Tuesday, January 16, 2007

Least Risk

Over the weekend I spent a good bit of time working on the 'Secure Platforms' chapter of my book The dotCrime Manifesto.

This chapter presents a particular challenge since I want to condense material that could easily fill another book into 5,000 words or so. Another problem is explaining that the security defects in current operating systems are not a failure of architecture so much as implementation compromises.

So we have a Trusted Computing Base (TCB) where security decisions are concentrated, but the TCB can be bypassed because it runs in the same process space as device drivers, allowing a malicious device driver to clobber it. Once the TCB is compromised, the least privilege principle is lost.

While working on these themes I realized that the least privilege principle is actually misstated. Least Privilege is a mechanism, not a principle. The principle is least risk. Once stated in these terms, Least Risk becomes a unifying principle: Default Deny, Reference Monitor, TCB and Least Privilege all represent different ways to realize the least risk principle.

Turning to Google to find out if anyone else had made the connection, I found a 1998 paper that I wrote on Key Escrow, which may be of historical interest for those who followed the fight to legalize the use of strong cryptography.