[e-lang] New paper: The Structure of Authority

Mark Miller markm at cs.jhu.edu
Fri Nov 12 10:15:49 EST 2004

At <http://www.erights.org/talks/no-sep/index.html>.

[Caution: wide distribution. Please send replies only to a narrower addressee 
list. Thanks.]

                             The Structure of Authority:
                      Why security is not a separable concern

by Mark S. Miller, Bill Tulloh, and Jonathan Shapiro

Common programming practice grants excess authority for the sake of 
functionality; programming principles require least authority for the sake of 
security. If we practice our principles, we could have both security and 
functionality. Treating security as a separate concern has not succeeded in 
bridging the gap between principle and practice, because it operates without 
knowledge of what constitutes least authority. Only when requests are made -- 
whether by humans acting through a user interface, or by one object invoking 
another -- can we determine how much authority is adequate. Without this 
knowledge, we must provide programs with enough authority to do anything they 
*might* be requested to do.

We examine the practice of least authority at four major layers of abstraction 
-- from humans in an organization down to individual objects within a 
programming language. We explain the special role of object-capability 
languages -- such as E or the proposed Oz-E -- in supporting practical least 

Text by me above is hereby placed in the public domain


More information about the e-lang mailing list