The Structure of Authority: Why Security Is Not a Separable Concern

  • Mark S. Miller
  • Bill Tulloh
  • Jonathan S. Shapiro
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3389)


Common programming practice grants excess authority for the sake of functionality; programming principles require least authority for the sake of security. If we practice our principles, we could have both security and functionality. Treating security as a separate concern has not succeeded in bridging the gap between principle and practice, because it operates without knowledge of what constitutes least authority. Only when requests are made – whether by humans acting through a user interface, or by one object invoking another – can we determine how much authority is adequate. Without this knowledge, we must provide programs with enough authority to do anything they might be requested to do.

We examine the practice of least authority at four major layers of abstraction – from humans in an organization down to individual objects within a programming language. We explain the special role of object-capability languages – such as E or the proposed Oz-E – in supporting practical least authority.


Access Control Attack Surface Email Client Access Matrix Startup Module 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. [Abrams95]
    Abrams, M., Bailey, D.: Abstraction and Refinement of Layered Security Policy. In: Abrams, M.D., Jajodia, S., Podell, H.J. (eds.) Information Security: An Integrated Collection of Essays, pp. 126–136. IEEE Computer Society Press, Los Alamitos (1995)Google Scholar
  2. [Bishop79]
    Bishop, M., Snyder, L.: The Transfer of Information and Authority in a Protection System. In: Proc. 7th ACM Symposium on Operating Systems Principles, Operating Systems Review, vol. 13(4), pp. 45–54 (1979)Google Scholar
  3. [Close03]
    Tyler Close “What Does the ’y’ Refer to” (2003),
  4. [Dennis66]
    Dennis, J.B., Van Horn, E.C.: Programming Semantics for Multiprogrammed Computations. Communications of the ACM 9(3), 143–155 (1966)zbMATHCrossRefGoogle Scholar
  5. [Dijkstra74]
    Dijkstra, E.W.: On the role of scientific thought”, EWD 447. In: Dijkstra, E.W. (ed.) Selected Writings on Computing: A Personal Perspective. Springer, Heidelberg (1982)Google Scholar
  6. [Graham72]
    Graham, G.S., Denning, P.J.: Protection-principles and practice. In: Proc. AFIPS 1972 SJCC, vol. 40, pp. 417–429. AFIPS Press, Montvale (1972)Google Scholar
  7. [Hardy85]
    Hardy, N.: The KeyKOS Architecture. ACM Operating Systems Review, 8–25 (September 1985),
  8. [Hayek45]
    Hayek, F.A.: Use of Knowledge in Society. American Economic Review XXXV(4), 519–530 (1945), Google Scholar
  9. [Hayek64]
    Hayek, F.A.: The Theory of Complex Phenomena. In: Bunge (ed.) The Critical Approach to Science and Philosophy (1964)Google Scholar
  10. [Hewitt77]
    Hewitt, C., Baker, H.: Actors and Continuous Functionals. MIT-LCS-TR-194 (1977) Locality Laws online at,
  11. [Howard03]
    Howard, M., Pincus, J., Wing, J.M.: Measuring Relative Attack Surfaces. In: Proceedings of the Workshop on Advanced Developments in Software and Systems Security (2003)Google Scholar
  12. [Lampson74]
    Lampson, B.W.: Protection. ACM Operating Systems Review. 8(1) (January 1974)Google Scholar
  13. [Miller87]
    Miller, M.S., Bobrow, D.G., Tribble, E.D., Levy, J.: Logical Secrets. In: Shapiro, E. (ed.) Concurrent Prolog: Collected Papers, MIT Press, Cambridge (1987)Google Scholar
  14. [Miller02]
    Miller, M.S.: A Theory of Taming (2002),
  15. [Miller03]
    Miller, M.S., Shapiro, J.S.: Paradigm Regained: Abstraction mechanisms for access control. In: Saraswat, V.A. (ed.) ASIAN 2003. LNCS, vol. 2896, pp. 224–242. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  16. [Moffett88]
    Moffett, J.D., Sloman, M.S.: The Source of Authority for Commercial Access Control. IEEE Computer, Los Alamitos (1988)Google Scholar
  17. [Morris73]
    Morris, J.H.: Protection in Programming Languages. CACM 16(1), 15–21 (1973), zbMATHGoogle Scholar
  18. [Parnas72]
    Parnas, D.L.: On the Criteria To Be Used in Decomposing a System into Modules. Communications of the ACM 15(12), 1053–1058 (1972)CrossRefGoogle Scholar
  19. [Rees96]
    Rees, J.: A Security Kernel Based on the Lambda-Calculus. MIT AI Memo No. 1564. MIT, Cambridge (1996), Google Scholar
  20. [Saltzer75]
    Saltzer, J.H., Schroeder, M.D.: The Protection of Information in Computer Systems. Proceedings of the IEEE 63(9), 1278–1308 (1975)CrossRefGoogle Scholar
  21. [Schneider03]
    Schneider, F.B.: Least Privilege and More. IEEE Security & Privacy, 55–59 (September/October 2003)Google Scholar
  22. [Simon62]
    Simon, H.S.: The Architecture of Complexity: Hierarchic Systems. Proceedings of the American Philosophical Society 106, 467–482 (1962)Google Scholar
  23. [Shapiro99]
    Shapiro, J.S., Smith, J.M., Farber, D.J.: EROS: A Fast Capability System. In: Proceedings of the 17th ACM Symposium on Operating Systems Principles, December 1999, pp. 170–185 (1999)Google Scholar
  24. [Spiessens-VanRoy05]
    Spiessens, F., Roy, P.V.: The Oz-E Project: Design Guidelines for a Secure Multiparadigm Programming Language. In: Van Roy, P. (ed.) MOZ 2004. LNCS (LNAI), vol. 3389, pp. 21–40. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  25. [Stiegler02]
    Stiegler, M., Miller, M.: A Capability Based Client: The DarpaBrowser (2002),
  26. [Stiegler04]
    Stiegler, M., Karp, A.H., Yee, K.-P., Miller, M.: Polaris: Virus Safe Computing for Windows XP, HP Tech Report (in preparation)Google Scholar
  27. [Tulloh02]
    Tulloh, B., Miller, M.S.: Institutions as Abstraction Boundaries. In: To appear in Economics, Philosophy, & Information Technology: The Intellectual Contributions of Don Lavoie, George Mason University, Fairfax, VA (2002), Google Scholar
  28. [Wagner02]
    Wagner, D., Tribble, D.: A Security Analysis of the Combex DarpaBrowser Architecture (2002),
  29. [Wirfs-Brock02]
    Wirfs-Brock, R., McKean, A.: Object Design: Roles, Responsibilities, and Collaborations. Addison-Wesley, Reading (2002)Google Scholar
  30. [Yee02]
    Yee, K.-P.: User Interaction Design for Secure Systems. In: Proceedings of the International Conference on Information and Communications Security (2002) Complete version online at,
  31. [Yee04]
    Yee, K.-P.: Aligning Usability and Security. IEEE Security & Privacy Magazine (September 2004)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Mark S. Miller
    • 1
    • 2
  • Bill Tulloh
    • 3
  • Jonathan S. Shapiro
    • 2
  1. 1.Hewlett Packard Labs 
  2. 2.Johns Hopkins University 
  3. 3.George Mason University 

Personalised recommendations