[cap-talk] Reinterpreting POLA - "Authority Must Not Exceed Trust"
Toby Murray
toby.murray at comlab.ox.ac.uk
Tue Sep 18 05:05:19 EDT 2007
On Mon, 2007-09-17 at 16:37 -0700, David Wagner wrote:
> Toby Murray writes:
> >Given some means to calculate the authority A_o of each object, o, in a
> >system, and given the authority we're willing to trust each object to
> >wield, A_o', the system is insecure if for some o, A_o \superset A_o'
>
> "the authority we're willing to trust each object to wield" is not an
> objective criterion. It cannot be measured. It is not a yardstick that
> a software developer can use: it is not realistically measurable. Users
> make trust decisions for all sorts of peculiar and subjective reasons.
> My sister might trust any software that comes in professional-looking
> packaging, my brother might trust anything at all, my mother might trust
> whatever her friends use, and my father might not trust any software.
> There is no one answer, and the answers may not be rational, and they
> are probably not a very useful basis for making engineering decisions.
I disagree. Suppose we have a set of events, E_o, each of which
represents some action that component o could possibly perform.
I expect that no matter who you ask in the above list, they would
be surprised to learn that Microsoft Word has the power to sell their
goods on eBay. When Word is running and has a particular file open, I
expect that the user believes that Word ought to only have the authority
to perform events in E_o relating to the editing of that document.
I expect further that these user expectations translate into upper
bounds on trust. The user is willing to trust Word to perform only those
events in E_o related to editing the current document.
People make rational trust decisions all of the time. It's not their
fault that current OSes don't respect them.
>
> The "we" in "we're willing to trust" is ambiguous. To quote Tonto,
> who's we, kemo sabe?
>
> Do you know anyone who sits down and decides how much they're willing to
> trust each object in a piece of complex software before deciding whether
> to install that software?
> Users don't do that. That'd be ridiculous.
> If you ask a user how much they're willing to trust each object, the
> most likely answer you'll get is probably "Huh?".
Absolutely. But I'm looking for a criterion that can be applied by
someone who is formally modelling the system in question and trying to
determine whether it is secure or not. I'm after a simple test that *I*
can apply to a formal model of a real system to reason about whether
that real system is secure.
>
> Finally: Authority is just one aspect of security, it is not the
> whole forest. I don't think that trying to define security in terms of
> authority is going to work.
>
> Analyzing how much authority is granted to each object may well be a
> useful thing to do. That doesn't mean it is the definition of what it
> means for a system to be secure, though. Buckling my seat belt when I
> get in the car is a good idea, but that doesn't make it the definition
> of safety for cars.
No, it might not be sound. However, I expect that a system containing
excess authority should be considered insecure.
That said, the parallels between my definition and Ping's actor ability
model, which is designed to reason about the security of systems in
general from the user's perspective, give me some hope that this
criterion is not so useless.
Some examples of insecurity and how they are covered by my test:
1. An attacker breaches the network of company X and steals the credit
card details of its customers.
company X's system was insecure because the attacker, whom company X
didn't trust to be able to read the credit card details from the
network, had the authority to do so.
2. By running parallel sessions of the Needham-Schroeder Public Key
protocol, an attacker can cause authentication failure.
NS-PK was insecure because nobody trusts anyone to be able to cause
authentication failures in the NS-PK protocol.
3. Burglar comes into my unlocked house.
I don't trust burglars to be able to enter my house.
(Note that if it were a family member coming into my unlocked house, I
wouldn't consider it a breach of security, since I trust them to do so.)
I expect that many, if not all, security breaches can be framed in terms
of this definition. That's why I find it useful.
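The test stated in this message (authority A_o versus the trust bound A_o') can be run mechanically once there is "some means to calculate the authority A_o of each object". Below is an added example, not code from the cap-talk thread or from Toby Murray, that models one such means: a toy capability graph in which A_o is the set of events an object can reach, transitively, through the capabilities it holds. "Exceeds trust" is read as the set difference A_o minus A_o' being non-empty, which is this example's assumption about the author's \superset notation. The object names, event labels, the Word-on-an-ambient-authority-OS scenario and the unlocked-house scenario (examples from the message) are all constructed for illustration.

```python
"""Toy model of "authority must not exceed trust" (added example, not from
the cap-talk thread). Authority A_o = events reachable from object o through
the capabilities it holds; trust bound A_o' = events we are willing to let o
perform. Excess = A_o - A_o' (assumed reading of "exceeds"). All data below
is constructed."""

from collections import deque
from typing import Dict, Set

Graph = Dict[str, Set[str]]   # object -> objects it holds a capability to
Events = Dict[str, Set[str]]  # object -> events it can directly perform


def authority(obj: str, caps: Graph, direct: Events) -> Set[str]:
    """A_o: every event reachable from obj by following held capabilities."""
    seen, todo = {obj}, deque([obj])
    reach: Set[str] = set()
    while todo:
        cur = todo.popleft()
        reach |= direct.get(cur, set())          # events cur can perform itself
        for nxt in caps.get(cur, set()):         # plus anything cur can reach
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return reach


def excess_authority(caps: Graph, direct: Events, trust: Events) -> Dict[str, Set[str]]:
    """For each object with a stated trust bound, the events in A_o but not
    in A_o'. Objects without a stated bound are not judged."""
    result: Dict[str, Set[str]] = {}
    for obj, bound in trust.items():
        extra = authority(obj, caps, direct) - bound
        if extra:
            result[obj] = extra
    return result


def is_insecure(caps: Graph, direct: Events, trust: Events) -> bool:
    """The message's test: insecure iff some object has excess authority."""
    return bool(excess_authority(caps, direct, trust))


# Constructed scenario: Word with a document open.
DIRECT: Events = {
    "report.doc": {"edit:report.doc"},
    "network": {"net:connect"},
    "ebay-session": {"ebay:sell"},   # the user's logged-in session (constructed)
}
# Ambient authority: the OS hands every process the whole network stack,
# through which the live eBay session is reachable.
AMBIENT_CAPS: Graph = {"word": {"report.doc", "network"}, "network": {"ebay-session"}}
# POLA: Word receives only the document it was asked to open.
POLA_CAPS: Graph = {"word": {"report.doc"}, "network": {"ebay-session"}}
# The user trusts Word only to edit that document.
TRUST: Events = {"word": {"edit:report.doc"}}

# Constructed scenario: the unlocked house. Same authority for both visitors;
# only the trust bound differs, so only one of them is a breach.
HOUSE_DIRECT: Events = {"house": {"enter:house"}}
HOUSE_CAPS: Graph = {"burglar": {"house"}, "family": {"house"}}
HOUSE_TRUST: Events = {"burglar": set(), "family": {"enter:house"}}

if __name__ == "__main__":
    print("ambient:", excess_authority(AMBIENT_CAPS, DIRECT, TRUST))
    print("pola:   ", excess_authority(POLA_CAPS, DIRECT, TRUST))
    print("house:  ", excess_authority(HOUSE_CAPS, HOUSE_DIRECT, HOUSE_TRUST))
```

Under the ambient-authority graph Word's authority reaches "net:connect" and "ebay:sell", both outside the trust bound, so the system is flagged insecure; under the POLA graph the excess is empty. In the house scenario the burglar and the family member hold identical authority, and the model flags only the burglar, which is exactly the point the message makes about trust being the yardstick.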