[cap-talk] Lampson: Principle Of Least Privilege as damaging

Rob Meijer capibara at xs4all.nl
Sun Apr 6 17:21:26 CDT 2008


On Sun, April 6, 2008 22:14, Jed Donnelley wrote:
>
> Lampson makes the above statement (at 14:30 in the audio) in the
> context of this statement from Hoare (page 10 of his charts):
>
> The unavoidable price of reliability is simplicity. —Hoare
>
> He argues (rightly in my opinion) that complex policy configurations
> inevitably result in less security rather than in more.  This is
> exactly my problem with SELinux.  As per the most recent discussion
> with Jonathan, perhaps I'm wrong about this (as Lampson is as well)
> and perhaps with automated tools for adjusting policies a mechanism
> like SELinux can be made to make a positive contribution.

I am also a bit confused about his 'perfect security' statements
earlier on. From a risk management view (the context in which he places
it), perfect security is security that minimizes the projected long-term
costs, taking into account all known information about probabilities,
frequencies and costs of incidents and the cost of controls.
I'm not sure if he takes this same concept, and claims that RA experts are
too expensive, or if he interprets 'perfect' as 'zero projected incidents',
which would IMO be something you should not expect someone at his level to
use anyway.

For the idea of fine-grained (access) controls being bad, I agree there
is some reality in that, but only for 'hand-crafted' mandatory-style
system-level policies IMO.

I've tried in the past to create a framework (google for sipes and isecom
if you are interested) that would allow the results from statisticians with
an RA function to be pro-actively combined with incident response scenarios
in order to make some automatically generated fine-grained control policies
that would allow for better proportional incident response. Due to my
overconfidence in my human interaction skills combined with my complete lack
of experience with managing volunteer spare-time project members, this
project stranded only a few months after I completed the outlining document
and found a small group of volunteers eager to work on it. I tried
continuing it on my own, until I figured out that it would take me about
two decades to complete it as a single-person project.


There were two things I learned from this exercise. The first was "don't
start an open source project you can't complete all by yourself if you have
my people skills", and the second was that policy-based fine-grained
controls can, if done right, become way too big to manually create and
to manually adjust in a proportional way. This adjusting in a proportional
way without making mistakes is very important in case of incident
response.

To me this means two things:

* Don't ever hand-craft or hand-tune mandatory style policies.
* Make sure you have sufficient IR policies available.

I feel that when talking about hand-crafted and hand-tuned mandatory-style
system-level policies, then Lampson's arguments make perfect sense.
In any other context they would seem to have about the same amount of clue
as his strange statements on perfect security.

Rob
