The Structure of Authority: Why Security Is Not a Separable Concern

@inproceedings{Miller2004TheSO,
  title={The Structure of Authority: Why Security Is Not a Separable Concern},
  author={Mark S. Miller and Bill Tulloh and Jonathan S. Shapiro},
  booktitle={MOZ},
  year={2004}
}
Common programming practice grants excess authority for the sake of functionality; programming principles require least authority for the sake of security. If we practice our principles, we could have both security and functionality. Treating security as a separate concern has not succeeded in bridging the gap between principle and practice, because it operates without knowledge of what constitutes least authority. Only when requests are made – whether by humans acting through a user interface… 

Authority Analysis for Least Privilege Environments
TLDR
The ability of the technique to successfully identify excess authority is demonstrated by examining the “Confused Deputy” scenario, whose vulnerability goes undetected with conventional safety analyses.
Patterns of safe collaboration
TLDR
A new domain specific declarative language, SCOLL (Safe Collaboration Language), whose semantics are expressed by means of KBMs, can help programmers build reliable components that safely interact with partially or completely untrusted components.
Reusability of Functionality-Based Application Confinement Policy Abstractions
TLDR
This paper describes how the principles of role-based access control (RBAC) can be applied to the problem of restricting an application's behaviour and provides a more flexible, scalable and easier to manage confinement paradigm that requires far less in terms of user expertise than existing schemes.
Non-delegatable authorities in capability systems
TLDR
It is demonstrated that NDAs may be used to express ACL-like constructs and their basic pattern is directly applicable for implementing multi-level security and identity-based access controls in the object-capability model.
A Language for Safe Capability Based Collaboration
TLDR
A domain specific declarative language – SCOLL (Safe COLlaboration Language) – is proposed to express the collaborative behavior of subjects, the initial conditions in a configuration, and the requirements about confinement and liveness that are to be ensured.
Functionality-based application confinement: A parameterised and hierarchical approach to policy abstraction for rule-based application-oriented access controls
TLDR
A new access control model, known as functionality-based application confinement (FBAC), which is hierarchical, which enables it to provide layers of abstraction and encapsulation in policy and simultaneously enforces the security goals of both users and administrators by providing discretionary and mandatory controls.
Secure Cooperation of Untrusted Components
TLDR
This work suggests a novel approach based on the object capability paradigm with access control at the level of individual methods, which exploits two fundamental ideas: a component’s published interface is used as a specification of its required permissions, and interfaces with optional methods are extended, allowing permissions to be specified that are not strictly necessary but are desired for a better service level.
Functionality-based Application Confinement - Parameterised Hierarchical Application Restrictions
TLDR
FBAC policies are parameterised allowing them to be easily adapted to the needs of individual applications, and the layered nature of policies provides defence in depth allowing policies from both the user and administrator to provide both discretionary and mandatory security.
Robust composition: towards a unified approach to access control and concurrency control
TLDR
This dissertation presents a framework for enabling those interactions between components needed for the cooperation the authors intend, while minimizing the hazards of destructive interference, in E, a distributed, persistent, secure programming language.
Computational State Transfer: An Architectural Style for Decentralized Systems
TLDR
This evaluation demonstrates that COAST is capable of fail-safe cooperative live update for individual services in a decentralized system and concludes that COAST is well-suited for client-driven service extension and customization.

References

Showing 1–10 of 41 references.
A security kernel based on the lambda-calculus
TLDR
Experience with Scheme 48 is described, showing how it serves as a robust and flexible experimental platform; two successful applications of Scheme 48 are the programming environment for the Cornell mobile robots and a secure multi-user environment that runs on workstations.
Protection: principles and practice
The protection mechanisms of computer systems control the access to objects, especially information objects. The range of responsibilities of these mechanisms includes at one extreme completely
Paradigm Regained: Abstraction Mechanisms for Access Control
Access control systems must be evaluated in part on how well they enable one to distribute the access rights needed for cooperation, while simultaneously limiting the propagation of rights which
Abstraction and Refinement of Layered Security Policy
TLDR
This essay examines several different ways in which enterprise computing is viewed by different members of the enterprise, resulting in a layered policy where each main layer relates to one of the system metaphors and the policy described for a lower level of detail is an implementation of the policy at a higher level.
The Oz-E Project: Design Guidelines for a Secure Multiparadigm Programming Language
TLDR
The Oz-E project is presented, aimed at building an Oz-like secure language, named in tribute to E and its designers and users; the principles for secure language design are synthesized from experience with the capability-secure languages E and the W7-kernel for Scheme 48 [Ree96].
The source of authority for commercial access control
The authors discuss the need for protection in commercial organizations, and the way in which control principles have met this need, despite having evolved before computer systems came into use. The
The protection of information in computer systems
TLDR
This tutorial paper explores the mechanics of protecting computer-stored information from unauthorized use or modification by examining in depth the principles of modern protection architectures and the relation between capability systems and access control list systems.
Information Security: An Integrated Collection of Essays
TLDR
This collection of essays provides an overview of the vulnerabilities and threats to information security and introduces the important concepts and terms and summarizes the definitions and controls of the trusted computer system evaluation criteria.
A Security Analysis of the Combex DarpaBrowser Architecture
TLDR
The goal of the review was to evaluate the security properties of the DarpaBrowser, and in particular, its ability to confine a malicious renderer and to enforce the security policy described in the Combex Project Plan.
The transfer of information and authority in a protection system
TLDR
The Take-Grant Protection Model is extended with four rewriting rules to model de facto transfer, which refers to the situation where a user receives information when he does not initially have a direct “right” to it.