From: David Wagner <daw@cs.berkeley.edu>
Date: Sat, 7 Dec 2002 19:22:54 -0800 (PST)
Subject: [e-lang] capability myths demolished!

Marc Stiegler wrote:
>For me, the merit of designation-with-authority became clear only when I 
>started writing user interfaces for secure systems. If designation is not 
>bundled with authority, then the user has to take 2 different steps where we 
>desperately want the user to have only one step: he winds up having one 
>discussion with his computer about designating what he wants to work with, 
>and a separate discussion about the security properties. Consequently, 
>security becomes a constant in-your-face nuisance.

I agree.  UIs seem like a great concrete example of how
designation-with-authority helps.   And the analogy does seem to carry
over reasonably well to programming, as far as I can tell.  Though you
can achieve principle of least privilege even if designation is separated
from authority, it requires greater explicitness, which means more work
from the programmer.

For instance, in Unix, the open() call is least-privilege-unfriendly,
because it uses the global euid to check permission.   An alternative,
least-privilege-friendly interface might be
  int open(uid_t authority, char *path, int flags, mode_t mode);
where the first argument would be used instead of the euid to
check access.  However, this interface would require more effort from
programmers, which likely means that some programmers will get lazy and
do things that harm security.  This seems to me like one of the main
selling points of capability security: the hope that we can get least
privilege "for free".
_______________________________________________
e-lang mailing list
e-lang@mail.eros-os.org
http://www.eros-os.org/mailman/listinfo/e-lang
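The three interfaces Wagner contrasts, side by side, as an added example that is not part of the message above nor code from the E or EROS projects. It simulates permission checks against a small constructed access-control list (alice is uid 1000, bob is uid 1001) rather than touching a real file system, so the names `open_ambient`, `open_with_authority`, `mint_cap`, `open_cap` and the global `g_euid` are all assumptions of this example: the first mimics Unix `open()` reading ambient authority from a process-global euid, the second is the explicit-authority signature proposed in the message, and the third bundles designation with authority the way a capability does.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed toy access-control list: each path has one owner uid,
 * and only the owner may open it. Not a real file system. */
struct acl_entry {
    const char *path;
    uid_t       owner;
};

static const struct acl_entry acl[] = {
    { "/home/alice/notes.txt", 1000 },   /* alice (constructed) */
    { "/home/bob/secret.txt",  1001 },   /* bob   (constructed) */
};

/* Look up the owner of a path; returns 0 and sets *owner, or -1 if unknown. */
static int lookup_owner(const char *path, uid_t *owner)
{
    size_t i;
    for (i = 0; i < sizeof acl / sizeof acl[0]; i++) {
        if (strcmp(acl[i].path, path) == 0) {
            *owner = acl[i].owner;
            return 0;
        }
    }
    return -1;
}

/* The single permission check all three interfaces share. */
static int permitted(uid_t subject, const char *path)
{
    uid_t owner;
    return lookup_owner(path, &owner) == 0 && owner == subject;
}

/* 1. Ambient authority, like Unix open(): the check consults a
 *    process-global effective uid that the caller never names. */
uid_t g_euid = 1000;

int open_ambient(const char *path)
{
    return permitted(g_euid, path) ? 0 : -1;
}

/* 2. Explicit authority, the alternative interface from the message:
 *    the caller must state which uid's rights to exercise. More work
 *    per call, but no hidden dependence on process state. */
int open_with_authority(uid_t authority, const char *path)
{
    return permitted(authority, path) ? 0 : -1;
}

/* 3. Capability style: designation and authority are bundled. The
 *    check happens once, when the capability is minted under a named
 *    authority; whoever holds it afterwards can open the file with no
 *    further ambient check. (Toy only: nothing here stops a caller
 *    from forging the struct; a real capability system makes it
 *    unforgeable.) */
typedef struct {
    const char *path;
    int         valid;
} file_cap;

int mint_cap(uid_t authority, const char *path, file_cap *out)
{
    out->path  = path;
    out->valid = permitted(authority, path);
    return out->valid ? 0 : -1;
}

int open_cap(const file_cap *cap)
{
    return cap->valid ? 0 : -1;
}

int main(void)
{
    file_cap cap;

    /* alice's process opens her own file under ambient authority... */
    printf("ambient as alice: %d\n", open_ambient("/home/alice/notes.txt"));

    /* ...but if the same code runs with bob's euid, the identical call
     * fails, and nothing in the call itself shows why. */
    g_euid = 1001;
    printf("ambient as bob:   %d\n", open_ambient("/home/alice/notes.txt"));

    /* A capability minted under alice's authority still works after the
     * ambient euid changes: the right travels with the designation. */
    mint_cap(1000, "/home/alice/notes.txt", &cap);
    printf("capability:       %d\n", open_cap(&cap));
    return 0;
}
```

The point the simulation makes concrete is the one in the message: `open_ambient` gets least privilege only if the process as a whole has been confined, `open_with_authority` lets the programmer choose a narrower authority on every call but only if they bother to, and with `mint_cap`/`open_cap` the authority decision is made once at the point of designation, so the later opens need no discipline from the caller at all.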