The Structure of Authority: Why Security Is Not a Separable Concern

Common programming practice grants excess authority for the sake of functionality; programming principles require least authority for the sake of security. If we practice our principles, we could have both security and functionality. Treating security as a separate concern has not succeeded in bridging the gap between principle and practice, because it operates without knowledge of what constitutes least authority. Only when requests are made – whether by humans acting through a user interface, or by one object invoking another – can we determine how much authority is adequate. Without this knowledge, we must provide programs with enough authority to do anything they might be requested to do. We examine the practice of least authority at four major layers of abstraction – from humans in an organization down to individual objects within a programming language. We explain the special role of objectcapability languages – such as E or the proposed Oz-E – in supporting practical least authority. 1 Excess Authority: The Gateway to Abuse Software systems today are highly vulnerable to attack. This widespread vulnerability can be traced in large part to the excess authority we routinely grant programs. Virtually every program a user launches is granted the user’s full authority, even a simple game program like Solitaire. All widely-deployed operating systems today – including Windows, UNIX variants, Macintosh, and PalmOS – work on this principle. While users need broad authority to accomplish their various goals, this authority greatly exceeds what any particular program needs to accomplish its task. When you run Solitaire, it only needs the authority to draw in its window, to receive the UI events you direct at it, and to write into a file you specify in order to save your score. If you had granted it only this limited authority, a corrupted Solitaire might be annoying, but not a threat. It may prevent you from Bill Tulloh would like to thank the Critical Infrastructure Protection Project at George Mason University for its financial support of this research. P. Van Roy (Ed.): MOZ 2004, LNAI 3389, pp. 2–20, 2005. c © Springer-Verlag Berlin Heidelberg 2005 The Structure of Authority: Why Security Is not a Separable Concern 3 Application Dynamic Least Authority