The Structure of Authority: Why security is not a separable concern

Mark Miller

Software developers must build programs that are both functional and secure. Yet most current efforts to secure software put protection at odds with usability and usefulness. Good software engineering principles seem to suggest that the solution is to address security as a separate concern. This view, however, is misleading. A major source of our current vulnerability stems from the excess authority routinely granted to applications. The solution is to design software according to the principle of least authority (POLA). Adapting the familiar access matrix model, we show how the recursive application of POLA down to the object level can significantly reduce vulnerabilities. Existing modularity and abstraction mechanisms, together with good software engineering discipline (for the sake of information hiding), bring about sparse “knowledge-of” relationships within systems. Object-capability mechanisms and discipline leverage these practices, for the sake of POLA, to bring about correspondingly sparse “access-to” relationships.

Rather than treating security separately, the consistent application of POLA requires that we more tightly integrate security concerns with system design concerns. Rather than requiring cumbersome security mechanisms, it instead requires the more consistent application of good software engineering practices. Many well-designed languages, including Oz, come tantalizingly close to providing the linguistic foundations needed to support POLA-based programming practices. We explain what additional steps are needed, and why it is a path worth taking.
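The "sparse knowledge-of implies sparse access-to" idea above, as an added illustration that is not from the talk: in an object-capability style, a reference is the only way to reach an object, so a component that is handed an attenuated facet instead of the full store can exercise exactly the authority the facet exposes. The example is in JavaScript rather than Oz, and the store, facet and plugin names are invented for illustration.

```javascript
// Added example (not from the talk): POLA at the object level.
// An object's authority ("access-to") is exactly the set of references it
// holds, so shaping who knows of what also shapes who can do what.

// Full-authority store. In an ambient-authority design any module could
// reach this directly, e.g. via a global or an unrestricted import.
function makeKeyValueStore() {
  const data = new Map();
  return Object.freeze({
    get: (k) => data.get(k),
    set: (k, v) => { data.set(k, v); },
    keys: () => [...data.keys()],
  });
}

// Attenuation: a read-only facet restricted to one key prefix. The facet
// closes over the full store but exposes only what the holder needs, so
// handing it out grants no write authority and no view of other keys.
function makeReadOnlyView(store, prefix) {
  return Object.freeze({
    get: (k) => (k.startsWith(prefix) ? store.get(k) : undefined),
    keys: () => store.keys().filter((k) => k.startsWith(prefix)),
  });
}

// A "plugin" written against the facet. It never learns of the full store,
// so it cannot write to it or read another tenant's keys, whatever its code
// attempts; no separate access-control check is consulted at call time.
function summarizeTenant(view) {
  const entries = view.keys().map((k) => [k, view.get(k)]);
  const leaked = view.get('tenantB/secret');      // outside prefix: undefined
  const canWrite = typeof view.set === 'function'; // facet has no set: false
  return { entries, leaked, canWrite };
}

function demo() {
  const store = makeKeyValueStore();
  // Constructed sample data for two tenants.
  store.set('tenantA/name', 'alpha');
  store.set('tenantA/quota', 10);
  store.set('tenantB/secret', 's3cret');
  const viewA = makeReadOnlyView(store, 'tenantA/');
  return summarizeTenant(viewA);
}
```

The same shape, applied recursively (each object passing on only the facets its collaborators need), is what makes the access-to graph as sparse as the knowledge-of graph that information hiding already produces.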