
Least Common Mechanism

The principle of least common mechanism concerns the dangers of sharing state among different programs. If one program can corrupt the shared state, it can then corrupt other programs which depend on it. This problem applies equally to all three Java-based systems. An example of this problem was Hopwood's interface attack [8], which combined a bug in Java's interface mechanism with a shared public variable to ultimately break the type system, and thus circumvent system security.

This principle also bears on covert storage channels [26], an issue in the design of multi-level secure systems [32]. Java presently makes no effort to limit or control covert channels, but this could be an interesting area for future work.



Dan Wallach
7/26/1997