[E-Lang] Re: Defense in depth

puff@guild.net
Wed, 24 Jan 2001 13:49:41 -0500


Jonathan Shapiro wrote:
> That said, I want to add that even if we achieve what you say, it isn't
> enough. I am *desperately* trying to get out of the kernel on the EROS
> project, because the real need is to investigate how we build manageable
> user software in this world. If we are unable to translate this style of
> software into something that relatively ordinary developers can use with a
> high probability of success, we have failed. I had some experience with this
> in the development of C++. It is part of why I am very pleased that MarkM is
> working on E.

     Speaking of relatively ordinary developers :-)... One of us
relatively ordinary types would like to ask for some advice.  I hope
this isn't too far out of bounds for the list.

     I'm working on a project that's building a multi-user business
system in Java.

     The application is very document-centric, and we're making heavy
use of XML DOMs and XSLT transformations, not just as an external
communications format, but as the internals of the system.  Most of
what we're doing centers on receiving XML transactions from the
outside world, matching them up with XML DOM fragments from inside the
system, applying XSLT transformations against them, and sending the
resulting XML transaction back out.  Some of the transactions will be
modifications to the existing XML DOMs or transformations.

     Access control is, of course, a requirement, and security is a
concern.  Where do I go next for general reading on designs for
multi-user access control systems?

     We're already leaning towards having a model where each resource
object has a set of definitions of operations corresponding to a set
of eight standard operations (browse, read, edit, insert, approve,
delete (mark as deleted), execute, admin), and each user has set
permissions for each resource+operation.  But this isn't based on any
sort of foundation of theory.  Is it possible to apply a capability
type approach to this without trying to build a full-blown capability
system?  Is there a paper anywhere that talks about different
approaches to this?

David Wagner wrote:
>> The good news for the virtual world: mathematics tells us there are walls
>> you can build that are "near-perfect and perfect", [...]
> 
> This may be true of crypto, but crypto is only a small piece of the
> puzzle.  Steve Bellovin counted CERT advisories over the past decade
> and found that at most 15% of them go away if you assume perfect crypto
> deployed everywhere.  The rest is a matter of good systems design and
> high quality software, and in that regime, our walls are decidedly
> imperfect.  There's no magic bullet (no, not even capabilities!), and
> that's where redundant defenses can make a contribution.

     This is the kind of thing that keeps me up at night.  Network
security and server security are complex enough, but they're fairly
well-explored domains.  Application design security is kind of "out
there".  I've had thoughts about making a case to management for
getting some sort of application security consultant in to review our
design.  Is this done?  Are there people who consult on this sort of
thing regularly?  What would typical consulting fees be?

Steven J. Owens
puff@guild.net
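The two designs the post contrasts, the per-user/per-resource permission table over the eight standard operations and a capability-style handle to the same resource, side by side as an added example. This is illustration code written for this page, not code from the poster's project or from E; the class names (XmlResource, AccessMatrix, ResourceCap, AccessControlDemo), the user names and the "invoice-42" resource are all constructed for the example.

```java
import java.util.EnumSet;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

/** The eight standard operations listed in the post. */
enum Operation { BROWSE, READ, EDIT, INSERT, APPROVE, DELETE, EXECUTE, ADMIN }

/** Stand-in for an XML DOM fragment held inside the system (constructed for the example). */
final class XmlResource {
    private final String name;
    private String content;
    XmlResource(String name, String content) { this.name = name; this.content = content; }
    String name() { return name; }
    String content() { return content; }
    void replace(String newContent) { content = newContent; }
}

/**
 * Model 1: the access-matrix style described in the post. One table records, for each
 * (user, resource) pair, the permitted operations; every operation must look up the
 * caller's identity in this table before acting.
 */
final class AccessMatrix {
    private final Map<String, Map<String, EnumSet<Operation>>> grants = new HashMap<>();

    void grant(String user, String resource, Set<Operation> ops) {
        grants.computeIfAbsent(user, u -> new HashMap<>())
              .computeIfAbsent(resource, r -> EnumSet.noneOf(Operation.class))
              .addAll(ops);
    }

    boolean permits(String user, String resource, Operation op) {
        return grants.getOrDefault(user, Map.of())
                     .getOrDefault(resource, EnumSet.noneOf(Operation.class))
                     .contains(op);
    }
}

/**
 * Model 2: a capability-style handle. Callers never hold the XmlResource itself, only
 * this object, and the object carries the operations it allows. No identity is consulted
 * at use time: possessing the handle is the authority.
 */
final class ResourceCap {
    private final XmlResource target;
    private final EnumSet<Operation> allowed;

    ResourceCap(XmlResource target, Set<Operation> allowed) {
        this.target = target;
        this.allowed = EnumSet.copyOf(allowed);
    }

    /** Attenuation: derive a weaker handle to the same resource, never a stronger one. */
    ResourceCap restrict(Set<Operation> subset) {
        EnumSet<Operation> narrowed = EnumSet.copyOf(subset);
        narrowed.retainAll(allowed);
        return new ResourceCap(target, narrowed);
    }

    boolean can(Operation op) { return allowed.contains(op); }

    String read() {
        require(Operation.READ);
        return target.content();
    }

    void edit(String newContent) {
        require(Operation.EDIT);
        target.replace(newContent);
    }

    private void require(Operation op) {
        if (!allowed.contains(op)) {
            throw new SecurityException(op + " not permitted on " + target.name());
        }
    }
}

public class AccessControlDemo {
    public static void main(String[] args) {
        XmlResource invoice = new XmlResource("invoice-42", "<invoice total=\"100\"/>");

        // Matrix model: the check is repeated at every call site, keyed by user name.
        AccessMatrix matrix = new AccessMatrix();
        matrix.grant("alice", "invoice-42", EnumSet.of(Operation.READ, Operation.EDIT));
        System.out.println("alice may edit: " + matrix.permits("alice", "invoice-42", Operation.EDIT));
        System.out.println("bob may read:   " + matrix.permits("bob", "invoice-42", Operation.READ));

        // Capability model: the table is consulted once (for example at login) to mint a
        // handle; from then on the handle alone decides. A reviewer can be given a
        // read-only attenuation of Alice's handle without a new table entry, and the
        // attenuation cannot add APPROVE because Alice's handle never had it.
        ResourceCap aliceCap = new ResourceCap(invoice, EnumSet.of(Operation.READ, Operation.EDIT));
        ResourceCap reviewerCap = aliceCap.restrict(EnumSet.of(Operation.READ, Operation.APPROVE));
        System.out.println("reviewer may read:    " + reviewerCap.can(Operation.READ));
        System.out.println("reviewer may approve: " + reviewerCap.can(Operation.APPROVE));
        try {
            reviewerCap.edit("<invoice total=\"0\"/>");
        } catch (SecurityException e) {
            System.out.println("reviewer edit refused: " + e.getMessage());
        }
        System.out.println("alice reads: " + aliceCap.read());
    }
}
```

The point of the pairing is the one the post is asking about: the matrix model can stay as the place where grants are recorded and administered, while the objects that the XSLT pipeline actually passes around are attenuable handles, so the permission question is answered once when a handle is minted rather than at every place a DOM fragment is touched. The handle is only as unforgeable as the language makes it; in Java that means keeping the XmlResource reference private and not exposing it through serialization or reflection.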