[cap-talk] Authority is always potential (was: Re: Reinterpreting POLA...)

Toby Murray toby.murray at comlab.ox.ac.uk
Thu Sep 20 04:04:38 EDT 2007


On Wed, 2007-09-19 at 18:36 -0700, Mark Miller wrote:
> First, I must admit I've only been skimming this thread, so my
> apologies if my remarks are redundant, irrelevant, or already refuted.
> But from the skimming I've done, it seems to me we keep dancing around
> a distinction that, IIUC, Fred got right in his thesis.
> 
> Authority is about causality. Causality is about counter-factuals,
> i.e., reasoning over sets of possible worlds consistent with one's
> partial knowledge. If you have full knowledge of an actual system,
> including the actual behavior of all the objects in the system under
> all conditions, then causality and authority are meaningless in
> attempting to describe this system. (To the creatures simulating our
> universe, "I" didn't cause this email message to be sent. The actual
> universe is the only possible universe, and the initial conditions of
> the universe already pre-determined that my hand would move to press
> the send button. It couldn't be any other way.)

I don't see how this is consistent with the confused deputy scenario.
(Alice is a user who invokes Carol, a compiler, supplying the name of
"Bill" to cause Carol to overwrite her billing file.)

Now suppose we *know* that Alice will always invoke Carol, so we can't
reasonably conclude that she doesn't have the authority to overwrite
Bill. I can't see how causation is ever irrelevant in this situation.

> 
> Fred's thesis distinguishes relied-upon objects from non-relied-upon
> objects. For a given system and a given stakeholder, that stakeholder
> will rely upon some objects to constrain the behavior of other objects
> they don't rely upon. The stakeholder's security analysis depends on
> modeling the behavior of their relied upon objects, i.e., of the
> objects whose behavior they rely on to be within the model of behavior
> they construct. For these objects, one does not speak of the authority
> they have, and one does not need to. The stakeholder cares to know a
> bound on the authority non-relied upon objects may come to possess.
> These are exactly the objects whose behavior the stakeholder assumes
> himself ignorant of. Any possible behavior, within the constraints of
> the other relied upon behaviors, is within the set of universes this
> stakeholder considers possible. The stakeholder therefore cares what
> authority their relied upon objects *provide to* non-relied upon
> objects.
> 
> Of course, one should also worry about whether one's models of relied
> upon objects are correct. Within a system such as Fred's, one can ask,
> for each relied upon object, what if we considered this a non-relied
> upon object? What's the worst that it could do? I would say that the
> answer tells us how much authority that object has. But to make this
> answer meaningful, I had to change the question.

That all seems reasonable and is the approach I've taken in my analyses
so far.
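The confused deputy scenario Toby refers to, as an added Python example that is not part of the post and not code from Fred's thesis or any cap-talk project. The names Alice, Carol and "Bill" follow the message; the in-memory filesystem, its ACL, the `WritableFile` capability class and the demo functions are all constructed for illustration. It contrasts the ambient-authority compiler (Carol writes under her own identity, so the name Alice supplies decides what is clobbered) with a capability-style compiler whose writes are bounded by the capability it is handed.

```python
# Added example (not from the cap-talk post): the confused deputy,
# modelled first with ambient authority and then with capabilities.
# The FileSystem, ACL, WritableFile and demo setup are constructed here.

from dataclasses import dataclass, field


@dataclass
class FileSystem:
    """Constructed in-memory store with a per-path write ACL."""
    files: dict = field(default_factory=dict)
    acl: dict = field(default_factory=dict)   # path -> set of principals

    def write(self, principal, path, data):
        # Ambient authority: the check depends on WHO asks, not on
        # whether the request ultimately originated with someone else.
        if principal not in self.acl.get(path, set()):
            raise PermissionError(f"{principal} may not write {path}")
        self.files[path] = data


def compile_by_name(fs, user_source, output_name):
    """Carol, ambient-authority style: she writes as 'carol', so any path
    the caller names that Carol may write gets overwritten."""
    fs.write("carol", output_name, f"compiled({user_source})")


class WritableFile:
    """Constructed capability: holding it IS the authority to write one path.
    No identity check is made; the bound on what Carol can touch is the
    set of capabilities she was handed."""
    def __init__(self, fs, path):
        self._fs, self._path = fs, path

    def write(self, data):
        self._fs.files[self._path] = data


def compile_to_capability(user_source, output_cap):
    """Carol, capability style: she can only write where she was given
    authority, so Alice cannot launder her own lack of authority through Carol."""
    output_cap.write(f"compiled({user_source})")


def confused_deputy_demo():
    """Returns (could Alice write 'Bill' directly?, final contents of 'Bill')."""
    fs = FileSystem(
        files={"Bill": "billing records"},
        acl={"Bill": {"carol"}, "Alice/out": {"alice", "carol"}},
    )
    try:
        fs.write("alice", "Bill", "x")
        alice_direct = True
    except PermissionError:
        alice_direct = False
    # Carol's owner relies on Carol to write only where the user may; Alice
    # names "Bill" and Carol's own authority does the damage.
    compile_by_name(fs, "prog", "Bill")
    return alice_direct, fs.files["Bill"]


def capability_demo():
    """Returns (contents of 'Bill', contents of 'Alice/out') after compiling."""
    fs = FileSystem(files={"Bill": "billing records"})
    # Constructed assumption: Alice holds a capability only to her own output
    # file, so that is the most she can ever pass to Carol.
    alice_output = WritableFile(fs, "Alice/out")
    compile_to_capability("prog", alice_output)
    return fs.files["Bill"], fs.files["Alice/out"]


if __name__ == "__main__":
    print(confused_deputy_demo())
    print(capability_demo())
```

In the first design the bound on the authority Carol provides to Alice is everything Carol herself may write, which is exactly the worst case Mark's "what if we considered this a non-relied-upon object?" question asks about; in the second it is whatever capabilities Alice already holds, so the billing file stays untouched.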
