POLA Would Have Prevented the Event-Stream Incident

38 points, by katelynsills, over 6 years ago

5 comments

erights, over 6 years ago

In light of some feedback we've received on the article, some clarification is needed. The ocap (object-capabilities) approach does not by itself make systems secure. Rather, it is an enormous step towards making systems secureable. Even after taking this step, making complex systems secure can still be very hard, depending on the specifics.

In an ocap system such as SES (https://github.com/Agoric/SES), an object can only directly cause effects on the world outside itself by using the capabilities it holds. Objects come in graphs held together by references, so an object can still only cause effects, directly or indirectly, according to its connectivity to the rest of the system via references. The difference between direct effects vs general causation is the difference between permission and authority [1,2]. Permission is often vastly easier to reason about than authority, but our safety depends on reasoning about limits on authority.

The event-stream exploit would have been prevented merely by practicing the principle of least permission. Hence this article did not need to go into these subtleties. Hence, this exploit is a good example for introducing people to these concepts, tempting them to dig deeper [3].

[1] Paradigm Regained: http://www.erights.org/talks/asian03/paradigm-revised.pdf

[2] Permission and Authority Revisited: https://ai.google/research/pubs/pub45570

[3] References page: https://agoric.com/references/
erights, over 6 years ago

This npm / event-stream incident is the perfect teaching moment for POLA (Principle of Least Authority), and for the need to support least authority for JavaScript libraries.

https://www.youtube.com/watch?v=9Snbss_tawI&list=PLKr-mvz8uvUgybLg53lgXSeLOp4BiwvB2 is my presentation to the Node security team, explaining many of these issues prior to this particular incident.
snek, over 6 years ago

What would be the sane behaviour for the following situation?

My app imports an http request library and gives it net permissions.

My app imports a templating library and gives it no permissions.

The templating library is malicious and tries to import well-known http request libraries, and finds the one I imported, which has been given net permissions.

Or what if you give the templating library a mixin of some sort which accidentally exposes the privileged http library?
zebraman, over 6 years ago

"This isn't the case in a language like Java, where access to the outside world is mixed in with other functionality."

That's why there is a SecurityManager: https://docs.oracle.com/javase/tutorial/essential/environment/security.html that, if anything, is extremely granular.
erights, over 6 years ago

At https://twitter.com/spudowiar/status/1069680974110306306 Saleem Rashid raises an example of this principle that is especially easy to overlook, where authority arises from one entity relying on the unchecked veracity of another.