[cap-talk] Lampson: Principle Of Least Privilege as damaging
zarutian+cap-talk at gmail.com
Mon Apr 7 00:07:48 CDT 2008
On 7 April 2008, Pierre THIERRY <nowhere.man at levallois.eu.org> wrote:
> I suspect that Lamport here has a bias, in that the only systems he
> knows, for they are mostly the only ones you can see currently, are ACL
> systems. ACL systems are to security policies what state machines are to
> algorithms: a very limited vocabulary. In this regard, Ocaps truly are a
> programming language to express security policies. I think it was a
> point discussed in MarkM's thesis, that Ocaps enable the creation of
> security abstractions.
> In most mainstream systems that I know of, fine grained security indeed
> is mostly impossible to manage. In the limited domain of those ACL
> systems that are currently used, maybe Lamport is totally right. It may
> take a lot of wizardry and hard efforts to get POLP right with them.
I think the reason why POLP is unworkable in ACL systems is that the
designation and authorization graphs are separate and, as probably
everyone knows, keeping two interdependent datasets in sync is very hard.
Whereas in an ocap system the two graphs are one and the same and
therefore (intuitively deduced) the over-all system is simpler (less
Regarding the "stopgap" or "bailing" side of security:
As the Phrack article "Smashing the Stack for Fun and Profit" and
numerous other articles on code injection demonstrate, it is mostly
about confused-deputy attacks.
Antivirus, safe inputs and intrusion detection systems are about
finding the unsafe data that confuses authority-wielding programs into
treating it as code where that behaviour of the deputy was not intended.
With an ocap-based system such an attack isn't so bad, as it gives the
cracker only limited authority, but with (aptly named) eggshell security
you (as the sysop or sysowner) are pwned.
What is computer security about other than control of access to
resources, data and other components of the system?
Just my thoughts on this discussion.
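An added illustration (not code from the thread or its participants) of the point above about designation and authorization: in an ACL system a deputy applies its own ambient authority to a path the caller merely names, so a caller can confuse it into touching a resource the caller may not; in an ocap system designation and authority arrive together as one capability, so the deputy can only write where the caller already could. The ACL table, the `WriteCap` class and the file names are constructed for the demo.

```python
"""Constructed demo: ACL-style confused deputy vs. ocap-style deputy."""

# --- ACL world: authority is ambient, looked up by (principal, resource) ---
ACL = {"billing.log": {"logger"}, "out/report.txt": {"logger", "alice"}}
STORE = {}  # stands in for the filesystem


def acl_write(principal, path, data):
    # Authorization graph: consulted by the identity doing the write,
    # which is separate from whoever designated the path.
    if principal not in ACL.get(path, set()):
        raise PermissionError(f"{principal} may not write {path}")
    STORE[path] = data


def acl_logger_deputy(caller, out_path, payload):
    """Deputy runs as 'logger'. The caller supplies only a designation (a
    string); the deputy supplies its own authority and never checks the
    caller's, so naming 'billing.log' makes it overwrite that file."""
    acl_write("logger", out_path, payload)


# --- ocap world: the caller passes the capability itself ---
class WriteCap:
    """Unforgeable handle that both names a file and permits writing it."""
    def __init__(self, path):
        self._path = path

    def write(self, data):
        STORE[self._path] = data


def ocap_logger_deputy(out_cap, payload):
    # Designation and authority are one object; no ambient lookup exists.
    out_cap.write(payload)


def demo_confused_deputy():
    STORE.clear()
    STORE["billing.log"] = "real records"
    try:
        acl_write("alice", "billing.log", "junk")  # alice lacks the right
        direct = True
    except PermissionError:
        direct = False
    acl_logger_deputy("alice", "billing.log", "junk")  # but the deputy has it
    return direct, STORE["billing.log"]  # returns (False, 'junk')


def demo_ocap():
    STORE.clear()
    STORE["billing.log"] = "real records"
    alice_caps = {"out/report.txt": WriteCap("out/report.txt")}
    ocap_logger_deputy(alice_caps["out/report.txt"], "report")  # only place alice can name
    return STORE["billing.log"], STORE["out/report.txt"]  # ('real records', 'report')
```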