Is achieving security a hopeless quest?

M. Seltzer, M. Miller, David Mazières, Yuanyuan Zhou
DOI: 10.1145/2830903.2830914 (https://doi.org/10.1145/2830903.2830914)
Venue: SOSP History Day 2015
Published: 2015-10-04
Publication type: Journal Article
Citations: 0

Abstract

Despite all the work in OS to provide protection and improve security, cyber crime has grown into a major social issue. There seem to be no solutions to loss of data and theft of identity. Does the OS community bear a responsibility for this mess?

Mark Miller: In the 1970s, there were two main access control models: the identity-centric model of access-control lists and the authorization-centric model of capabilities. For various reasons the world went down the identity-centric path, resulting in the situation we are now in. On the identity-centric path, why is security likely a hopeless quest?

When we build systems, we compose software written by different people. These composed components may cooperate as we intend, or they may destructively interfere. We have gotten very good at avoiding accidental interference by using abstraction mechanisms and designing good abstraction boundaries. By composition, we have delivered astonishing functionality to the world.

Today, when we secure systems, we assign authority to identities. When I run a program, it runs as me. The square root function in my math library can delete my files. Although it does not abuse this excess authority, if it has a flaw enabling an attacker to subvert it, then anything it may do, the attacker can do. It is this excess authority that invites most of the attacks we see in the world today.

By contrast, when we secure systems with capabilities, we work with the grain of how we organize software for functionality. At every level of composition, from programming language to operating systems to distributed services, we design abstraction boundaries so that a component's interface only requires arguments that are somehow relevant to its task. If such argument passing were the only source of authority, we would have already taken a huge step towards least authority. If most programs only ran with the least authority they need to do their jobs, most abuses would be minor. I do not imagine a world with fewer exploitable bugs. I imagine a world in which much less is at risk to most bugs.
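The "argument passing as the only source of authority" idea in the abstract is easiest to see in code. The following is an added illustration, not part of the SOSP History Day abstract or of any system its authors built: the square-root component asks only for a number, so a number is all the authority it holds; file access is modelled as capability objects (`FileReadCap`, `FileWriteCap`, both constructed here for the example) that expose exactly one file and exactly the operations a holder may perform, with `attenuate()` deriving a weaker capability from a stronger one. A component that was handed only a read capability has no reachable reference through which deleting or overwriting the file is even expressible.

```python
import math
import tempfile
from pathlib import Path


class FileReadCap:
    """Capability to read exactly one file. The path is private to the
    object; a holder cannot list, rename or delete anything through it."""

    def __init__(self, path: Path):
        self._path = Path(path)

    def read_text(self) -> str:
        return self._path.read_text()


class FileWriteCap(FileReadCap):
    """Read/write capability for one file. attenuate() hands out the
    read-only view to components whose interface only needs to read."""

    def write_text(self, text: str) -> None:
        self._path.write_text(text)

    def attenuate(self) -> FileReadCap:
        return FileReadCap(self._path)


def sqrt_component(x: float) -> float:
    """The abstract's library sqrt, as its interface suggests it should be:
    it receives a number, so a number is the whole of its authority."""
    return math.sqrt(x)


def summarise(inputs: FileReadCap, output: FileWriteCap, root=sqrt_component) -> list:
    """Reads numbers via a read-only capability and writes their roots via a
    write capability for a different file. Even if this body were subverted,
    nothing it holds offers a delete or rename operation on either file."""
    values = [float(v) for v in inputs.read_text().split()]
    roots = [root(v) for v in values]
    output.write_text("\n".join(f"{r:.6f}" for r in roots))
    return roots


def authority_of(cap) -> set:
    """Operations a holder of `cap` can invoke: under the capability model a
    component's authority is exactly what is reachable through its references."""
    return {
        name for name in dir(cap)
        if not name.startswith("_") and callable(getattr(cap, name))
    }


def demo() -> dict:
    """Run the composition on constructed sample input and report what each
    capability allows, plus whether the attenuated cap could be used to write."""
    with tempfile.TemporaryDirectory() as d:
        numbers = FileWriteCap(Path(d) / "numbers.txt")
        numbers.write_text("4 9 2")                  # constructed sample input
        roots_file = FileWriteCap(Path(d) / "roots.txt")

        # The summariser gets the weakest capability that satisfies its interface.
        roots = summarise(numbers.attenuate(), roots_file)

        # A holder of the read-only view cannot write: there is no such method.
        try:
            numbers.attenuate().write_text("clobbered")
            escaped = True
        except AttributeError:
            escaped = False

        return {
            "roots": roots,
            "output": roots_file.read_text(),
            "read_cap_ops": authority_of(numbers.attenuate()),
            "write_cap_ops": authority_of(roots_file),
            "escaped": escaped,
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Python does not enforce this discipline (any function may still `import os`), so the example shows the design shape the abstract argues for rather than a guarantee; enforcement is what an object-capability language or a capability-based OS supplies. The useful check it does demonstrate is `authority_of`: auditing a component's authority by enumerating what it can reach, instead of by asking whose identity it runs under.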