
The Structure of Authority
Why security is not a separable concern


Superseded by Robust Composition.

Mark S. Miller (1, 2), Bill Tulloh (3), and Jonathan Shapiro (2)
1 Virus Safe Computing Project, Hewlett Packard Laboratories
2 Johns Hopkins University
3 George Mason University

An invited talk given at Second International Mozart/Oz Conference

Common programming practice grants excess authority for the sake of functionality; programming principles require least authority for the sake of security. If we practice our principles, we could have both security and functionality. Treating security as a separate concern has not succeeded in bridging the gap between principle and practice, because it operates without knowledge of what constitutes least authority. Only when requests are made -- whether by humans acting through a user interface, or by one object invoking another -- can we determine how much authority is adequate. Without this knowledge, we must provide programs with enough authority to do anything they might be requested to do.

We examine the practice of least authority at four major layers of abstraction -- from humans in an organization down to individual objects within a programming language. We explain the special role of object-capability languages -- such as E or the proposed Oz-E -- in supporting practical least authority.
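The abstract's central claim, that the authority a request needs is only knowable when the request is made, is easiest to see in object-capability style, where the request itself carries that authority. The following is an added illustration in Python, not code from the talk, the paper, or the E language; the `Directory` class and the in-memory tree are assumptions constructed for the example.

```python
# Added example: a directory capability over a constructed in-memory tree.
# Holding a Directory grants authority over exactly that subtree and nothing
# else; subdir() attenuates the authority further rather than widening it.

class Directory:
    def __init__(self, tree):
        self._tree = tree  # dict: name -> bytes (file) or dict (subdirectory)

    def write(self, name, data):
        # A capability to this directory cannot name anything outside it.
        if "/" in name or name in ("", ".", ".."):
            raise ValueError("name must be a plain entry in this directory")
        self._tree[name] = data

    def read(self, name):
        return self._tree[name]

    def subdir(self, name):
        # Attenuation: hand out authority over one child directory only.
        child = self._tree[name]
        if not isinstance(child, dict):
            raise KeyError(name)
        return Directory(child)


# Ambient authority: the whole tree is reachable through a module global, so
# a caller must trust the report writer with everything it could ever name.
ROOT_TREE = {"home": {"alice": {}}, "etc": {"config": b"original"}}

def save_report_ambient(name, data):
    Directory(ROOT_TREE).subdir("etc").write(name, data)  # nothing prevents this


# Least authority: the request carries a capability to the one directory the
# report belongs in. The writer has no way to reach the rest of the tree.
def save_report(dest: Directory, name, data):
    dest.write(name, data)


def demo():
    tree = {"home": {"alice": {}}, "etc": {"config": b"original"}}
    alice = Directory(tree).subdir("home").subdir("alice")
    save_report(alice, "q3.txt", b"quarterly figures")
    try:
        save_report(alice, "../etc/config", b"changed")  # rejected
        outside_reached = True
    except ValueError:
        outside_reached = False
    return tree["home"]["alice"]["q3.txt"], outside_reached, tree["etc"]["config"]
```

The amount of authority `save_report` receives is decided by whoever makes the request, at the moment of the request, which is exactly the knowledge a separate security layer lacks.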

Unless stated otherwise, all text on this page which is either unattributed or by Mark S. Miller is hereby placed in the public domain.