[cap-talk] Lampson: Principle Of Least Privilege as damaging

Jed Donnelley capability at webstart.com
Sun Apr 6 18:16:40 CDT 2008


At 02:26 PM 4/6/2008, Fred Spiessens wrote:
>Hi all,
>
>I've read Lampson's depressing keynote too recently,

"read"?  Has it been transcribed to text somewhere?  I would
find that handy.  I've only found the audio and PDF charts:

http://www.usenix.org/events/sec05/tech/
The audio: http://www.usenix.org/events/sec05/tech/mp3/sec05_keynote_small.mp3
the charts: http://www.usenix.org/events/sec05/tech/lampson.pdf

>and it had the
>effect of narrowing my vision down to these possible choices:
>1. stop doing research on POLP and POLA (and maybe leave that to the
>real security experts, outside the academic domain)
>2. stop doing research on security
>3. keep on going anyway, without a short term perspective, just like
>before.

I find the above rather depressing.

>With a PhD on formalizing object capabilities, it was difficult to
>find a research position in mainstream security, and I did not find a
>suitable research project in a POLA or OCap related field.
>Capabilities are not (yet) frowned upon everywhere,

Yet?  Does that "yet" suggest that the frowning on capabilities
is increasing/spreading?

>but the overall
>impression seems to be that they are an unimportant and negligible
>part of safety research which is again a small part of security
>research.

1.  Why is POLA considered part of "safety" research?
2.  Why is it considered a "negligible" part of such research?

This "overall impression" is what I am most trying to resolve -
one way or another.  In this regard I very much appreciate:

At 01:35 PM 4/6/2008, Raoul Duke wrote:
>hi Jed,
>
>(Thanks for your non-flagging interest in sussing out where people are
>coming from, and why, and how it relates to what could/should be. It
>strikes me as a real attempt to be educated and to continue
>education.)

My perspective is necessarily very different from those with
more recent academic focuses in this area (e.g. FredS, MarkM,
DavidW, JonathanS - though even those four are coming from very
different places despite their recent interactions).  As DavidW
notes, I'm not as steeped in the general computer security
literature and so may find it helpful to ask others who are
more steeped for pointers to the "heat" in the area of
(or against) POLA.

At 02:26 PM 4/6/2008, Fred Spiessens wrote:
>My current research project ( http://www.esi.nl/short/poseidon/ ) is
>completely mainstream. I keep looking for ways to integrate object-
>capabilities into the project though, because I could not throw all
>that good stuff away even if I wanted to. Finding ways to combine the
>best in both approaches may be a way to raise interest and
>appreciation for object capabilities, trying the back door as the
>front door is closed.

It's that "front door is closed" that I'm most trying to
zero in on.  Why is that?  Is it appropriately closed
or should it be opened?  I'm naturally curious about
this topic, but it's also important for the Capability
Systems Workshop that I'm trying to organize.

When you say, above, "both approaches", I know the one
approach is the object-capability approach.  What is
the other?  Is it just non-object-capability, is it
ACLs, is it the 'patching and bailing' approach that
Lampson refers to as "resiliency":

>Resiliency: When TCB Isn’t Perfect
>Mitigation: stop bugs from being tickled
>– Block known attacks and attack classes
>-- Anti-virus/spyware, intrusion detection
>– Take input only from sources believed good
>-- Red/green; network isolation. Inputs: code, web pages, ...
>Recovery: better yesterday’s data than no data
>– Restore from a (hopefully good) recent state
>Update: today’s bug fix installed today
>– Quickly fix the inevitable mistakes
>– As fast and automatically as possible
>-- Not just bugs, but broken crypto, compromised keys, ...

or perhaps something else?

--Jed  http://www.webstart.com/jed-signature.html