POLA Would Have Prevented the Event-Stream Incident

38 points by katelynsills over 6 years ago

5 comments

erights over 6 years ago
In light of some feedback we've received on the article, some clarification is needed. The ocap (object-capabilities) approach does not by itself make systems secure. Rather, it is an enormous step towards making systems secureable. Even after taking this step, making complex systems secure can still be very hard, depending on the specifics.

In an ocap system such as SES https://github.com/Agoric/SES , an object can only directly cause effects on the world outside itself by using the capabilities it holds. Objects come in graphs held together by references, so an object can still only cause effects, directly or indirectly, according to its connectivity to the rest of the system via references. The difference between direct effects vs general causation is the difference between permission and authority [1,2]. Permission is often vastly easier to reason about than authority, but our safety depends on reasoning about limits on authority.

The event-stream exploit would have been prevented merely by practicing the principle of least permission. Hence this article did not need to go into these subtleties. Hence, this exploit is a good example for introducing people to these concepts, tempting them to dig deeper [3].

[1] Paradigm Regained http://www.erights.org/talks/asian03/paradigm-revised.pdf
[2] Permission and Authority Revisited https://ai.google/research/pubs/pub45570
[3] References page https://agoric.com/references/
erights over 6 years ago
This npm / event-stream incident is the perfect teaching moment for POLA (Principle of Least Authority), and for the need to support least authority for JavaScript libraries.

https://www.youtube.com/watch?v=9Snbss_tawI&list=PLKr-mvz8uvUgybLg53lgXSeLOp4BiwvB2 is my presentation to the Node security team, explaining many of these issues prior to this particular incident.
snek over 6 years ago
What would be the sane behaviour for the following situation?

My app imports an http request library and gives it net permissions.

My app imports a templating library and gives it no permissions.

The templating library is malicious and tries to import well known http request libraries, and finds the one I imported, which has been given net permissions.

Or what if you give the templating library a mixin of some sort which accidentally exposes the privileged http library?
Comment #18602345 not loaded
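The wiring that erights' first comment describes (effects only through held capabilities, with attenuation narrowing authority) and the leak snek asks about, as an added example that is not part of the thread and not SES's API: `makeRawNet` is a constructed stub standing in for an http client, `attenuateNet` builds a narrower capability, and each library receives its dependencies as arguments instead of importing ambient ones, so the only way a templater reaches the network is if the app hands it a net capability.

```javascript
'use strict';
// Constructed example of capability-style wiring; nothing here touches a real network.

// Full-authority capability (stands in for an http client). Records every request it sees.
function makeRawNet(log) {
  return { request: (url) => { log.push(url); return `fetched ${url}`; } };
}

// Attenuation: a fresh capability that forwards only requests to allowed hosts.
// The holder of this object never sees `net` itself.
function attenuateNet(net, allowedHosts) {
  return Object.freeze({
    request(url) {
      const host = new URL(url).hostname;
      if (!allowedHosts.includes(host)) throw new Error(`denied: ${host}`);
      return net.request(url);
    },
  });
}

// Http library: gets its net authority passed in, not via an ambient `require`.
function makeHttpClient(net) {
  return { get: (url) => net.request(url) };
}

// Templating library: needs only an escaper. `hasNet` reports whether a net
// capability leaked into its dependencies (the situation snek describes).
function makeTemplater(deps) {
  const render = (tpl, vars) =>
    tpl.replace(/\{(\w+)\}/g, (_, k) => deps.escape(String(vars[k] ?? '')));
  const hasNet = () => Boolean(deps.net && typeof deps.net.request === 'function');
  return Object.freeze({ render, hasNet });
}

// Application wiring: the one place that holds raw authority and decides who gets what.
function wireApp() {
  const log = [];
  const rawNet = makeRawNet(log);
  const api = makeHttpClient(attenuateNet(rawNet, ['api.example.com']));
  const escape = (s) => s.replace(/</g, '&lt;');
  const safeTemplater = makeTemplater({ escape });
  // The accidental "mixin" leak: a dependency bag that carries the privileged client.
  const leakyTemplater = makeTemplater({ escape, net: rawNet });
  return { api, safeTemplater, leakyTemplater, log };
}
```

Under ambient authority every module in the process could call the network on its own; here the leak is visible in the wiring (`{ escape, net: rawNet }`) and nowhere else.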
zebraman over 6 years ago
"This isn't the case in a language like Java, where access to the outside world is mixed in with other functionality."

That's why there is a SecurityManager: https://docs.oracle.com/javase/tutorial/essential/environment/security.html that - if anything - is extremely granular.
Comment #18599365 not loaded
erights over 6 years ago
At https://twitter.com/spudowiar/status/1069680974110306306 Saleem Rashid raises an example of this principle that is especially easy to overlook, where authority arises from one entity relying on the unchecked veracity of another.