[cap-talk] Language-based safety - notes and meat)

Stiegler, Marc D marc.d.stiegler at hp.com
Mon Nov 15 13:46:15 EST 2004


One more point needs to be stated clearly, not to protect Alan from
losing his money, but to ensure that Jed gets the experience he is
looking for, i.e., the experience of answering the question, "can
language based capabilities work?"

The additional point is, it should be considered a break in the
implementation, not the model, if there is an unsuppressed method in a
Java class designated "safe" that can be used to grasp authority. As
Dean and David pointed out in the DarpaBrowser security review, the
greatest area of vulnerability of the current E implementation is the
taming of the Java API. If I were going to attack the current E
implementation, this is where I would go to work. But, as David and Dean
also noted in the review, breaking errors in the taming is only an
implementation breach, not an architecture breach.

--marcs

> I'm not a poor student, so I'll put up some money.  I do have 
> a large mortgage and a wife who never met a pair of shoes she 
> didn't like, so I'll only put up $100.
> 
> Since it's my money, I get to make the rules.
> 
> 1. You must break the model, not the implementation.  
> 2. If you exploit a bug, MarkM gets a reasonable amount of 
> time to fix it.  
> 3. If the bug is in the underlying memory safety, either the
> JVM or the OS, you don't get paid.
> 4. Other bugs in the underlying system are fair game based on
> MarkM's statement that E shouldn't be vulnerable to them.
> 5. In case of a disagreement, a vote taken on this list will
> decide the issue.  (See, Jed, I know how to stack the deck.)
> 
> The contest starts once MarkM and Jed agree to the rules.
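
The taming point Marc makes above, as an added example that is not part of his post, of the quoted reply, or of E itself. E tames the Java API; this is a Python model of the same idea, chosen so it runs stand-alone: a host class is marked "safe" by an allow-list of members a confined caller may reach, and a single unsuppressed introspection member is enough to grasp authority. Every name in it (Tamed, Vault, SAFE_STR, LEAKY_STR, grasp_authority, audit_taming) and the secret it protects are this example's own constructions, not anything from E or the DarpaBrowser review.

```python
"""Model of API taming as a deny-by-default membrane.

Added example, not code from the cap-talk thread or from E. It models in
Python the point made above about E's taming of the Java API: a host class
is marked "safe" by listing the members a confined caller may reach, and a
single unsuppressed member that lets the caller grasp authority is an
implementation bug, not a break in the capability model. All names here
(Tamed, Vault, SAFE_STR, LEAKY_STR, grasp_authority, audit_taming) are
this example's own, not E's.
"""


class TamingError(AttributeError):
    """Raised when a confined caller touches a suppressed member."""


class Tamed:
    """Deny-by-default wrapper: only member names in `allowed` pass through."""

    def __init__(self, target, allowed):
        object.__setattr__(self, "_target", target)
        object.__setattr__(self, "_allowed", frozenset(allowed))

    def __getattribute__(self, name):
        # Every explicit attribute access, including dunder names such as
        # __class__, goes through this check, so nothing is reachable by
        # default. (Implicit lookups like type(x) bypass it; the escape
        # below uses only explicit access, which is what the spec governs.)
        allowed = object.__getattribute__(self, "_allowed")
        if name not in allowed:
            raise TamingError(f"{name!r} is suppressed by the taming")
        return getattr(object.__getattribute__(self, "_target"), name)

    def __setattr__(self, name, value):
        raise TamingError("tamed objects are read-only")


class Vault:
    """Stand-in for an authority-bearing host class (constructed for the
    example); nothing ever hands a confined caller a reference to it."""

    SECRET = "constructed-secret-token"

    @classmethod
    def read_secret(cls):
        return cls.SECRET


# Two taming specs for str. The "leaky" one differs by exactly one
# unsuppressed member, which is all the escape below needs.
SAFE_STR = frozenset({"upper", "lower", "split", "strip"})
LEAKY_STR = SAFE_STR | {"__class__"}


def grasp_authority(tamed):
    """What a confined caller can do holding only a tamed string.

    Returns Vault's secret if the taming leaks, else None. The walk
    str -> object -> object.__subclasses__() -> Vault needs nothing but
    the one introspection member the leaky spec failed to suppress.
    """
    try:
        cls = tamed.__class__
    except TamingError:
        return None
    root = cls.__mro__[-1]  # object, the root of every host class
    for sub in root.__subclasses__():
        if sub.__name__ == "Vault":
            return sub.read_secret()
    return None


def audit_taming(allowed):
    """Reviewer's check: dunder members on a 'safe' list are introspection
    hooks and should be treated as suspects. Returns the offending names."""
    return sorted(name for name in allowed if name.startswith("__"))


if __name__ == "__main__":
    # Constructed input: a confined caller is handed a tamed greeting.
    print(Tamed("hello", SAFE_STR).upper())            # ordinary use works
    print(grasp_authority(Tamed("hello", SAFE_STR)))   # None
    print(grasp_authority(Tamed("hello", LEAKY_STR)))  # the secret
    print(audit_taming(LEAKY_STR))                     # ['__class__']
```

The point of the two specs is Marc's distinction: the membrane (the model) holds for SAFE_STR, and the escape under LEAKY_STR is fixed by deleting one name from the list, not by changing the design. audit_taming is the kind of mechanical check a reviewer of a taming table would run first.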


