[cap-talk] Capability-secure subsets of existing languages
Ben Laurie
ben at algroup.co.uk
Tue Nov 2 14:16:36 EST 2004
David Hopwood wrote:
> Ben Laurie wrote:
>
>> Stiegler, Marc D wrote:
>>
>>> David, you are the one who was able to rip through an app that *was*
>>> written in a capability secure language, with no ambient authorities
>>> laying around, and still find great security breaches. Think how
>>> boringly easy it would be to find breaches in a program written with a
>>> language where all those super-power authorities are just laying around,
>>> begging to be abused, with only the willpower of the programmer at 2AM
>>> in the morning before the deadline standing between that power and a
>>> breach :-)
>>>
>>> While I'm responding, since you used Java as your example, just thought
>>> I'd mention that a capability-secure version of 100%pure Java, Joe-E, is
>>> possible, if you use an appropriate verifier. That version of Java could
>>> make sense -- but it is once again a true capability-secure language.
>>
>>
>> Interesting. Could this approach be applied to C++? Perl? Python?
>
>
> C++: no, not without changing the language so much that it would be
> unrecognisable or unattractive to most C++ programmers. If I wanted
> to make a C-family language cap-secure, I'd start with Cyclone
> (http://c2.com/cgi/wiki?CycloneLanguage).
I'm familiar with Cyclone, but surely most of its tricks can be done
with overloading in C++? I'll have to think about this more.
> Perl: I don't know.
>
> Python: probably yes. The reflection facilities are insecure; they would
> have to be removed or redesigned. The standard libraries would have to be
> subsetted.
Hold on - if the idea is to _vet_ the code, then surely you don't have
to change reflection, just outlaw it. If you want to change Python to be
capability secure, then don't bother, I've been there, and it won't
happen without a rewrite, IMO.
> I've been thinking about changes needed to Erlang, Oz, Python, Haskell,
> OCaml, Smalltalk/Squeak, and Cyclone to make them capability-secure, but
> they're mostly in my head at the moment rather than written up.
> (Scheme has already been done: http://pluto.mumble.net/~jar/pubs/secureos/)
I await with bated breath. But the question was: can you _vet_ code
written in these languages, not can you modify the languages to be
cap-secure.
It has been suggested to me that Haskell is a natural vehicle for
capabilities. I don't consider myself fluent enough (yet) to judge that.
What do you think?
Cheers,
Ben.
--
ApacheCon! 13-17 November! http://www.apachecon.com/
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
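The exchange above turns on two points: that Python's reflection facilities let a holder of an attenuated capability reach the full authority behind it, and that a vetter could simply outlaw those facilities rather than redesign the language. The following is an added illustration of both, written for this page and not code from any of the participants, Joe-E, or any real Python verifier. The reader/store objects, the name list in `FORBIDDEN_NAMES`, and the `vet` checker are all constructed for the example; a production vetter would use an allow-list of permitted attributes and modules rather than the short deny-list shown here.

```python
import ast

# Constructed example: a closure-based attenuator in the capability style.
# `store` is the full authority (a writable dict standing in for a file or
# database); the returned `read` function is meant to grant read-only access.
def make_reader(store):
    def read(key):
        return store[key]
    return read


def reflection_escape(read_fn):
    """Show why the attenuation above is not sound in unrestricted Python:
    the function object's __closure__ exposes the captured `store` cell, so
    anyone holding `read` can recover the writable dict behind it."""
    return read_fn.__closure__[0].cell_contents


# Hypothetical deny-list of reflection facilities a Python vetter would refuse.
# Names are matched as attributes (obj.__closure__), bare names (getattr(...))
# and top-level imports (import inspect).
FORBIDDEN_NAMES = {
    "__closure__", "__code__", "__globals__", "__dict__", "__class__",
    "__subclasses__", "__import__", "getattr", "setattr", "delattr",
    "vars", "globals", "locals", "eval", "exec", "gc", "inspect", "ctypes",
}


def vet(source):
    """Statically scan `source` and return a sorted list of (lineno, name)
    for every use of a forbidden reflection facility. An empty list means
    the code passed this (deliberately simple) check."""
    tree = ast.parse(source)
    findings = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Attribute) and node.attr in FORBIDDEN_NAMES:
            findings.add((node.lineno, node.attr))
        elif isinstance(node, ast.Name) and node.id in FORBIDDEN_NAMES:
            findings.add((node.lineno, node.id))
        elif isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in FORBIDDEN_NAMES:
                    findings.add((node.lineno, alias.name))
        elif isinstance(node, ast.ImportFrom):
            if node.module and node.module.split(".")[0] in FORBIDDEN_NAMES:
                findings.add((node.lineno, node.module))
    return sorted(findings)


if __name__ == "__main__":
    # Constructed input: the attenuator looks fine until reflection is used.
    store = {"secret": "read-only?"}
    read = make_reader(store)
    print("attenuated read:", read("secret"))
    print("escape recovers the same dict:", reflection_escape(read) is store)

    # The vetter rejects the escape but accepts ordinary use of the capability.
    escape_src = "full = read.__closure__[0].cell_contents\n"
    print("vet(escape):", vet(escape_src))
    print("vet(honest):", vet("value = read('secret')\n"))
```

The point of the pair is that the soundness of `make_reader` depends entirely on the vetter: with `vet` enforced over every module loaded, the closure is an acceptable attenuator; without it, as the thread notes, the language's reflection makes the attenuation decorative.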