[cap-talk] Any hope in RSA 2008?

Jed Donnelley capability at webstart.com
Sun Apr 6 16:37:33 CDT 2008


At 10:08 PM 4/4/2008, Raoul Duke wrote:
> >  > perhaps the Titanic might also help as a story which says "even those
> >  > people who live and breathe POLA are going to find new issues which
> >  > have to be resolved; nothing is perfect...
> >
> >  I guess I don't think so. Titanic was the *appearance* of POLA, not the
> >  reality.

>I see what you mean. However, to try to play devil's advocate for a
>moment, I'm guessing that there will be at least one or two tricky
>bugs or thinkos in any security system. Even with proofs you have to
>go back to Knuth's admonition about only having proven it correct ;-).
>So when you might say "this is POLA" maybe you are really saying "this
>is something akin to real perfect POLA and gosh i'm sorry about the
>zero day exploit those folks in Russia found". Just like the Titanic,
>things can be darned obvious in retrospect. (But I'm just a pessimist
>who really doesn't know much of anything about POLA.)

My position on POLA is that even with all other things being
equally vulnerable (domain boundaries, "zero day exploit"s, etc.)
POLA is still hugely better than only lesser (e.g. two)
domain separation.  In all cases you must depend on the
integrity of your domain separation.  With POLA, after you
get your domain separation working, then you get much
greater mileage out of it since there is so little
authority in any given domain.  Even with a "hole" that
lets a Trojan horse into a domain, the damage is minimized.
You don't take down the whole ship.

An additional benefit with POLA is that the exposure
(attack surface) for breaking a domain boundary is also
minimized.  Even if the domain separation is vulnerable
to some exploit, the interface that makes that exploit
available may not be visible to a program running in
a POLA minimized domain.

It seems to me awfully difficult to argue against
POLA.  The only possible argument I think is that it
costs too much - either in complexity or performance.
<Lampson's argument>
I think the complexity argument is exposed as weak
with the capability paradigm in that all you are
really doing is using conservative parameter passing.
This ties into my discussion of Lampson's views (see
the Lampson: POLP as damaging thread).

That leaves performance.  This is a legitimate concern
that I think can only really be tested with measurements.
Using language enforced domain separation can reduce
the cost of domain changes - perhaps nearly to the
level of subroutine calls?  Domain changes can be
heavily optimized in both software and hardware.  In
the end it seems that there has to be a cost/performance
trade-off made in architecting any system.  I believe
that reliability and security are such large problems
in many systems today and that performance issues are
often of lesser importance.  Consequently I believe
we would be better served by enforcing more domain
separation as long as it doesn't come at the cost
of complexity that will result in less reliability
and security.

--Jed  http://www.webstart.com/jed-signature.html  
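Jed's point that the capability paradigm is "just conservative parameter passing", as an added illustration that is not code from the original post: an untrusted plugin is handed only the narrow capability it needs rather than the whole application state, so a plugin that misbehaves can do no more than that capability allows. All names are hypothetical, and Python is not a capability-safe language (attribute access and globals are ambient), so this shows the discipline, not enforcement.

```python
# Added illustration (not from the cap-talk thread): conservative parameter
# passing in the capability style.  The same untrusted plugin is run once
# with the whole Store (ambient authority) and once with only an append
# capability (POLA).  All names are hypothetical; Python itself does not
# enforce capability discipline, so this demonstrates the pattern only.

class Store:
    """Stands in for the application's full authority: secrets plus a log."""
    def __init__(self):
        self.data = {"secret": "constructed-secret-value", "log": []}

class AppendOnlyLog:
    """The one capability granted to the plugin: append to one list.
    It deliberately exposes no way to read the list or reach the Store."""
    def __init__(self, sink):
        self._append = sink.append

    def append(self, line):
        self._append(str(line))

def untrusted_plugin(authority):
    """Does its legitimate job (write one log line) but also tries to read
    the secret through whatever object it was handed.  Returns what it got."""
    try:
        leaked = authority.data["secret"]      # works only with broad authority
    except AttributeError:
        leaked = None                          # capability has no such member
    sink = authority.data["log"] if hasattr(authority, "data") else authority
    sink.append("plugin ran")
    return leaked

def run_with_ambient_authority(store):
    """Anti-pattern: pass the whole Store; the plugin gets everything."""
    return untrusted_plugin(store)

def run_with_pola(store):
    """Conservative parameter passing: pass only the capability needed."""
    return untrusted_plugin(AppendOnlyLog(store.data["log"]))

def compare():
    """Run the same plugin under both regimes and report what it reached."""
    broad, narrow = Store(), Store()
    return {
        "ambient_leaked": run_with_ambient_authority(broad),
        "ambient_log": list(broad.data["log"]),
        "pola_leaked": run_with_pola(narrow),
        "pola_log": list(narrow.data["log"]),
    }
```

In both runs the plugin's legitimate work (the log line) succeeds; only under the narrow capability does its reach beyond that job come up empty, which is the "damage is minimized" property argued above.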
