[cap-talk] Long live POLA! (was: Re: Lampson: Principle Of Least Privilege as damaging)
Jed Donnelley
jed at nersc.gov
Mon Apr 7 14:28:37 CDT 2008
On 4/7/2008 9:47 AM, Dean Tribble wrote:
> On Sun, Apr 6, 2008 at 1:14 PM, Jed Donnelley <capability at webstart.com> wrote:
>> Lampson:
>> "I think, for example, that the Principle Of Least Privilege has done an
>> enormous amount of damage to security because what it encourages
>> you to do is to make everything fine grain and work out all the
>> dependencies very carefully and it's too complicated. You can't keep
>> track of it. You're bound to mess it up. Even if you get it right today
>> it will be wrong three months from now. Nobody will have the patience
>> to ever look at it again because there's just too much of it. So I say
>> absolutely not least privilege, absolutely not fine grain protection.
>> Everything should be as coarse grain as possible because otherwise you
>> won't be able to administer it. That's a very unpopular position with
>> most people. I think there's a lot of empirical evidence that tells
>> us now that it's right."
>
> I really dislike straw men that presume to demonstrate a negative.
>
> As you note in your follow-on discussion, the assertion "complex
> policy configurations inevitably result in less security rather than
> in more" is likely true, but the assumption that fine-grained
> isolation *requires* separate and explicit "complex policy
> configuration" is the bogus reasoning step.
Exactly!
> POLA, or at least ocaps,
> are predicated on having patterns of objects that achieve fine-grained
> isolation as part of making normal progress in the computation.
> Programmers maintain systems with millions of moving parts making
> progress all the time.
Thanks, Dean. I couldn't have said so better myself - and didn't.
It seems to me that "normal progress in the computation" is
essentially transformed into method invocations rather than
subroutine calls with their potential for global access and
other non-memory-"safe" operations.
> So, POLP is dead, long live POLA!
>
> :-)
Hmmm. I don't know about labeling as "dead" the long and
in my opinion appropriately valued POLP concept (e.g.
Newtonian Mechanics is dead, long live Relativistic Mechanics!),
but I'm happy to share pursuit of the modern POLA refinement.
:-)
--Jed http://www.webstart.com/jed/
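The point Dean and Jed are making above, that fine-grained isolation can fall out of ordinary object composition rather than out of a separately maintained policy table, is easiest to see in code. The following is an added illustration, not code from either message or from any capability system named on this list; the class and function names (`Log`, `ReadOnlyFacet`, `make_revocable`, `report`, `summarize`) are hypothetical. It contrasts a routine that reaches a global resource (ambient authority, which a POLP regime would have to fence off with an external policy) with routines that are handed only the object reference they need, plus two standard ocap patterns, an attenuating facet and a revocable forwarder, that refine authority without any configuration outside the program itself.

```python
"""Object-capability sketch (added example, hypothetical names).

Holding a reference to an object *is* the authority to use it, so the
set of things a routine can touch is exactly the set of references it
was given. No separate access-control list has to be kept in sync.
"""
from __future__ import annotations


class Log:
    """A resource with full authority: append and read."""

    def __init__(self) -> None:
        self._lines: list[str] = []

    def append(self, line: str) -> None:
        self._lines.append(line)

    def read(self) -> list[str]:
        return list(self._lines)


class ReadOnlyFacet:
    """Attenuation: a narrower object that exposes only `read`."""

    def __init__(self, log: Log) -> None:
        self._log = log

    def read(self) -> list[str]:
        return self._log.read()


def make_revocable(target):
    """Return (proxy, revoke). The proxy forwards every attribute lookup
    to `target` until `revoke()` is called, after which any use fails."""
    state = {"target": target}

    class Proxy:
        def __getattr__(self, name):
            current = state["target"]
            if current is None:
                raise PermissionError("capability revoked")
            return getattr(current, name)

    def revoke() -> None:
        state["target"] = None

    return Proxy(), revoke


# --- Ambient-authority style: the subroutine reaches a global by name. ---
# Any code in the process can do the same; restricting it needs an external
# policy (POLP) that must be maintained separately from the code.
GLOBAL_LOG = Log()


def report_ambient(msg: str) -> None:
    GLOBAL_LOG.append(msg)


# --- ocap style: the method is invoked on whatever object the caller passed. ---
# Authority is scoped by the argument list, which is already part of "normal
# progress in the computation".
def report(log_writer, msg: str) -> None:
    log_writer.append(msg)


def summarize(log_reader) -> int:
    return len(log_reader.read())


def demo() -> dict:
    """Exercise the patterns and return observable results (constructed data)."""
    log = Log()
    report(log, "boot ok")                 # writer holds full authority
    ro = ReadOnlyFacet(log)
    lines = summarize(ro)                  # reader can count lines...
    facet_can_write = hasattr(ro, "append")  # ...but has no append at all
    proxy, revoke = make_revocable(ro)
    before_revoke = summarize(proxy)
    revoke()
    try:
        summarize(proxy)
        revoked = False
    except PermissionError:
        revoked = True
    return {
        "lines": lines,
        "facet_can_write": facet_can_write,
        "before_revoke": before_revoke,
        "revoked": revoked,
    }


if __name__ == "__main__":
    print(demo())
```

`summarize` never has to be checked against a policy: it cannot append because the facet it was handed has no `append`, and after `revoke()` it cannot even read. That is the "millions of moving parts" observation in miniature, since each refinement is just another object in the program rather than a row in an administrator's table.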