its function(s)' assumed a communication
boundary between mutually suspicious processes (domains, objects).
With that assumption there is certainly no need for any sort of
'global administrator' (I'm reminded of the message I just sent
about the GentleSecurity 'application database' and/or the SELinux
controls), but rather the access control focuses on a single
communication interface between two entities, a subject (the
sender) and an object (the receiver). In that regard the sender
sends (communicates) the minimum authority to get the needed
function (requested) performed.
In this context I believe the notion of POLA is perfectly
clear. It's only when one begins to try to view access control
from a global context (e.g. consider things from a God-like
viewpoint) that things start to get (rightly in my view)
awkward - mostly due to the difficulties of getting globally
relevant information to locally acting entities.
>Instead, I've found that a better definition of what we might desire is
>
>"the authority of each object/subject/... should not exceed that which
>we trust it to wield."
>
>In the case where "we" is a global system administrator and all entities
>are trusted to perform all of their functions, this collapses to
>traditional POLA. But it is also more general than POLA.
>
>It allows security to be defined separately from multiple points of
>view, for each of the stakeholders/actors in a system.
As I hope you see from the above, I already regard POLA as
defined separately for the viewpoint of every communication
boundary between objects.
>It also naturally admits separation of duty:
>
>We might have an accounting package whose functions include writing and
>approving purchase orders, for example. A running instance of that
>package might be trusted to perform the former but not the latter (and
>vice versa) in order to prevent it from approving its own purchase
>orders.
I believe that when one considers POLA only in the context of
communication between mutually suspicious entities then this
'separation of duty' is also a natural consequence.
>I've found this definition to be a useful generalisation of POLA. For
>example, under this definition excess authority is then defined as any
>authority that a subject is not trusted to have (rather than any
>authority that a subject doesn't require to perform its function(s)).
Perhaps I'm just being a bit slow to pick up on what you're suggesting
Toby, but from my perspective POLA is simply an obvious guideline
that suggests that there is no need to trust any object with more
authority than is needed to perform any request (function) that
is being asked of it across a communication (invocation) boundary.
Your use of the term 'subject' above is a bit confusing to me. I
find myself being drawn to and trying to avoid contrasting the
English 'subject' and 'direct object' as parts of a sentence. Of
course that 'direct object' can be shortened to 'object' and create
all sorts of confusion in the OO IT world.
>I'd be curious to get the feelings of others on this list as to its
>utility.
I guess I could summarize my comments above as "I don't get it".
I also feel that I'm more in line with the comments that David
Hopwood has made so far, but I won't yet comment indirectly
on those or Jonathan's comments so I can see how you respond to
my direct thoughts above.
I will ask with regard to:
At 08:12 AM 9/17/2007, Toby Murray wrote:
>I think I see where the disagreement comes from. I'm not trying to
>propose a design goal. POLA might well be the strongest design goal one
>can hope for. I'm trying to propose a criterion that can be used to
>determine whether a system is secure from a particular stakeholder's
>point of view.
what you mean by "stakeholder"? Is a 'stakeholder' an active
entity (object, process) in the system or is a 'stakeholder' some
external evaluator (e.g. human) of a system? I think this
distinction between entities acting within the system vs. entities
outside the system that may be regarding the system at a meta level
might be important for what you are focusing on. Entities within
the system can only operate across communication boundaries.
Entities outside the system can't operate in the system at
all and can only regard the system from the viewpoint of criteria
that they impose on the communicating entities.
--Jed http://www.webstart.com/jed-signature.html
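As an added illustration (not code from Jed's or Toby's posts, and not from any real accounting package), the purchase-order example written out the way Jed describes it: the "accounting package" is split into facets, each running instance is handed only the facet for the function it is trusted with across its communication boundary, and the receiving object makes its own separation-of-duty check. Names such as `Ledger`, `WriteFacet`, `ApproveFacet`, `grant` and the instance labels are hypothetical. Python cannot truly confine a reference (a bound method still carries `__self__`), so the code models the capability discipline rather than enforcing it.

```python
"""Separation of duty as a consequence of handing out minimal authority.

Constructed example: one shared Ledger, two facets conveying one
authority each, and a grant() that only issues the facets a running
instance is trusted to wield.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional


@dataclass
class PurchaseOrder:
    po_id: int
    author: str
    amount: int
    approved_by: Optional[str] = None


class Ledger:
    """Shared state of the accounting package. Callers never receive the
    Ledger itself, only facets built by grant()."""

    def __init__(self) -> None:
        self._orders: Dict[int, PurchaseOrder] = {}
        self._next_id = 1

    def _write(self, author: str, amount: int) -> int:
        po = PurchaseOrder(self._next_id, author, amount)
        self._orders[po.po_id] = po
        self._next_id += 1
        return po.po_id

    def _approve(self, approver: str, po_id: int) -> PurchaseOrder:
        po = self._orders[po_id]
        # Object-side check made by the receiver of the request: an
        # instance that wrote an order is refused approval of that order.
        if po.author == approver:
            raise PermissionError(f"{approver} may not approve its own order {po_id}")
        if po.approved_by is not None:
            raise ValueError(f"order {po_id} already approved by {po.approved_by}")
        po.approved_by = approver
        return po


class WriteFacet:
    """Conveys exactly one authority: write an order as `principal`."""

    def __init__(self, ledger: Ledger, principal: str) -> None:
        self._write = ledger._write  # only the write entry point is retained
        self._principal = principal

    def write(self, amount: int) -> int:
        return self._write(self._principal, amount)


class ApproveFacet:
    """Conveys exactly one authority: approve an order as `principal`."""

    def __init__(self, ledger: Ledger, principal: str) -> None:
        self._approve = ledger._approve
        self._principal = principal

    def approve(self, po_id: int) -> PurchaseOrder:
        return self._approve(self._principal, po_id)


FACETS = {"write": WriteFacet, "approve": ApproveFacet}


def grant(ledger: Ledger, principal: str, trusted_to: Iterable[str]) -> Dict[str, object]:
    """Hand `principal` only the facets for the functions it is trusted with."""
    return {name: FACETS[name](ledger, principal) for name in trusted_to}


def excess_authority(held: Iterable[str], trusted_to: Iterable[str]) -> FrozenSet[str]:
    """Toby's criterion: authority held that the holder is not trusted to wield."""
    return frozenset(held) - frozenset(trusted_to)


def run_scenario() -> Dict[str, object]:
    """Instance A may only write, instance B may only approve (constructed)."""
    ledger = Ledger()
    instance_a = grant(ledger, "instance-A", frozenset({"write"}))
    instance_b = grant(ledger, "instance-B", frozenset({"approve"}))
    po_id = instance_a["write"].write(500)
    po = instance_b["approve"].approve(po_id)
    return {
        "author": po.author,
        "approved_by": po.approved_by,
        # A was never handed an approve facet, so self-approval is not even expressible.
        "a_holds_approve": "approve" in instance_a,
        "excess_a": excess_authority(instance_a, {"write"}),
    }


def self_approval_blocked() -> bool:
    """Even an instance trusted with both functions cannot approve its own order."""
    ledger = Ledger()
    instance_c = grant(ledger, "instance-C", frozenset({"write", "approve"}))
    po_id = instance_c["write"].write(100)
    try:
        instance_c["approve"].approve(po_id)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print(run_scenario())
    print("self-approval blocked:", self_approval_blocked())
```

The first function shows Jed's reading: once each instance receives only the authority its request boundary needs, separation of duty needs no separate rule. The second shows the receiver-side check that still matters when one instance is trusted with both functions.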