[cap-talk] Lampson: Principle Of Least Privilege as damaging

Jed Donnelley capability at webstart.com
Sun Apr 6 16:33:54 CDT 2008


At 01:29 PM 4/6/2008, David-Sarah Hopwood wrote:
>Jed Donnelley wrote:
> > cap-talk,
> >
> > I decided it was worthwhile to go back through Lampson's keynote from
> > Usenix 05 and find where and in what context he presented his argument
> > against POLP:
> >
> > Lampson:
> > "I think, for example, that the Principle Of Least Privilege has done an
> > enormous amount of damage to security because what it encourages
> > you to do is to make everything fine grain and work out all the
> > dependencies very carefully and it's too complicated.
>
>Since no mainstream system has put significant effort into trying to
>follow the Principle of Least Privilege, I don't see how doing so can
>have been the cause of "an enormous amount of damage to security".

I take from the above that you didn't listen to Lampson's keynote talk.

http://www.usenix.org/events/sec05/tech/
The audio: http://www.usenix.org/events/sec05/tech/mp3/sec05_keynote_small.mp3
the charts: http://www.usenix.org/events/sec05/tech/lampson.pdf

I'll mention again that I think it would be worth your time.  Beyond
that, all I can do is try to state my naturally differently biased overview.
As I've noted I disagree strongly with his argument.

His argument I believe amounts to this:

1.  He agrees with:

The unavoidable price of reliability is simplicity. - Hoare

2.  To have security one must have reliability.
Therefore to have security one must have simplicity.

3.  If you compare two systems that are otherwise similar, but in
the one POLA has been added (by specifying what all the
authority relationships should be), then the one with POLA
added is inevitably more complex (less simple) and therefore
actually LESS secure.  He argues that systems with POLA
are *much* more complex and therefore less reliable and
less secure.

As I've noted, I believe this criticism can be accurately
applied to SELinux (though whether the argument follows to
its logical conclusion I'm not sure after my discussion
with Jonathan).  SELinux is such an "add-on" that applies
additional restrictions by policy.  If you listen to
Lampson's talk you will hear that he bemoans the lack of
security in defense systems and attributes that lack directly
to the influence of the National Security Agency and their
efforts to add such policy complexity (e.g. SELinux).

I believe the fundamental flaw in Lampson's reasoning
is that he doesn't acknowledge the potential to "piggyback"
POLA on what is already appropriate, necessary, and even
simplifying parameter passing for the purposes of
naming/designation in modular systems.

If POLA (POLP) isn't added on by necessarily complex
additional policy configurations (as it surely is with
SELinux), but is instead 'just' integrated into what
is already a modular system with parameter passing
for naming/designation by 'simply' enforcing domain
boundaries between the modules (otherwise invisible)
and by including authority with the passed parameters,
then the system is no more complex, but it can be
much more reliable and secure.

Of course we know that systems that aren't designed
with authority communicated by parameter passing as
their underlying basis for delegation often have
many obscure (e.g. "global" or public or ...) means
for sharing authority that end up causing problems
if one does try to enforce domain separation and
communication only by delegation of authority by
parameter passing.

I had an interesting discussion recently with Marc
Stiegler where he described some aspects of the
process that he goes through to "tame" a programming
language library (Joe-E, Caja, ...).  By this I take
him to mean he eliminates any need for authority
that is not explicitly delegated as a parameter
and he changes the interfaces to add any such needed
explicit delegation of authority as a parameter.

One can still argue (I'm not sure if Lampson
would so argue) that such a "tamed" language library
is necessarily more complex than the original
library interface - and therefore less reliable
and less secure.

I can only say that from my experience such is
not the case.  When delegation for authority is
a part and parcel of parameter passing for naming/
designation then I believe the resulting systems
can be (and generally are) both as simple and much
more reliable and secure.  This is my long term
'hope' for the future that goes beyond patching
and bailing - which, as many have noted, doesn't
seem to be improving our computer security
situation.

--Jed  http://www.webstart.com/jed-signature.html 
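To make the post's contrast concrete, here is an added JavaScript sketch (not code from the post, nor from Caja or Joe-E) of the two ways of getting POLA: an add-on policy table consulted on every name lookup, beside a "tamed" module that receives designation and authority together as one parameter. The `store`, `policy`, record names and module names are constructed for illustration.

```javascript
// Constructed stand-in for a shared system resource with globally nameable records.
const store = new Map([
  ["payroll/alice", "salary: 90000"],
  ["public/readme", "hello"],
]);

// Add-on style: every module can name every record, so least privilege has to be
// bolted on as a separate policy table that must list each principal's permitted
// names and be checked at each access (the kind of configuration the post
// compares to SELinux). The policy is a second description of the program.
const policy = { reporter: new Set(["public/readme"]) };
function readAmbient(principal, name) {
  if (!policy[principal] || !policy[principal].has(name)) {
    throw new Error(`policy denies ${principal} -> ${name}`);
  }
  return store.get(name);
}

// Capability style: designation and authority travel together. The caller that
// wants a module to read one record hands it a read-only facet of that record.
// There is no policy table; the facet is the only thing the module can use.
function readOnlyFacet(name) {
  if (!store.has(name)) throw new Error(`no such record ${name}`);
  // Frozen so the receiver cannot add or replace methods on the facet.
  return Object.freeze({ read: () => store.get(name) });
}

// The "tamed" module: all authority it needs arrives through its parameter.
// (Real taming in Caja/Joe-E also removes the ambient `store` global from the
// module's scope; in this single file that discipline is kept by convention.)
function reporter(readme) {
  return `report: ${readme.read()}`;
}

function demo() {
  const facet = readOnlyFacet("public/readme");
  return {
    viaPolicy: readAmbient("reporter", "public/readme"), // "hello"
    viaFacet: reporter(facet),                            // "report: hello"
    facetSurface: Object.keys(facet),                     // ["read"]
  };
}
```

Note that the tamed `reporter` has the same interface shape either way: one parameter designating what it should report on. Only the add-on version needs the extra `policy` structure kept in sync with the code.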