From dd2f6f1a932a7833f939f39107054cbde271ce20 Mon Sep 17 00:00:00 2001 From: Corbin Date: Tue, 15 Apr 2025 10:10:10 -0700 Subject: [PATCH 1/2] feat: The Principle of Least Privilege I'm from capability theory, so I always think of this as POLA, but either way I think I've summarized it fairly according to Saltzer's paper. --- README.md | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/README.md b/README.md index 79033f4..32dc5e9 100644 --- a/README.md +++ b/README.md @@ -84,6 +84,7 @@ - [YAGNI](#yagni) - [The Fallacies of Distributed Computing](#the-fallacies-of-distributed-computing) - [The Principle of Least Astonishment](#the-principle-of-least-astonishment) + - [The Principle of Least Privilege](#the-principle-of-least-privilege) - [Reading List](#reading-list) - [Online Resources](#online-resources) - [PDF eBook](#pdf-ebook) 
@@ -1129,6 +1130,25 @@ See also: - [Convention Over Configuration](#todo) +### The Principle of Least Privilege + +[The Principle of Least Privilege on Wikipedia](https://en.wikipedia.org/wiki/Principle_of_least_privilege) + +> Every program and every privileged user of the system should operate using the least amount of privilege necessary to complete the job. +> +> Jerome H. Saltzer + +Also known as the **principle of least authority**, this principle requires components to be designed so that they need a minimum of privilege, authority, access, or permissions to accomplish their design goals. + +A system designed with least privilege has a natural partitioning into isolated subsystems which do not interact with each other. By intentionally restricting privileges during the design phase, a system can be produced which enforces that partitioning during operation. + +This is the fourth of five noteworthy design principles from [Protection and the Control of Information Sharing in Multics](https://dl.acm.org/doi/10.1145/361011.361067) (Saltzer, 1974). + +Real-world examples: + +* [Need-to-know policies](https://en.wikipedia.org/wiki/Need_to_know) in military organizations +* [Capability-based security](https://en.wikipedia.org/wiki/Capability-based_security), where all privileges are idealized as unforgeable copyable references + ## Reading List If you have found these concepts interesting, you may enjoy the following books. From 943598f37907d411a34575a8585f2685e1096b4d Mon Sep 17 00:00:00 2001 From: Corbin Date: Tue, 15 Apr 2025 10:22:07 -0700 Subject: [PATCH 2/2] Cross-reference the Multics design principles. Also fix up formatting to match conventions a bit better. --- README.md | 21 +++++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 32dc5e9..2f28d57 100644 --- a/README.md +++ b/README.md 
@@ -834,7 +834,7 @@ The name of this principle comes from a story by [G.K. Chesterton](https://en.wi [Kerckhoffs's principle on Wikipedia](https://en.wikipedia.org/wiki/Kerckhoffs%27s_principle) -> "...design your system assuming that your opponents know it in detail." +> ...design your system assuming that your opponents know it in detail. > > _Steven M. Bellovin's formulation of Kerckhoff's Principle_ @@ -844,7 +844,16 @@ The gold standard for any secret-keeping system is that implementation details s The history of cryptography has shown that open discussion and analysis of cryptographic systems leads to better and more secure systems - as researchers are able to test for and expose potential vulnerabilities. +This is the third of five noteworthy design principles from [Protection and the Control of Information Sharing in Multics](https://dl.acm.org/doi/10.1145/361011.361067) (Saltzer, 1974), where it is noted for its value in the design process: + +> This principle is not new ... but its violation sent a surprising number of design proposals back to the drawing boards. +> +> Jerome H. Saltzer + +See also: + - [Shannon's Maxim](#todo) +- [The Principle of Least Privilege](#the-principle-of-least-privilege) ### The Dead Sea Effect @@ -1136,7 +1145,7 @@ See also: > Every program and every privileged user of the system should operate using the least amount of privilege necessary to complete the job. > -> Jerome H. Saltzer +> _Jerome H. Saltzer_ Also known as the **principle of least authority**, this principle requires components to be designed so that they need a minimum of privilege, authority, access, or permissions to accomplish their design goals. 
@@ -1144,10 +1153,14 @@ A system designed with least privilege has a natural partitioning into isolated This is the fourth of five noteworthy design principles from [Protection and the Control of Information Sharing in Multics](https://dl.acm.org/doi/10.1145/361011.361067) (Saltzer, 1974). +See also: + +- [Kerckhoffs's principle](#kerckhoffss-principle) + Real-world examples: -* [Need-to-know policies](https://en.wikipedia.org/wiki/Need_to_know) in military organizations -* [Capability-based security](https://en.wikipedia.org/wiki/Capability-based_security), where all privileges are idealized as unforgeable copyable references +- [Need-to-know policies](https://en.wikipedia.org/wiki/Need_to_know) in military organizations +- [Capability-based security](https://en.wikipedia.org/wiki/Capability-based_security), where all privileges are idealized as unforgeable copyable references ## Reading List
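Review bot: In the first patch's second hunk (the new "### The Principle of Least Privilege" section), the sentence "A system designed with least privilege has a natural partitioning into isolated subsystems which do not interact with each other" overstates the property: restricting each component to the privileges it needs does not remove interaction, it constrains interaction to the privileges that were explicitly granted. Suggest "isolated subsystems which interact only through the privileges they were explicitly granted", which also agrees with the capability-based example listed below it, where interaction happens precisely through the held references.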
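Review bot: In the second patch's first hunk, while the Bellovin quote block is being touched to drop the quotation marks, the unchanged attribution line "_Steven M. Bellovin's formulation of Kerckhoff's Principle_" spells the name differently from the section heading and Wikipedia link ("Kerckhoffs's principle"); it would be worth fixing to "Kerckhoffs's Principle" in the same hunk so the section is internally consistent.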
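Review bot: In the second patch's second hunk, the newly added Saltzer attribution ("> Jerome H. Saltzer" under the "its violation sent a surprising number of design proposals back to the drawing boards" quote) is not italicized, whereas the third hunk of the same patch changes the other Saltzer attribution to "> _Jerome H. Saltzer_" to match the document's convention. Since the commit message says the formatting is being aligned with conventions, the new line should be "> _Jerome H. Saltzer_" as well.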
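Review bot: In the second patch's fourth hunk, the new "See also:" block links to "#kerckhoffss-principle", and the second hunk's list adds the reverse link to "#the-principle-of-least-privilege"; both anchors match the headings visible in the diff, so the cross-reference is symmetric. One small style point: the same hunk changes the "Real-world examples" bullets from "*" to "-", but the existing "- [Convention Over Configuration](#todo)" and "- [Shannon's Maxim](#todo)" entries still point at the "#todo" placeholder; consider either linking them to their real sections or noting the placeholder in the commit message so it is not mistaken for a finished cross-reference.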