Is achieving security a hopeless quest?
Abstract
Despite all the work in OS to provide protection and improve security, cyber crime has grown into a major social issue. There seem to be no solutions to loss of data and theft of identity. Does the OS community bear a responsibility for this mess?
Mark Miller:
In the 1970s, there were two main access control models: the identity-centric model of access-control lists and the authorization-centric model of capabilities. For various reasons the world went down the identity-centric path, resulting in the situation we are now in. On the identity-centric path, why is security likely a hopeless quest?
When we build systems, we compose software written by different people. These composed components may cooperate as we intend, or they may destructively interfere. We have gotten very good at avoiding accidental interference by using abstraction mechanisms and designing good abstraction boundaries. By composition, we have delivered astonishing functionality to the world.
Today, when we secure systems, we assign authority to identities. When I run a program, it runs as me. The square root function in my math library can delete my files. Although it does not abuse this excess authority, if it has a flaw enabling an attacker to subvert it, then anything it may do, the attacker can do. It is this excess authority that invites most of the attacks we see in the world today.
By contrast, when we secure systems with capabilities, we work with the grain of how we organize software for functionality. At every level of composition, from programming language to operating systems to distributed services, we design abstraction boundaries so that a component's interface only requires arguments that are somehow relevant to its task. If such argument passing were the only source of authority, we would have already taken a huge step towards least authority. If most programs only ran with the least authority they need to do their jobs, most abuses would be minor.
I do not imagine a world with fewer exploitable bugs. I imagine a world in which much less is at risk to most bugs.
Supplementary Material
MP4 File (a13.mp4)
- Download
- 4214.19 MB
Information & Contributors
Information
Published In
October 2015
391 pages
ISBN:9781450340175
DOI:10.1145/2830903
Copyright © 2015 Owner/Author.
Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.
Sponsors
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 04 October 2015
Check for updates
Qualifiers
- Panel
Conference
SOSP '15
Sponsor:
SOSP '15: ACM SIGOPS 25th Symposium on Operating Systems Principles
October 4, 2015
California, Monterey
Acceptance Rates
Overall Acceptance Rate 174 of 961 submissions, 18%
Upcoming Conference
SOSP '25
- Sponsor:
- sigops
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- 0Total Citations
- 81Total Downloads
- Downloads (Last 12 months)0
- Downloads (Last 6 weeks)0
Reflects downloads up to 05 Mar 2025