[cap-talk] Reinterpreting POLA - "Authority Must Not Exceed Trust"
Toby Murray
toby.murray at comlab.ox.ac.uk
Mon Sep 17 17:37:01 EDT 2007
On Mon, 2007-09-17 at 10:21 -0700, David Wagner wrote:
> Toby Murray writes:
> >I think we need a definition of security that takes into account a
> >user's perceptions. I don't think POLA does this adequately in some
> >cases.
>
> POLA isn't intended to serve as a definition of security. POLA is
> a design and implementation technique that can often be helpful in
> achieving security goals. Of course, there are other techniques, too.
> Following even all known techniques does not guarantee security and is
> not a definition of what it means for a system to be secure. We
> shouldn't conflate the techniques that we use to achieve our goals
> with the goals themselves.
Good point. I think I had indeed been conflating the two.
That said, I'd like to know why my stated definition is not useful as a
definition of what it means for a system to be secure. It has served me
well in a number of thought experiments so far. It also had the
advantage of being able to be formally defined:
Given some means to calculate the authority A_o of each object, o, in a
system, and given the authority we're willing to trust each object to
wield, A_o', the system is insecure if for some o, A_o \superset A_o'
In another message, David Wagner wrote:
> Toby Murray writes:
> >I'm trying to propose a criterion that can be used to
> >determine whether a system is secure from a particular stakeholder's
> >point of view.
>
> POLA is not a definition of security; it is a means to an end.
> The same goes for your proposed principle.
Can you elaborate further on this? I'm trying to come up with a
definition of security that can be used when analysing models of systems
to determine whether they're insecure.
So far, this definition has been useful. I'm yet to be able to come up
with anything else that I can usefully formulate and apply.