sunfish,
@sunfish@hachyderm.io

A subtlety about capability-based security in Wasm components is that there is no "ambient authority".

There are functions with no arguments that return handles, which at first glance looks like classic ambient authority.

But, all functions are interposable at link time. So users can wasi-virt or wac or other mechanisms to link a component to whatever they want, and attenuate or redirect the function however they want.

So instead, we say those functions use "link-time authority".
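An added illustration of the point above, written in plain Python rather than as a real Wasm component (example code, not from this thread, wasi-virt or wac): one guest whose only route to a directory is a zero-argument import, linked twice, once against the host's own handle and once against an attenuating wrapper that confines it to a subtree and to reads. The names HostDir, AttenuatedDir, component_main, link_and_run and the in-memory HOST_FS are assumptions of this example.

```python
import posixpath
# Constructed in-memory "host filesystem" standing in for the real one.
HOST_FS = {
    "/etc/secret": b"host-secret",
    "/app/config.toml": b"[app]\nname = 'demo'\n",
}

class HostDir:
    """Handle carrying the host's full authority: any path under `base`, no escape check."""
    def __init__(self, base="/"):
        self.base = base
    def read(self, path):
        return HOST_FS[posixpath.normpath(self.base + "/" + path)]
    def write(self, path, data):
        HOST_FS[posixpath.normpath(self.base + "/" + path)] = data

class AttenuatedDir:
    """Wraps another handle, confining it to one subtree and (optionally) to reads."""
    def __init__(self, inner, root, read_only=True):
        self.inner, self.root, self.read_only = inner, root.rstrip("/"), read_only
    def _resolve(self, path):
        full = posixpath.normpath(self.root + "/" + path)
        if full != self.root and not full.startswith(self.root + "/"):
            raise PermissionError(f"{path!r} escapes {self.root}")
        return full
    def read(self, path):
        return self.inner.read(self._resolve(path))
    def write(self, path, data):
        if self.read_only:
            raise PermissionError("read-only handle")
        self.inner.write(self._resolve(path), data)

def component_main(imports):
    """The guest: its only route to a directory is the zero-argument import."""
    root = imports["get-root-dir"]()  # looks ambient, but is whatever the linker bound
    result = {"config": root.read("config.toml")}
    attempts = {"escape": lambda: root.read("../etc/secret"),
                "write": lambda: root.write("notes.txt", b"scratch")}
    for name, attempt in attempts.items():
        try:
            attempt()
            result[name] = "allowed"
        except PermissionError:
            result[name] = "denied"
    return result

def link_and_run(get_root_dir):
    """Link-time step: bind the guest's import to the implementation the host chose."""
    return component_main({"get-root-dir": get_root_dir})
```

Linking with `HostDir("/app")` lets the unchanged guest read `../etc/secret` and write; linking with `AttenuatedDir(HostDir("/"), "/app")` makes both attempts fail without the guest's code knowing which implementation it got.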

Cyborus,

@sunfish by this definition, would all linux syscalls also be a link-time authority, that is simply always* granted?

sunfish,
@sunfish@hachyderm.io

@Cyborus Yes, that's right.

The Principle of Least Authority is a more informative way to describe systems, and from that perspective we see things like:

  • seccomp is complex to set up for non-trivial tasks, so it isn't used as often as it theoretically could be,

  • Child processes tend to be inconvenient to work with, and processes are pretty heavyweight, so applications tend to use a single process for everything, so authorities are often granted to parts of programs that don't need it.

oborosaur,

@sunfish how would you define ambient authority in this context?

sunfish,
@sunfish@hachyderm.io

@oborosaur Perhaps: implicit access to an external resource.

It's subtle, because if you think about something like a Unix process, we often talk about an "ambient authority" to open files in a filesystem namespace, but technically, many Unix-like platforms have added ways to run processes in alternate filesystem namespaces, or attenuate things with ACLs or seccomp, or so, so it isn't truly implicit, meaning it isn't truly ambient.

sunfish,
@sunfish@hachyderm.io

@oborosaur Ultimately, even though the phrase "ambient authority" is well-known in some circles, I think the Principle of Least Authority (PoLA) is the more interesting concept to focus on.

PoLA is all about granularity. Ideally, don't grant monolithic access to anything, and don't grant any access to monolithic things. Build modular systems and grant fine-grained access to the modules that need it.

And handles are a really great tool for doing that. But not the only tool.

oborosaur,

@sunfish interesting. I always thought of PoLA in contrast to the principle of least privilege: privilege being the rights you have direct access to and authority being the "transitive influence" you can wield by exercising those rights to obtain more rights to indirectly exercise rights by affecting the behaviour of other actors in the system.

Both views emphasize privilege separation, but PoLA accounts for "future rights" and/or "indirect exercising of rights".

oborosaur,

@sunfish so in this case you highlight that the system doesn't force you to grant ambient access because you can interpose invocation on what would otherwise be an irrevocable interface to ambient authority.
