Re: [Lit.] Buffer overruns

From: David Wagner (daw_at_taverner.cs.berkeley.edu)
Date: 01/18/05


Date: Tue, 18 Jan 2005 06:29:14 +0000 (UTC)

Douglas A. Gwyn wrote:
>Bryan Olson wrote:
>> The principle of least privilege ... says to allow an
>> entity just the access necessary for it to do its job. Look
>> at a safer language such as Java; the compiler and run-time
>> system enforce access control consistent with the declared
>> interfaces.
>
>Which can also be done in C, e.g. using opaque types,
>or more simply merely by using a reasonable coding
>discipline.

Well, of course it can be done in C, in theory. After all, C is Turing
complete, so anything you can express in a Java program, you can express
in a C program, too. We might as well say that it can be done in machine
language, too. (Heck, you can even do it in Intercal.) It is possible.

But this misses the point that I presume Bryan Olson was trying to make.
The point, as I see it, is that some languages try to provide more support
for least privilege programming. They may make it easier or more natural
to achieve least privilege. For instance, they might enforce policies
(type safety, etc.) that make least privilege come more naturally.
As a result, those languages may be better for building programs in the
least privilege style than, say, machine language.

P.S. C doesn't have type-safe opaque types. You can build types and
hope that no one else will violate the abstraction ('pretty please, don't
look inside'), but C doesn't provide any way to enforce this. The lack
of language-enforced opaque types makes modular verification of code harder.
(Yes, yes, verification is still possible -- it is just harder.)
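The P.S. above is easiest to see with code, so here is an added example; it is not part of David Wagner's post or of any real library, and the acct_* names, the struct layout and the sample values are made up for the illustration. It uses the usual C idiom for an "opaque" type (an incomplete struct type in the header, the definition hidden in the .c file) and then shows a client that never sees the definition still driving the object into a state the interface forbids and reading a field the interface never exposes. Nothing here needs a cast that a compiler would warn about; it is exactly the "pretty please, don't look inside" situation, and a verifier of the module cannot assume the invariant holds at a call site without also checking every client.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not code from the original post). Names and layout are
   assumptions made for the illustration. */

/* ---------- what a header (acct.h) would expose to clients ---------- */
typedef struct acct acct_t;               /* incomplete type: no fields visible */
acct_t *acct_new(long balance, const unsigned char pin[4]);
int     acct_withdraw(acct_t *a, long amount);  /* 0 on success, -1 if it would overdraw */
long    acct_balance(const acct_t *a);
void    acct_free(acct_t *a);
/* There is deliberately no accessor for the PIN. */

/* ---------- what acct.c would hide ---------- */
struct acct {
    long          balance;   /* invariant the module tries to keep: balance >= 0 */
    unsigned char pin[4];    /* "private" data never returned by the interface */
};

acct_t *acct_new(long balance, const unsigned char pin[4]) {
    if (balance < 0) return NULL;            /* the interface enforces the invariant... */
    acct_t *a = malloc(sizeof *a);
    if (!a) return NULL;
    a->balance = balance;
    memcpy(a->pin, pin, sizeof a->pin);
    return a;
}

int acct_withdraw(acct_t *a, long amount) {
    if (amount < 0 || amount > a->balance) return -1;  /* ...as long as everyone goes through it */
    a->balance -= amount;
    return 0;
}

long acct_balance(const acct_t *a) { return a->balance; }
void acct_free(acct_t *a) { free(a); }

/* ---------- a client that only ever saw acct.h ---------- */
/* It cannot write a->balance (incomplete type), but it can guess the layout
   and copy raw bytes through an unsigned char pointer, which C allows for
   any object. This compiles cleanly, and the abstraction is gone. */
#define GUESSED_BALANCE_OFFSET 0               /* assumption: balance is the first field */
#define GUESSED_PIN_OFFSET     sizeof(long)    /* assumption: pin sits right after it */

long client_poke_balance(acct_t *a, long value) {
    memcpy((unsigned char *)a + GUESSED_BALANCE_OFFSET, &value, sizeof value);
    return acct_balance(a);                    /* the module now reports whatever we wrote */
}

void client_leak_pin(const acct_t *a, unsigned char out[4]) {
    memcpy(out, (const unsigned char *)a + GUESSED_PIN_OFFSET, 4);
}

/* Returns 1 if the client managed both violations: the interface refused the
   overdraw, the raw write made the balance negative anyway, and the PIN the
   interface never exposes came back intact. Sample values are constructed. */
int demo_abstraction_violated(void) {
    const unsigned char pin[4] = {4, 2, 4, 2};
    acct_t *a = acct_new(100, pin);
    if (!a) return 0;
    int  honest = acct_withdraw(a, 150);       /* -1: the interface refuses */
    long poked  = client_poke_balance(a, -500);/* no permission needed */
    unsigned char leaked[4];
    client_leak_pin(a, leaked);
    int violated = (honest == -1) && (poked == -500) && memcmp(leaked, pin, 4) == 0;
    acct_free(a);
    return violated;
}

int main(void) {
    printf("abstraction violated by client: %s\n",
           demo_abstraction_violated() ? "yes" : "no");
    return 0;
}
```

The contrast with Java is the point Bryan Olson and David Wagner are making: a `private long balance` field cannot be reached by a client the way the byte copy above reaches it, because the compiler rejects the access and the runtime rejects the cast, so a verifier can reason about the class from its declared interface alone. In C the same reasoning is only valid after checking that no client anywhere does what `client_poke_balance` does.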
