[E-Lang] defense in depth

Marc Stiegler marcs@skyhunter.com
Thu, 25 Jan 2001 10:02:41 -0700

> I guess a more accurate would be to say that there is usually
> a tradeoff between the benefits and costs of defense in depth,
> and my experience is that in today's systems it is not at all
> uncommon to find scenarios where the costs of defense in depth
> are well worth it.
> Do I understand you to be saying that defense in depth is almost
> never worth it?  (except for special exceptions like UI's)

The term "never" is an immense term, like the term "perfect". And in fact,
in today's world without capabilities, defense in depth is all you can get
and I use it myself. Indeed, I can even point to a specific moment in my
personal life when defense in depth was probably all that saved me:

When I first set up a Linux server for my home network, I had a niggling
suspicion that I was leaving my whole world exposed to the network. So I set
up the tcp/ip wrapper daemons to only service local requests while I was
fiddling with the ipchains firewall software.

When, 9 months later, I finally got ipchains working, I was very happy. But
being paranoid, I did not shut off the ip wrapper daemons. 4 months after
that, I was very happy that I had left them on because I finally figured out
that I had never actually had ipchains firewall features turned on. Reading
my logs, it was clear that lots of people had tried to hack into my mail
server, but everything else was copascetic. Perhaps this was because of the
ip wrappers, perhaps not, but it was because of the ip wrappers that I feel
reasonably confident no one hacked the logs :-)

Could this scenario occur in a full-powered capability-secured world? I do
not believe so. I have since then given a silly amount of thought to what my
LAN would look like if I were running strictly capability-secured software.
Whatever the risks are, I know they are different because the questions and
answers are so completely different. In a capability system, with principle
of least authority, I would not be screwing with firewalls as if my life
depended on them, and there is no one thing I could have done wrong that
would zap the total defenses for my entire network. In a capability system,
even with an absurdly user-hostile UI like the one I had for ipchains, I
could not have done something this bad to myself.

Incidentally, capabilities lend themselves to friendly UIs, as well. Both
Ping/Miriam at Berkeley and I have the beginnings of proofs of this, and
since we are working independently, they are independent proofs :-) But they
are not complete enough to be fully convincing yet.